]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/shared/creds-util.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #23148 from poettering/creds-util-mini-tweaks
[thirdparty/systemd.git] / src / shared / creds-util.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <sys/file.h>
4
5 #if HAVE_OPENSSL
6 #include <openssl/err.h>
7 #endif
8
9 #include "sd-id128.h"
10
11 #include "blockdev-util.h"
12 #include "chattr-util.h"
13 #include "creds-util.h"
14 #include "efi-api.h"
15 #include "env-util.h"
16 #include "fd-util.h"
17 #include "fileio.h"
18 #include "fs-util.h"
19 #include "io-util.h"
20 #include "memory-util.h"
21 #include "mkdir.h"
22 #include "openssl-util.h"
23 #include "path-util.h"
24 #include "random-util.h"
25 #include "sparse-endian.h"
26 #include "stat-util.h"
27 #include "tpm2-util.h"
28 #include "virt.h"
29
30 bool credential_name_valid(const char *s) {
31 /* We want that credential names are both valid in filenames (since that's our primary way to pass
32 * them around) and as fdnames (which is how we might want to pass them around eventually) */
33 return filename_is_valid(s) && fdname_is_valid(s);
34 }
35
36 int get_credentials_dir(const char **ret) {
37 const char *e;
38
39 assert(ret);
40
41 e = secure_getenv("CREDENTIALS_DIRECTORY");
42 if (!e)
43 return -ENXIO;
44
45 if (!path_is_absolute(e) || !path_is_normalized(e))
46 return -EINVAL;
47
48 *ret = e;
49 return 0;
50 }
51
52 int read_credential(const char *name, void **ret, size_t *ret_size) {
53 _cleanup_free_ char *fn = NULL;
54 const char *d;
55 int r;
56
57 assert(ret);
58
59 if (!credential_name_valid(name))
60 return -EINVAL;
61
62 r = get_credentials_dir(&d);
63 if (r < 0)
64 return r;
65
66 fn = path_join(d, name);
67 if (!fn)
68 return -ENOMEM;
69
70 return read_full_file_full(
71 AT_FDCWD, fn,
72 UINT64_MAX, SIZE_MAX,
73 READ_FULL_FILE_SECURE,
74 NULL,
75 (char**) ret, ret_size);
76 }
77
78 #if HAVE_OPENSSL
79
80 #define CREDENTIAL_HOST_SECRET_SIZE 4096
81
82 static const sd_id128_t credential_app_id =
83 SD_ID128_MAKE(d3,ac,ec,ba,0d,ad,4c,df,b8,c9,38,15,28,93,6c,58);
84
85 struct credential_host_secret_format {
86 /* The hashed machine ID of the machine this belongs to. Why? We want to ensure that each machine
87 * gets its own secret, even if people forget to flush out this secret file. Hence we bind it to the
88 * machine ID, for which there's hopefully a better chance it will be flushed out. We use a hashed
89 * machine ID instead of the literal one, because it's trivial to, and it might be a good idea not
90 * being able to directly associate a secret key file with a host. */
91 sd_id128_t machine_id;
92
93 /* The actual secret key */
94 uint8_t data[CREDENTIAL_HOST_SECRET_SIZE];
95 } _packed_;
96
97 static void warn_not_encrypted(int fd, CredentialSecretFlags flags, const char *dirname, const char *filename) {
98 int r;
99
100 assert(fd >= 0);
101 assert(dirname);
102 assert(filename);
103
104 if (!FLAGS_SET(flags, CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED))
105 return;
106
107 r = fd_is_encrypted(fd);
108 if (r < 0)
109 log_debug_errno(r, "Failed to determine if credential secret file '%s/%s' is encrypted.",
110 dirname, filename);
111 else if (r == 0)
112 log_warning("Credential secret file '%s/%s' is not located on encrypted media, using anyway.",
