1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
6 #include <openssl/err.h>
11 #include "blockdev-util.h"
12 #include "chattr-util.h"
13 #include "constants.h"
14 #include "creds-util.h"
21 #include "memory-util.h"
23 #include "openssl-util.h"
24 #include "path-util.h"
25 #include "random-util.h"
26 #include "sparse-endian.h"
27 #include "stat-util.h"
28 #include "tpm2-util.h"
31 #define PUBLIC_KEY_MAX (UINT32_C(1024) * UINT32_C(1024))
33 bool credential_name_valid(const char *s
) {
34 /* We want that credential names are both valid in filenames (since that's our primary way to pass
35 * them around) and as fdnames (which is how we might want to pass them around eventually) */
36 return filename_is_valid(s
) && fdname_is_valid(s
);
39 static int get_credentials_dir_internal(const char *envvar
, const char **ret
) {
44 e
= secure_getenv(envvar
);
48 if (!path_is_absolute(e
) || !path_is_normalized(e
))
55 int get_credentials_dir(const char **ret
) {
56 return get_credentials_dir_internal("CREDENTIALS_DIRECTORY", ret
);
59 int get_encrypted_credentials_dir(const char **ret
) {
60 return get_credentials_dir_internal("ENCRYPTED_CREDENTIALS_DIRECTORY", ret
);
63 int read_credential(const char *name
, void **ret
, size_t *ret_size
) {
64 _cleanup_free_
char *fn
= NULL
;
70 if (!credential_name_valid(name
))
73 r
= get_credentials_dir(&d
);
77 fn
= path_join(d
, name
);
81 return read_full_file_full(
84 READ_FULL_FILE_SECURE
,
86 (char**) ret
, ret_size
);
89 int get_credential_user_password(const char *username
, char **ret_password
, bool *ret_is_hashed
) {
90 _cleanup_(erase_and_freep
) char *creds_password
= NULL
;
91 _cleanup_free_
char *cn
= NULL
;
94 /* Try to pick up the password for this account via the credentials logic */
95 cn
= strjoin("passwd.hashed-password.", username
);
99 r
= read_credential(cn
, (void**) &creds_password
, NULL
);
102 cn
= strjoin("passwd.plaintext-password.", username
);
106 r
= read_credential(cn
, (void**) &creds_password
, NULL
);
108 log_debug_errno(r
, "Couldn't read credential '%s', ignoring: %m", cn
);
110 *ret_is_hashed
= false;
112 log_debug_errno(r
, "Couldn't read credential '%s', ignoring: %m", cn
);
114 *ret_is_hashed
= true;
116 *ret_password
= TAKE_PTR(creds_password
);
123 #define CREDENTIAL_HOST_SECRET_SIZE 4096
125 static const sd_id128_t credential_app_id
=
126 SD_ID128_MAKE(d3
,ac
,ec
,ba
,0d
,ad
,4c
,df
,b8
,c9
,38,15,28,93,6c
,58);
128 struct credential_host_secret_format
{
129 /* The hashed machine ID of the machine this belongs to. Why? We want to ensure that each machine
130 * gets its own secret, even if people forget to flush out this secret file. Hence we bind it to the
131 * machine ID, for which there's hopefully a better chance it will be flushed out. We use a hashed
132 * machine ID instead of the literal one, because it's trivial to, and it might be a good idea not
133 * being able to directly associate a secret key file with a host. */
134 sd_id128_t machine_id
;
136 /* The actual secret key */
137 uint8_t data
[CREDENTIAL_HOST_SECRET_SIZE
];
140 static void warn_not_encrypted(int fd
, CredentialSecretFlags flags
, const char *dirname
, const char *filename
) {
147 if (!FLAGS_SET(flags
, CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED
))
150 r
= fd_is_encrypted(fd
);
152 log_debug_errno(r
, "Failed to determine if credential secret file '%s/%s' is encrypted.",
155 log_warning("Credential secret file '%s/%s' is not located on encrypted media, using anyway.",
159 static int make_credential_host_secret(
161 const sd_id128_t machine_id
,
162 CredentialSecretFlags flags
,
168 struct credential_host_secret_format buf
;
169 _cleanup_free_
char *t
= NULL
;
170 _cleanup_close_
int fd
= -EBADF
;
176 fd
= openat(dfd
, ".", O_CLOEXEC
|O_WRONLY
|O_TMPFILE
, 0400);
178 log_debug_errno(errno
, "Failed to create temporary credential file with O_TMPFILE, proceeding without: %m");
180 if (asprintf(&t
, "credential.secret.%016" PRIx64
, random_u64()) < 0)
183 fd
= openat(dfd
, t
, O_CLOEXEC
|O_WRONLY
|O_CREAT
|O_EXCL
|O_NOFOLLOW
, 0400);
188 r
= chattr_secret(fd
, 0);
190 log_debug_errno(r
, "Failed to set file attributes for secrets file, ignoring: %m");
192 buf
= (struct credential_host_secret_format
) {
193 .machine_id
= machine_id
,
196 r
= crypto_random_bytes(buf
.data
, sizeof(buf
.data
));
200 r
= loop_write(fd
, &buf
, sizeof(buf
), false);
209 warn_not_encrypted(fd
, flags
, dirname
, fn
);
212 r
= rename_noreplace(dfd
, t
, dfd
, fn
);
217 } else if (linkat(fd
, "", dfd
, fn
, AT_EMPTY_PATH
) < 0) {
222 if (fsync(dfd
) < 0) {
230 copy
= memdup(buf
.data
, sizeof(buf
.data
));
240 *ret_size
= sizeof(buf
.data
);
245 if (t
&& unlinkat(dfd
, t
, 0) < 0)
246 log_debug_errno(errno
, "Failed to remove temporary credential key: %m");
248 explicit_bzero_safe(&buf
, sizeof(buf
));
252 int get_credential_host_secret(CredentialSecretFlags flags
, void **ret
, size_t *ret_size
) {
253 _cleanup_free_
char *_dirname
= NULL
, *_filename
= NULL
;
254 _cleanup_close_
int dfd
= -EBADF
;
255 sd_id128_t machine_id
;
256 const char *dirname
, *filename
;
259 r
= sd_id128_get_machine_app_specific(credential_app_id
, &machine_id
);
263 const char *e
= secure_getenv("SYSTEMD_CREDENTIAL_SECRET");
265 if (!path_is_normalized(e
))
267 if (!path_is_absolute(e
))
270 r
= path_extract_directory(e
, &_dirname
);
274 r
= path_extract_filename(e
, &_filename
);
279 filename
= _filename
;
281 dirname
= "/var/lib/systemd";
282 filename
= "credential.secret";
285 mkdir_parents(dirname
, 0755);
286 dfd
= open_mkdir_at(AT_FDCWD
, dirname
, O_CLOEXEC
, 0755);
288 return log_debug_errno(dfd
, "Failed to create or open directory '%s': %m", dirname
);
290 if (FLAGS_SET(flags
, CREDENTIAL_SECRET_FAIL_ON_TEMPORARY_FS
)) {
291 r
= fd_is_temporary_fs(dfd
);
293 return log_debug_errno(r
, "Failed to check directory '%s': %m", dirname
);
295 return log_debug_errno(SYNTHETIC_ERRNO(ENOMEDIUM
),
296 "Directory '%s' is on a temporary file system, refusing.", dirname
);
299 for (unsigned attempt
= 0;; attempt
++) {
300 _cleanup_(erase_and_freep
) struct credential_host_secret_format
*f
= NULL
;
301 _cleanup_close_
int fd
= -EBADF
;
306 if (attempt
>= 3) /* Somebody is playing games with us */
307 return log_debug_errno(SYNTHETIC_ERRNO(EIO
),
308 "All attempts to create secret store in %s failed.", dirname
);
310 fd
= openat(dfd
, filename
, O_CLOEXEC
|O_RDONLY
|O_NOCTTY
|O_NOFOLLOW
);
312 if (errno
!= ENOENT
|| !FLAGS_SET(flags
, CREDENTIAL_SECRET_GENERATE
))
313 return log_debug_errno(errno
,
314 "Failed to open %s/%s: %m", dirname
, filename
);
317 r
= make_credential_host_secret(dfd
, machine_id
, flags
, dirname
, filename
, ret
, ret_size
);
319 log_debug_errno(r
, "Credential secret %s/%s appeared while we were creating it, rereading.",
324 return log_debug_errno(r
, "Failed to create credential secret %s/%s: %m",
329 if (fstat(fd
, &st
) < 0)
330 return log_debug_errno(errno
, "Failed to stat %s/%s: %m", dirname
, filename
);
332 r
= stat_verify_regular(&st
);
334 return log_debug_errno(r
, "%s/%s is not a regular file: %m", dirname
, filename
);
335 if (st
.st_nlink
== 0) /* Deleted by now, try again */
338 /* Our deletion check won't work if hardlinked somewhere else */
339 return log_debug_errno(SYNTHETIC_ERRNO(EPERM
),
340 "%s/%s has too many links, refusing.",
342 if ((st
.st_mode
& 07777) != 0400)
343 /* Don't use file if not 0400 access mode */
344 return log_debug_errno(SYNTHETIC_ERRNO(EPERM
),
345 "%s/%s has permissive access mode, refusing.",
348 if (l
< offsetof(struct credential_host_secret_format
, data
) + 1)
349 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
),
350 "%s/%s is too small, refusing.", dirname
, filename
);
351 if (l
> 16*1024*1024)
352 return log_debug_errno(SYNTHETIC_ERRNO(E2BIG
),
353 "%s/%s is too big, refusing.", dirname
, filename
);
357 return log_oom_debug();
359 n
= read(fd
, f
, l
+1);
361 return log_debug_errno(errno
,
362 "Failed to read %s/%s: %m", dirname
, filename
);
363 if ((size_t) n
!= l
) /* What? The size changed? */
364 return log_debug_errno(SYNTHETIC_ERRNO(EIO
),
365 "Failed to read %s/%s: %m", dirname
, filename
);
367 if (sd_id128_equal(machine_id
, f
->machine_id
)) {
370 warn_not_encrypted(fd
, flags
, dirname
, filename
);
372 sz
= l
- offsetof(struct credential_host_secret_format
, data
);
378 assert(sz
<= sizeof(f
->data
)); /* Ensure we don't read past f->data bounds */
380 copy
= memdup(f
->data
, sz
);
382 return log_oom_debug();
393 /* Hmm, this secret is from somewhere else. Let's delete the file. Let's first acquire a lock
394 * to ensure we are the only ones accessing the file while we delete it. */
396 if (flock(fd
, LOCK_EX
) < 0)
397 return log_debug_errno(errno
,
398 "Failed to flock %s/%s: %m", dirname
, filename
);
400 /* Before we delete it check that the file is still linked into the file system */
401 if (fstat(fd
, &st
) < 0)
402 return log_debug_errno(errno
, "Failed to stat %s/%s: %m", dirname
, filename
);
403 if (st
.st_nlink
== 0) /* Already deleted by now? */
405 if (st
.st_nlink
!= 1) /* Safety check, someone is playing games with us */
406 return log_debug_errno(SYNTHETIC_ERRNO(EPERM
),
407 "%s/%s unexpectedly has too many links.",
409 if (unlinkat(dfd
, filename
, 0) < 0)
410 return log_debug_errno(errno
, "Failed to unlink %s/%s: %m", dirname
, filename
);
412 /* And now try again */
416 /* Construction is like this:
418 * A symmetric encryption key is derived from:
420 * 1. Either the "host" key (a key stored in /var/lib/credential.secret)
422 * 2. A key generated by letting the TPM2 calculate an HMAC hash of some nonce we pass to it, keyed
423 * by a key derived from its internal seed key.