113 dirname, filename);
114 }
115
116 static int make_credential_host_secret(
117 int dfd,
118 const sd_id128_t machine_id,
119 CredentialSecretFlags flags,
120 const char *dirname,
121 const char *fn,
122 void **ret_data,
123 size_t *ret_size) {
124
125 struct credential_host_secret_format buf;
126 _cleanup_free_ char *t = NULL;
127 _cleanup_close_ int fd = -1;
128 int r;
129
130 assert(dfd >= 0);
131 assert(fn);
132
133 fd = openat(dfd, ".", O_CLOEXEC|O_WRONLY|O_TMPFILE, 0400);
134 if (fd < 0) {
135 log_debug_errno(errno, "Failed to create temporary credential file with O_TMPFILE, proceeding without: %m");
136
137 if (asprintf(&t, "credential.secret.%016" PRIx64, random_u64()) < 0)
138 return -ENOMEM;
139
140 fd = openat(dfd, t, O_CLOEXEC|O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW, 0400);
141 if (fd < 0)
142 return -errno;
143 }
144
145 r = chattr_secret(fd, 0);
146 if (r < 0)
147 log_debug_errno(r, "Failed to set file attributes for secrets file, ignoring: %m");
148
149 buf = (struct credential_host_secret_format) {
150 .machine_id = machine_id,
151 };
152
153 r = genuine_random_bytes(buf.data, sizeof(buf.data), RANDOM_BLOCK);
154 if (r < 0)
155 goto finish;
156
157 r = loop_write(fd, &buf, sizeof(buf), false);
158 if (r < 0)
159 goto finish;
160
161 if (fsync(fd) < 0) {
162 r = -errno;
163 goto finish;
164 }
165
166 warn_not_encrypted(fd, flags, dirname, fn);
167
168 if (t) {
169 r = rename_noreplace(dfd, t, dfd, fn);
170 if (r < 0)
171 goto finish;
172
173 t = mfree(t);
174 } else if (linkat(fd, "", dfd, fn, AT_EMPTY_PATH) < 0) {
175 r = -errno;
176 goto finish;
177 }
178
179 if (fsync(dfd) < 0) {
180 r = -errno;
181 goto finish;
182 }
183
184 if (ret_data) {
185 void *copy;
186
187 copy = memdup(buf.data, sizeof(buf.data));
188 if (!copy) {
189 r = -ENOMEM;
190 goto finish;
191 }
192
193 *ret_data = copy;
194 }
195
196 if (ret_size)
197 *ret_size = sizeof(buf.data);
198
199 r = 0;
200
201 finish:
202 if (t && unlinkat(dfd, t, 0) < 0)
203 log_debug_errno(errno, "Failed to remove temporary credential key: %m");
204
205 explicit_bzero_safe(&buf, sizeof(buf));
206 return r;
207 }
208
209 int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *ret_size) {
210 _cleanup_free_ char *_dirname = NULL, *_filename = NULL;
211 _cleanup_close_ int dfd = -1;
212 sd_id128_t machine_id;
213 const char *dirname, *filename;
214 int r;
215
216 r = sd_id128_get_machine_app_specific(credential_app_id, &machine_id);
217 if (r < 0)
218 return r;
219
220 const char *e = secure_getenv("SYSTEMD_CREDENTIAL_SECRET");
221 if (e) {
222 if (!path_is_normalized(e))
223 return -EINVAL;
224 if (!path_is_absolute(e))
225 return -EINVAL;
226
227 r = path_extract_directory(e, &_dirname);
228 if (r < 0)
229 return r;
230
231 r = path_extract_filename(e, &_filename);
232 if (r < 0)
233 return r;
234
235 dirname = _dirname;
236 filename = _filename;
237 } else {
238 dirname = "/var/lib/systemd";
239 filename = "credential.secret";
240 }
241
242 mkdir_parents(dirname, 0755);
243 dfd = open_mkdir_at(AT_FDCWD, dirname, O_CLOEXEC, 0755);
244 if (dfd < 0)
245 return log_debug_errno(dfd, "Failed to create or open directory '%s': %m", dirname);
246
247 if (FLAGS_SET(flags, CREDENTIAL_SECRET_FAIL_ON_TEMPORARY_FS)) {
248 r = fd_is_temporary_fs(dfd);
249 if (r < 0)
250 return log_debug_errno(r, "Failed to check directory '%s': %m", dirname);