425 * 3. The concatenation of the above.
427 * 4. Or a fixed "empty" key. This will not provide confidentiality or authenticity, of course, but is
428 * useful to encode credentials for the initrd on TPM-less systems, where we simply have no better
429 * concept to bind things to. Note that decryption of a key set up like this will be refused on
430 * systems that have a TPM and have SecureBoot enabled.
432 * The above is hashed with SHA256 which is then used as encryption key for AES256-GCM. The encrypted
433 * credential is a short (unencrypted) header describing which of the three keys to use, the IV to use for
434 * AES256-GCM and some more meta information (sizes of certain objects) that is strictly speaking redundant,
435 * but kinda nice to have since we can have a more generic parser. If the TPM2 key is used this is followed
436 * by another (unencrypted) header, with information about the TPM2 policy used (specifically: the PCR mask
437 * to bind against, and a hash of the resulting policy — the latter being redundant, but speeding up things a
438 * bit, since we can more quickly refuse PCR state), followed by a sealed/exported TPM2 HMAC key. This is
439 * then followed by the encrypted data, which begins with a metadata header (which contains validity
440 * timestamps as well as the credential name), followed by the actual credential payload. The file ends in
441 * the AES256-GCM tag. To make things simple, the AES256-GCM AAD covers the main and the TPM2 header in
442 * full. This means the whole file is either protected by AAD, or is ciphertext, or is the tag. No
443 * unprotected data is included.
446 struct _packed_ encrypted_credential_header
{
453 /* Followed by NUL bytes until next 8 byte boundary */
456 struct _packed_ tpm2_credential_header
{
457 le64_t pcr_mask
; /* Note that the spec for PC Clients only mandates 24 PCRs, and that's what systems
458 * generally have. But keep the door open for more. */
459 le16_t pcr_bank
; /* For now, either TPM2_ALG_SHA256 or TPM2_ALG_SHA1 */
460 le16_t primary_alg
; /* Primary key algorithm (either TPM2_ALG_RSA or TPM2_ALG_ECC for now) */
462 le32_t policy_hash_size
;
463 uint8_t policy_hash_and_blob
[];
464 /* Followed by NUL bytes until next 8 byte boundary */
467 struct _packed_ tpm2_public_key_credential_header
{
468 le64_t pcr_mask
; /* PCRs used for the public key PCR policy (usually just PCR 11, i.e. the unified kernel) */
469 le32_t size
; /* Size of DER public key */
470 uint8_t data
[]; /* DER public key */
471 /* Followed by NUL bytes until next 8 byte boundary */
474 struct _packed_ metadata_credential_header
{
479 /* Followed by NUL bytes until next 8 byte boundary */
482 /* Some generic limit for parts of the encrypted credential for which we don't know the right size ahead of
483 * time, but where we are really sure it won't be larger than this. Should be larger than any possible IV,
484 * padding, tag size and so on. This is purely used for early filtering out of invalid sizes. */
485 #define CREDENTIAL_FIELD_SIZE_MAX (16U*1024U)
487 static int sha256_hash_host_and_tpm2_key(
488 const void *host_key
,
489 size_t host_key_size
,
490 const void *tpm2_key
,
491 size_t tpm2_key_size
,
492 uint8_t ret
[static SHA256_DIGEST_LENGTH
]) {
494 _cleanup_(EVP_MD_CTX_freep
) EVP_MD_CTX
*md
= NULL
;
497 assert(host_key_size
== 0 || host_key
);
498 assert(tpm2_key_size
== 0 || tpm2_key
);
501 /* Combines the host key and the TPM2 HMAC hash into a SHA256 hash value we'll use as symmetric encryption key. */
503 md
= EVP_MD_CTX_new();
507 if (EVP_DigestInit_ex(md
, EVP_sha256(), NULL
) != 1)
508 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to initial SHA256 context.");
510 if (host_key
&& EVP_DigestUpdate(md
, host_key
, host_key_size
) != 1)
511 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to hash host key.");
513 if (tpm2_key
&& EVP_DigestUpdate(md
, tpm2_key
, tpm2_key_size
) != 1)
514 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to hash TPM2 key.");
516 assert(EVP_MD_CTX_size(md
) == SHA256_DIGEST_LENGTH
);
518 if (EVP_DigestFinal_ex(md
, ret
, &l
) != 1)
519 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to finalize SHA256 hash.");
521 assert(l
== SHA256_DIGEST_LENGTH
);
525 int encrypt_credential_and_warn(
530 const char *tpm2_device
,
531 uint32_t tpm2_hash_pcr_mask
,
532 const char *tpm2_pubkey_path
,
533 uint32_t tpm2_pubkey_pcr_mask
,
539 _cleanup_(EVP_CIPHER_CTX_freep
) EVP_CIPHER_CTX
*context
= NULL
;
540 _cleanup_(erase_and_freep
) void *host_key
= NULL
, *tpm2_key
= NULL
;
541 size_t host_key_size
= 0, tpm2_key_size
= 0, tpm2_blob_size
= 0, tpm2_policy_hash_size
= 0, output_size
, p
, ml
;
542 _cleanup_free_
void *tpm2_blob
= NULL
, *tpm2_policy_hash
= NULL
, *iv
= NULL
, *output
= NULL
;
543 _cleanup_free_
struct metadata_credential_header
*m
= NULL
;
544 uint16_t tpm2_pcr_bank
= 0, tpm2_primary_alg
= 0;
545 struct encrypted_credential_header
*h
;
546 int ksz
, bsz
, ivsz
, tsz
, added
, r
;
547 _cleanup_free_
void *pubkey
= NULL
;
548 size_t pubkey_size
= 0;
549 uint8_t md
[SHA256_DIGEST_LENGTH
];
550 const EVP_CIPHER
*cc
;
553 assert(input
|| input_size
== 0);
557 if (!sd_id128_in_set(with_key
,
560 CRED_AES256_GCM_BY_HOST
,
561 CRED_AES256_GCM_BY_TPM2_HMAC
,
562 CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK
,
563 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC
,
564 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK
,
565 CRED_AES256_GCM_BY_TPM2_ABSENT
))
566 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Invalid key type: " SD_ID128_FORMAT_STR
, SD_ID128_FORMAT_VAL(with_key
));
568 if (name
&& !credential_name_valid(name
))
569 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Invalid credential name: %s", name
);
571 if (not_after
!= USEC_INFINITY
&& timestamp
!= USEC_INFINITY
&& not_after
< timestamp
)
572 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Credential is invalidated before it is valid (" USEC_FMT
" < " USEC_FMT
").", not_after
, timestamp
);
575 char buf
[FORMAT_TIMESTAMP_MAX
];
578 log_debug("Including credential name '%s' in encrypted credential.", name
);
579 if (timestamp
!= USEC_INFINITY
)
580 log_debug("Including timestamp '%s' in encrypted credential.", format_timestamp(buf
, sizeof(buf
), timestamp
));
581 if (not_after
!= USEC_INFINITY
)
582 log_debug("Including not-after timestamp '%s' in encrypted credential.", format_timestamp(buf
, sizeof(buf
), not_after
));
585 if (sd_id128_in_set(with_key
,
587 CRED_AES256_GCM_BY_HOST
,
588 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC
,
589 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK
)) {
591 r
= get_credential_host_secret(
592 CREDENTIAL_SECRET_GENERATE
|
593 CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED
|
594 (sd_id128_equal(with_key
, _CRED_AUTO
) ? CREDENTIAL_SECRET_FAIL_ON_TEMPORARY_FS
: 0),
597 if (r
== -ENOMEDIUM
&& sd_id128_equal(with_key
, _CRED_AUTO
))
598 log_debug_errno(r
, "Credential host secret location on temporary file system, not using.");
600 return log_error_errno(r
, "Failed to determine local credential host secret: %m");
605 if (sd_id128_equal(with_key
, _CRED_AUTO
)) {
606 /* If automatic mode is selected and we are running in a container, let's not try TPM2. OTOH
607 * if user picks TPM2 explicitly, let's always honour the request and try. */
609 r
= detect_container();
611 log_debug_errno(r
, "Failed to determine whether we are running in a container, ignoring: %m");
613 log_debug("Running in container, not attempting to use TPM2.");
616 } else if (sd_id128_equal(with_key
, _CRED_AUTO_INITRD
)) {
617 /* If automatic mode for initrds is selected, we'll use the TPM2 key if the firmware does it,
618 * otherwise we'll use a fixed key */
620 try_tpm2
= efi_has_tpm2();
622 log_debug("Firmware lacks TPM2 support, not attempting to use TPM2.");
624 try_tpm2
= sd_id128_in_set(with_key
,
625 CRED_AES256_GCM_BY_TPM2_HMAC
,
626 CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK
,
627 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC
,
628 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK
);
631 if (sd_id128_in_set(with_key
,
634 CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK
,
635 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK
)) {
637 /* Load public key for PCR policies, if one is specified, or explicitly requested */
639 r
= tpm2_load_pcr_public_key(tpm2_pubkey_path
, &pubkey
, &pubkey_size
);
641 if (tpm2_pubkey_path
|| r
!= -ENOENT
|| !sd_id128_in_set(with_key
, _CRED_AUTO
, _CRED_AUTO_INITRD
))
642 return log_error_errno(r
, "Failed read TPM PCR public key: %m");
644 log_debug_errno(r
, "Failed to read TPM2 PCR public key, proceeding without: %m");
649 tpm2_pubkey_pcr_mask
= 0;
651 r
= tpm2_seal(tpm2_device
,
654 tpm2_pubkey_pcr_mask
,
656 &tpm2_key
, &tpm2_key_size
,
657 &tpm2_blob
, &tpm2_blob_size
,
658 &tpm2_policy_hash
, &tpm2_policy_hash_size
,
662 if (sd_id128_equal(with_key
, _CRED_AUTO_INITRD
))
663 log_warning("Firmware reported a TPM2 being present and used, but we didn't manage to talk to it. Credential will be refused if SecureBoot is enabled.");
664 else if (!sd_id128_equal(with_key
, _CRED_AUTO
))
667 log_notice_errno(r
, "TPM2 sealing didn't work, continuing without TPM2: %m");
670 assert(tpm2_blob_size
<= CREDENTIAL_FIELD_SIZE_MAX
);
671 assert(tpm2_policy_hash_size
<= CREDENTIAL_FIELD_SIZE_MAX
);
675 if (sd_id128_in_set(with_key
, _CRED_AUTO
, _CRED_AUTO_INITRD
)) {
676 /* Let's settle the key type in auto mode now. */
678 if (host_key
&& tpm2_key
)
679 id
= pubkey
? CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK
: CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC
;
681 id
= pubkey
? CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK
: CRED_AES256_GCM_BY_TPM2_HMAC
;
683 id
= CRED_AES256_GCM_BY_HOST
;
684 else if (sd_id128_equal(with_key
, _CRED_AUTO_INITRD
))
685 id
= CRED_AES256_GCM_BY_TPM2_ABSENT
;