251 if (r > 0)
252 return log_debug_errno(SYNTHETIC_ERRNO(ENOMEDIUM),
253 "Directory '%s' is on a temporary file system, refusing.", dirname);
254 }
255
256 for (unsigned attempt = 0;; attempt++) {
257 _cleanup_(erase_and_freep) struct credential_host_secret_format *f = NULL;
258 _cleanup_close_ int fd = -1;
259 size_t l = 0;
260 ssize_t n = 0;
261 struct stat st;
262
263 if (attempt >= 3) /* Somebody is playing games with us */
264 return log_debug_errno(SYNTHETIC_ERRNO(EIO),
265 "All attempts to create secret store in %s failed.", dirname);
266
267 fd = openat(dfd, filename, O_CLOEXEC|O_RDONLY|O_NOCTTY|O_NOFOLLOW);
268 if (fd < 0) {
269 if (errno != ENOENT || !FLAGS_SET(flags, CREDENTIAL_SECRET_GENERATE))
270 return log_debug_errno(errno,
271 "Failed to open %s/%s: %m", dirname, filename);
272
273
274 r = make_credential_host_secret(dfd, machine_id, flags, dirname, filename, ret, ret_size);
275 if (r == -EEXIST) {
276 log_debug_errno(r, "Credential secret %s/%s appeared while we were creating it, rereading.",
277 dirname, filename);
278 continue;
279 }
280 if (r < 0)
281 return log_debug_errno(r, "Failed to create credential secret %s/%s: %m",
282 dirname, filename);
283 return 0;
284 }
285
286 if (fstat(fd, &st) < 0)
287 return log_debug_errno(errno, "Failed to stat %s/%s: %m", dirname, filename);
288
289 r = stat_verify_regular(&st);
290 if (r < 0)
291 return log_debug_errno(r, "%s/%s is not a regular file: %m", dirname, filename);
292 if (st.st_nlink == 0) /* Deleted by now, try again */
293 continue;
294 if (st.st_nlink > 1)
295 /* Our deletion check won't work if hardlinked somewhere else */
296 return log_debug_errno(SYNTHETIC_ERRNO(EPERM),
297 "%s/%s has too many links, refusing.",
298 dirname, filename);
299 if ((st.st_mode & 07777) != 0400)
300 /* Don't use file if not 0400 access mode */
301 return log_debug_errno(SYNTHETIC_ERRNO(EPERM),
302 "%s/%s has permissive access mode, refusing.",
303 dirname, filename);
304 l = st.st_size;
305 if (l < offsetof(struct credential_host_secret_format, data) + 1)
306 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
307 "%s/%s is too small, refusing.", dirname, filename);
308 if (l > 16*1024*1024)
309 return log_debug_errno(SYNTHETIC_ERRNO(E2BIG),
310 "%s/%s is too big, refusing.", dirname, filename);
311
312 f = malloc(l+1);
313 if (!f)
314 return log_oom_debug();
315
316 n = read(fd, f, l+1);
317 if (n < 0)
318 return log_debug_errno(errno,
319 "Failed to read %s/%s: %m", dirname, filename);
320 if ((size_t) n != l) /* What? The size changed? */
321 return log_debug_errno(SYNTHETIC_ERRNO(EIO),
322 "Failed to read %s/%s: %m", dirname, filename);
323
324 if (sd_id128_equal(machine_id, f->machine_id)) {
325 size_t sz;
326
327 warn_not_encrypted(fd, flags, dirname, filename);
328
329 sz = l - offsetof(struct credential_host_secret_format, data);
330 assert(sz > 0);
331
332 if (ret) {
333 void *copy;
334
335 assert(sz <= sizeof(f->data)); /* Ensure we don't read past f->data bounds */
336
337 copy = memdup(f->data, sz);
338 if (!copy)
339 return log_oom_debug();
340
341 *ret = copy;
342 }
343
344 if (ret_size)
345 *ret_size = sz;
346
347 return 0;
348 }
349
350 /* Hmm, this secret is from somewhere else. Let's delete the file. Let's first acquire a lock