687 return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE
),
688 "TPM2 not available and host key located on temporary file system, no encryption key available.");
692 if (sd_id128_equal(id
, CRED_AES256_GCM_BY_TPM2_ABSENT
))
693 log_warning("Using a null key for encryption and signing. Confidentiality or authenticity will not be provided.");
695 /* Let's now take the host key and the TPM2 key and hash it together, to use as encryption key for the data */
696 r
= sha256_hash_host_and_tpm2_key(host_key
, host_key_size
, tpm2_key
, tpm2_key_size
, md
);
700 assert_se(cc
= EVP_aes_256_gcm());
702 ksz
= EVP_CIPHER_key_length(cc
);
703 assert(ksz
== sizeof(md
));
705 bsz
= EVP_CIPHER_block_size(cc
);
707 assert((size_t) bsz
<= CREDENTIAL_FIELD_SIZE_MAX
);
709 ivsz
= EVP_CIPHER_iv_length(cc
);
711 assert((size_t) ivsz
<= CREDENTIAL_FIELD_SIZE_MAX
);
717 r
= crypto_random_bytes(iv
, ivsz
);
719 return log_error_errno(r
, "Failed to acquired randomized IV: %m");
722 tsz
= 16; /* FIXME: On OpenSSL 3 there is EVP_CIPHER_CTX_get_tag_length(), until then let's hardcode this */
724 context
= EVP_CIPHER_CTX_new();
726 return log_error_errno(SYNTHETIC_ERRNO(ENOMEM
), "Failed to allocate encryption object: %s",
727 ERR_error_string(ERR_get_error(), NULL
));
729 if (EVP_EncryptInit_ex(context
, cc
, NULL
, md
, iv
) != 1)
730 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to initialize encryption context: %s",
731 ERR_error_string(ERR_get_error(), NULL
));
733 /* Just an upper estimate */
735 ALIGN8(offsetof(struct encrypted_credential_header
, iv
) + ivsz
) +
736 ALIGN8(tpm2_key
? offsetof(struct tpm2_credential_header
, policy_hash_and_blob
) + tpm2_blob_size
+ tpm2_policy_hash_size
: 0) +
737 ALIGN8(pubkey
? offsetof(struct tpm2_public_key_credential_header
, data
) + pubkey_size
: 0) +
738 ALIGN8(offsetof(struct metadata_credential_header
, name
) + strlen_ptr(name
)) +
739 input_size
+ 2U * (size_t) bsz
+
742 output
= malloc0(output_size
);
746 h
= (struct encrypted_credential_header
*) output
;
748 h
->block_size
= htole32(bsz
);
749 h
->key_size
= htole32(ksz
);
750 h
->tag_size
= htole32(tsz
);
751 h
->iv_size
= htole32(ivsz
);
752 memcpy(h
->iv
, iv
, ivsz
);
754 p
= ALIGN8(offsetof(struct encrypted_credential_header
, iv
) + ivsz
);
757 struct tpm2_credential_header
*t
;
759 t
= (struct tpm2_credential_header
*) ((uint8_t*) output
+ p
);
760 t
->pcr_mask
= htole64(tpm2_hash_pcr_mask
);
761 t
->pcr_bank
= htole16(tpm2_pcr_bank
);
762 t
->primary_alg
= htole16(tpm2_primary_alg
);
763 t
->blob_size
= htole32(tpm2_blob_size
);
764 t
->policy_hash_size
= htole32(tpm2_policy_hash_size
);
765 memcpy(t
->policy_hash_and_blob
, tpm2_blob
, tpm2_blob_size
);
766 memcpy(t
->policy_hash_and_blob
+ tpm2_blob_size
, tpm2_policy_hash
, tpm2_policy_hash_size
);
768 p
+= ALIGN8(offsetof(struct tpm2_credential_header
, policy_hash_and_blob
) + tpm2_blob_size
+ tpm2_policy_hash_size
);
772 struct tpm2_public_key_credential_header
*z
;
774 z
= (struct tpm2_public_key_credential_header
*) ((uint8_t*) output
+ p
);
775 z
->pcr_mask
= htole64(tpm2_pubkey_pcr_mask
);
776 z
->size
= htole32(pubkey_size
);
777 memcpy(z
->data
, pubkey
, pubkey_size
);
779 p
+= ALIGN8(offsetof(struct tpm2_public_key_credential_header
, data
) + pubkey_size
);
782 /* Pass the encrypted + TPM2 header as AAD */
783 if (EVP_EncryptUpdate(context
, NULL
, &added
, output
, p
) != 1)
784 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to write AAD data: %s",
785 ERR_error_string(ERR_get_error(), NULL
));
787 /* Now construct the metadata header */
788 ml
= strlen_ptr(name
);
789 m
= malloc0(ALIGN8(offsetof(struct metadata_credential_header
, name
) + ml
));
793 m
->timestamp
= htole64(timestamp
);
794 m
->not_after
= htole64(not_after
);
795 m
->name_size
= htole32(ml
);
796 memcpy_safe(m
->name
, name
, ml
);
798 /* And encrypt the metadata header */
799 if (EVP_EncryptUpdate(context
, (uint8_t*) output
+ p
, &added
, (const unsigned char*) m
, ALIGN8(offsetof(struct metadata_credential_header
, name
) + ml
)) != 1)
800 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to encrypt metadata header: %s",
801 ERR_error_string(ERR_get_error(), NULL
));
804 assert((size_t) added
<= output_size
- p
);
807 /* Then encrypt the plaintext */
808 if (EVP_EncryptUpdate(context
, (uint8_t*) output
+ p
, &added
, input
, input_size
) != 1)
809 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to encrypt data: %s",
810 ERR_error_string(ERR_get_error(), NULL
));
813 assert((size_t) added
<= output_size
- p
);
817 if (EVP_EncryptFinal_ex(context
, (uint8_t*) output
+ p
, &added
) != 1)
818 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to finalize data encryption: %s",
819 ERR_error_string(ERR_get_error(), NULL
));
822 assert((size_t) added
<= output_size
- p
);
825 assert(p
<= output_size
- tsz
);
828 if (EVP_CIPHER_CTX_ctrl(context
, EVP_CTRL_GCM_GET_TAG
, tsz
, (uint8_t*) output
+ p
) != 1)
829 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to get tag: %s",
830 ERR_error_string(ERR_get_error(), NULL
));
833 assert(p
<= output_size
);
835 if (DEBUG_LOGGING
&& input_size
> 0) {
838 base64_size
= DIV_ROUND_UP(p
* 4, 3); /* Include base64 size increase in debug output */
839 assert(base64_size
>= input_size
);
840 log_debug("Input of %zu bytes grew to output of %zu bytes (+%2zu%%).", input_size
, base64_size
, base64_size
* 100 / input_size
- 100);
843 *ret
= TAKE_PTR(output
);
849 int decrypt_credential_and_warn(
850 const char *validate_name
,
851 usec_t validate_timestamp
,
852 const char *tpm2_device
,
853 const char *tpm2_signature_path
,
859 _cleanup_(erase_and_freep
) void *host_key
= NULL
, *tpm2_key
= NULL
, *plaintext
= NULL
;
860 _cleanup_(json_variant_unrefp
) JsonVariant
*signature_json
= NULL
;
861 _cleanup_(EVP_CIPHER_CTX_freep
) EVP_CIPHER_CTX
*context
= NULL
;
862 size_t host_key_size
= 0, tpm2_key_size
= 0, plaintext_size
, p
, hs
;
863 struct encrypted_credential_header
*h
;
864 struct metadata_credential_header
*m
;
865 uint8_t md
[SHA256_DIGEST_LENGTH
];
866 bool with_tpm2
, with_host_key
, is_tpm2_absent
, with_tpm2_pk
;
867 const EVP_CIPHER
*cc
;
870 assert(input
|| input_size
== 0);
874 h
= (struct encrypted_credential_header
*) input
;
876 /* The ID must fit in, for the current and all future formats */
877 if (input_size
< sizeof(h
->id
))
878 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Encrypted file too short.");
880 with_host_key
= sd_id128_in_set(h
->id
, CRED_AES256_GCM_BY_HOST
, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC
, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK
);
881 with_tpm2_pk
= sd_id128_in_set(h
->id
, CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK
, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK
);
882 with_tpm2
= sd_id128_in_set(h
->id
, CRED_AES256_GCM_BY_TPM2_HMAC
, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC
) || with_tpm2_pk
;
883 is_tpm2_absent
= sd_id128_equal(h
->id
, CRED_AES256_GCM_BY_TPM2_ABSENT
);
885 if (!with_host_key
&& !with_tpm2
&& !is_tpm2_absent
)
886 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "Unknown encryption format, or corrupted data: %m");
889 r
= tpm2_load_pcr_signature(tpm2_signature_path
, &signature_json
);
894 if (is_tpm2_absent
) {
895 /* So this is a credential encrypted with a zero length key. We support this to cover for the
896 * case where neither a host key not a TPM2 are available (specifically: initrd environments
897 * where the host key is not yet accessible and no TPM2 chip exists at all), to minimize
898 * different codeflow for TPM2 and non-TPM2 codepaths. Of course, credentials encoded this
899 * way offer no confidentiality nor authenticity. Because of that it's important we refuse to
900 * use them on systems that actually *do* have a TPM2 chip – if we are in SecureBoot
901 * mode. Otherwise an attacker could hand us credentials like this and we'd use them thinking
902 * they are trusted, even though they are not. */
904 if (efi_has_tpm2()) {
905 if (is_efi_secure_boot())
906 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
),
907 "Credential uses fixed key for fallback use when TPM2 is absent — but TPM2 is present, and SecureBoot is enabled, refusing.");
909 log_warning("Credential uses fixed key for use when TPM2 is absent, but TPM2 is present! Accepting anyway, since SecureBoot is disabled.");
911 log_debug("Credential uses fixed key for use when TPM2 is absent, and TPM2 indeed is absent. Accepting.");
914 /* Now we know the minimum header size */
915 if (input_size
< offsetof(struct encrypted_credential_header
, iv
))
916 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Encrypted file too short.");
918 /* Verify some basic header values */
919 if (le32toh(h
->key_size
) != sizeof(md
))
920 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Unexpected key size in header.");
921 if (le32toh(h
->block_size
) <= 0 || le32toh(h
->block_size
) > CREDENTIAL_FIELD_SIZE_MAX
)
922 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Unexpected block size in header.");
923 if (le32toh(h
->iv_size
) > CREDENTIAL_FIELD_SIZE_MAX
)
924 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "IV size too large.");
925 if (le32toh(h
->tag_size
) != 16) /* FIXME: On OpenSSL 3, let's verify via EVP_CIPHER_CTX_get_tag_length() */
926 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Unexpected tag size in header.");
928 /* Ensure we have space for the full header now (we don't know the size of the name hence this is a
929 * lower limit only) */
931 ALIGN8(offsetof(struct encrypted_credential_header
, iv
) + le32toh(h
->iv_size
)) +
932 ALIGN8(with_tpm2
? offsetof(struct tpm2_credential_header
, policy_hash_and_blob
) : 0) +
933 ALIGN8(with_tpm2_pk
? offsetof(struct tpm2_public_key_credential_header
, data
) : 0) +
934 ALIGN8(offsetof(struct metadata_credential_header
, name
)) +
935 le32toh(h
->tag_size
))
936 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Encrypted file too short.");
938 p
= ALIGN8(offsetof(struct encrypted_credential_header
, iv
) + le32toh(h
->iv_size
));
942 struct tpm2_credential_header
* t
= (struct tpm2_credential_header
*) ((uint8_t*) input
+ p
);
943 struct tpm2_public_key_credential_header
*z
= NULL
;
945 if (!TPM2_PCR_MASK_VALID(t
->pcr_mask
))
946 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "TPM2 PCR mask out of range.");
947 if (!tpm2_pcr_bank_to_string(le16toh(t
->pcr_bank
)))
948 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "TPM2 PCR bank invalid or not supported");
949 if (!tpm2_primary_alg_to_string(le16toh(t
->primary_alg
)))
950 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "TPM2 primary key algorithm invalid or not supported.");
951 if (le32toh(t
->blob_size
) > CREDENTIAL_FIELD_SIZE_MAX
)
952 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Unexpected TPM2 blob size.");
953 if (le32toh(t
->policy_hash_size
) > CREDENTIAL_FIELD_SIZE_MAX
)
954 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Unexpected TPM2 policy hash size.");
956 /* Ensure we have space for the full TPM2 header now (still don't know the name, and its size
957 * though, hence still just a lower limit test only) */
959 ALIGN8(offsetof(struct encrypted_credential_header
, iv
) + le32toh(h
->iv_size
)) +
960 ALIGN8(offsetof(struct tpm2_credential_header
, policy_hash_and_blob
) + le32toh(t
->blob_size
) + le32toh(t
->policy_hash_size
)) +
961 ALIGN8(with_tpm2_pk
? offsetof(struct tpm2_public_key_credential_header
, data
) : 0) +
962 ALIGN8(offsetof(struct metadata_credential_header
, name
)) +
963 le32toh(h
->tag_size
))
964 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Encrypted file too short.");
966 p
+= ALIGN8(offsetof(struct tpm2_credential_header
, policy_hash_and_blob
) +
967 le32toh(t
->blob_size
) +
968 le32toh(t
->policy_hash_size
));
971 z
= (struct tpm2_public_key_credential_header
*) ((uint8_t*) input
+ p
);
973 if (!TPM2_PCR_MASK_VALID(le64toh(z
->pcr_mask
)) || le64toh(z
->pcr_mask
) == 0)
974 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "TPM2 PCR mask out of range.");
975 if (le32toh(z
->size
) > PUBLIC_KEY_MAX
)
976 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Unexpected public key size.");
979 ALIGN8(offsetof(struct encrypted_credential_header
, iv
) + le32toh(h
->iv_size
)) +
980 ALIGN8(offsetof(struct tpm2_credential_header
, policy_hash_and_blob
) + le32toh(t
->blob_size
) + le32toh(t
->policy_hash_size
)) +
981 ALIGN8(offsetof(struct tpm2_public_key_credential_header
, data
) + le32toh(z
->size
)) +
982 ALIGN8(offsetof(struct metadata_credential_header
, name
)) +
983 le32toh(h
->tag_size
))
984 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Encrypted file too short.");
986 p
+= ALIGN8(offsetof(struct tpm2_public_key_credential_header
, data
) +
990 r
= tpm2_unseal(tpm2_device
,
991 le64toh(t
->pcr_mask
),
992 le16toh(t
->pcr_bank
),
994 z
? le32toh(z
->size
) : 0,
995 z
? le64toh(z
->pcr_mask
) : 0,
998 le16toh(t
->primary_alg
),
999 t
->policy_hash_and_blob
,
1000 le32toh(t
->blob_size
),
1001 t
->policy_hash_and_blob
+ le32toh(t
->blob_size
),
1002 le32toh(t
->policy_hash_size
),
1009 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "Credential requires TPM2 support, but TPM2 support not available.");
1013 if (with_host_key
) {
1014 r
= get_credential_host_secret(
1019 return log_error_errno(r
, "Failed to determine local credential key: %m");
1023 log_warning("Warning: using a null key for decryption and authentication. Confidentiality or authenticity are not provided.");
1025 sha256_hash_host_and_tpm2_key(host_key
, host_key_size
, tpm2_key
, tpm2_key_size
, md
);
1027 assert_se(cc
= EVP_aes_256_gcm());
1029 /* Make sure cipher expectations match the header */
1030 if (EVP_CIPHER_key_length(cc
) != (int) le32toh(h
->key_size
))
1031 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Unexpected key size in header.");
1032 if (EVP_CIPHER_block_size(cc
) != (int) le32toh(h
->block_size
))
1033 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Unexpected block size in header.");
1035 context
= EVP_CIPHER_CTX_new();
1037 return log_error_errno(SYNTHETIC_ERRNO(ENOMEM
), "Failed to allocate decryption object: %s",
1038 ERR_error_string(ERR_get_error(), NULL
));
1040 if (EVP_DecryptInit_ex(context
, cc
, NULL
, NULL
, NULL
) != 1)
1041 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to initialize decryption context: %s",
1042 ERR_error_string(ERR_get_error(), NULL
));
1044 if (EVP_CIPHER_CTX_ctrl(context
, EVP_CTRL_GCM_SET_IVLEN
, le32toh(h
->iv_size
), NULL
) != 1)
1045 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to set IV size on decryption context: %s",
1046 ERR_error_string(ERR_get_error(), NULL
));
1048 if (EVP_DecryptInit_ex(context
, NULL
, NULL
, md
, h
->iv
) != 1)
1049 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to set IV and key: %s",
1050 ERR_error_string(ERR_get_error(), NULL
));
1052 if (EVP_DecryptUpdate(context
, NULL
, &added
, input
, p
) != 1)
1053 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to write AAD data: %s",
1054 ERR_error_string(ERR_get_error(), NULL
));
1056 plaintext
= malloc(input_size
- p
- le32toh(h
->tag_size
));
1060 if (EVP_DecryptUpdate(
1064 (uint8_t*) input
+ p
,
1065 input_size
- p
- le32toh(h
->tag_size
)) != 1)
1066 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to decrypt data: %s",
1067 ERR_error_string(ERR_get_error(), NULL
));
1070 assert((size_t) added
<= input_size
- p
- le32toh(h
->tag_size
));
1071 plaintext_size
= added
;
1073 if (EVP_CIPHER_CTX_ctrl(context
, EVP_CTRL_GCM_SET_TAG
, le32toh(h
->tag_size
), (uint8_t*) input
+ input_size
- le32toh(h
->tag_size
)) != 1)
1074 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to set tag: %s",
1075 ERR_error_string(ERR_get_error(), NULL
));
1077 if (EVP_DecryptFinal_ex(context
, (uint8_t*) plaintext
+ plaintext_size
, &added
) != 1)
1078 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Decryption failed (incorrect key?): %s",
1079 ERR_error_string(ERR_get_error(), NULL
));
1081 plaintext_size
+= added
;
1083 if (plaintext_size
< ALIGN8(offsetof(struct metadata_credential_header
, name
)))
1084 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Metadata header incomplete.");
1088 if (le64toh(m
->timestamp
) != USEC_INFINITY
&&
1089 le64toh(m
->not_after
) != USEC_INFINITY
&&
1090 le64toh(m
->timestamp
) >= le64toh(m
->not_after
))
1091 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Timestamps of credential are not in order, refusing.");
1093 if (le32toh(m
->name_size
) > CREDENTIAL_NAME_MAX
)
1094 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Embedded credential name too long, refusing.");
1096 hs
= ALIGN8(offsetof(struct metadata_credential_header
, name
) + le32toh(m
->name_size
));
1097 if (plaintext_size
< hs
)
1098 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Metadata header incomplete.");
1100 if (le32toh(m
->name_size
) > 0) {
1101 _cleanup_free_
char *embedded_name
= NULL
;
1103 if (memchr(m
->name
, 0, le32toh(m
->name_size
)))
1104 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Embedded credential name contains NUL byte, refusing.");
1106 embedded_name
= memdup_suffix0(m
->name
, le32toh(m
->name_size
));
1110 if (!credential_name_valid(embedded_name
))
1111 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Embedded credential name is not valid, refusing.");
1113 if (validate_name
&& !streq(embedded_name
, validate_name
)) {
1115 r
= getenv_bool_secure("SYSTEMD_CREDENTIAL_VALIDATE_NAME");
1116 if (r
< 0 && r
!= -ENXIO
)
1117 log_debug_errno(r
, "Failed to parse $SYSTEMD_CREDENTIAL_VALIDATE_NAME: %m");
1119 return log_error_errno(SYNTHETIC_ERRNO(EREMOTE
), "Embedded credential name '%s' does not match filename '%s', refusing.", embedded_name
, validate_name
);
1121 log_debug("Embedded credential name '%s' does not match expected name '%s', but configured to use credential anyway.", embedded_name
, validate_name
);
1125 if (validate_timestamp
!= USEC_INFINITY
) {
1126 if (le64toh(m
->timestamp
) != USEC_INFINITY
&& le64toh(m
->timestamp
) > validate_timestamp
)
1127 log_debug("Credential timestamp is from the future, assuming clock skew.");
1129 if (le64toh(m
->not_after
) != USEC_INFINITY
&& le64toh(m
->not_after
) < validate_timestamp
) {
1131 r
= getenv_bool_secure("SYSTEMD_CREDENTIAL_VALIDATE_NOT_AFTER");
1132 if (r
< 0 && r
!= -ENXIO
)
1133 log_debug_errno(r
, "Failed to parse $SYSTEMD_CREDENTIAL_VALIDATE_NOT_AFTER: %m");
1135 return log_error_errno(SYNTHETIC_ERRNO(ESTALE
), "Credential's time passed, refusing to use.");
1137 log_debug("Credential not-after timestamp has passed, but configured to use credential anyway.");
1142 char *without_metadata
;
1144 without_metadata
= memdup((uint8_t*) plaintext
+ hs
, plaintext_size
- hs
);
1145 if (!without_metadata
)
1148 *ret
= without_metadata
;
1152 *ret_size
= plaintext_size
- hs
;
1159 int get_credential_host_secret(CredentialSecretFlags flags
, void **ret
, size_t *ret_size
) {
1160 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "Support for encrypted credentials not available.");
1163 int encrypt_credential_and_warn(sd_id128_t with_key
, const char *name
, usec_t timestamp
, usec_t not_after
, const char *tpm2_device
, uint32_t tpm2_hash_pcr_mask
, const char *tpm2_pubkey_path
, uint32_t tpm2_pubkey_pcr_mask
, const void *input
, size_t input_size
, void **ret
, size_t *ret_size
) {
1164 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "Support for encrypted credentials not available.");
1167 int decrypt_credential_and_warn(const char *validate_name
, usec_t validate_timestamp
, const char *tpm2_device
, const char *tpm2_signature_path
, const void *input
, size_t input_size
, void **ret
, size_t *ret_size
) {
1168 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "Support for encrypted credentials not available.");