351 * to ensure we are the only ones accessing the file while we delete it. */
352
353 if (flock(fd, LOCK_EX) < 0)
354 return log_debug_errno(errno,
355 "Failed to flock %s/%s: %m", dirname, filename);
356
357 /* Before we delete it check that the file is still linked into the file system */
358 if (fstat(fd, &st) < 0)
359 return log_debug_errno(errno, "Failed to stat %s/%s: %m", dirname, filename);
360 if (st.st_nlink == 0) /* Already deleted by now? */
361 continue;
362 if (st.st_nlink != 1) /* Safety check, someone is playing games with us */
363 return log_debug_errno(SYNTHETIC_ERRNO(EPERM),
364 "%s/%s unexpectedly has too many links.",
365 dirname, filename);
366 if (unlinkat(dfd, filename, 0) < 0)
367 return log_debug_errno(errno, "Failed to unlink %s/%s: %m", dirname, filename);
368
369 /* And now try again */
370 }
371 }
372
373 /* Construction is like this:
374 *
375 * A symmetric encryption key is derived from:
376 *
377 * 1. Either the "host" key (a key stored in /var/lib/credential.secret)
378 *
379 * 2. A key generated by letting the TPM2 calculate an HMAC hash of some nonce we pass to it, keyed
380 * by a key derived from its internal seed key.
381 *
382 * 3. The concatenation of the above.
383 *
384 * 4. Or a fixed "empty" key. This will not provide confidentiality or authenticity, of course, but is
385 * useful to encode credentials for the initrd on TPM-less systems, where we simply have no better
386 * concept to bind things to. Note that decryption of a key set up like this will be refused on
387 * systems that have a TPM and have SecureBoot enabled.
388 *
389 * The above is hashed with SHA256 which is then used as encryption key for AES256-GCM. The encrypted
390 * credential is a short (unencrypted) header describing which of the three keys to use, the IV to use for
391 * AES256-GCM and some more meta information (sizes of certain objects) that is strictly speaking redundant,
392 * but kinda nice to have since we can have a more generic parser. If the TPM2 key is used this is followed
393 * by another (unencrypted) header, with information about the TPM2 policy used (specifically: the PCR mask
394 * to bind against, and a hash of the resulting policy — the latter being redundant, but speeding up things a
395 * bit, since we can more quickly refuse PCR state), followed by a sealed/exported TPM2 HMAC key. This is
396 * then followed by the encrypted data, which begins with a metadata header (which contains validity
397 * timestamps as well as the credential name), followed by the actual credential payload. The file ends in
398 * the AES256-GCM tag. To make things simple, the AES256-GCM AAD covers the main and the TPM2 header in
399 * full. This means the whole file is either protected by AAD, or is ciphertext, or is the tag. No
400 * unprotected data is included.
401 */
402
403 struct _packed_ encrypted_credential_header {
404 sd_id128_t id;
405 le32_t key_size;
406 le32_t block_size;
407 le32_t iv_size;
408 le32_t tag_size;
409 uint8_t iv[];
410 /* Followed by NUL bytes until next 8 byte boundary */
411 };
412
413 struct _packed_ tpm2_credential_header {
414 le64_t pcr_mask; /* Note that the spec for PC Clients only mandates 24 PCRs, and that's what systems
415 * generally have. But keep the door open for more. */
416 le16_t pcr_bank; /* For now, either TPM2_ALG_SHA256 or TPM2_ALG_SHA1 */
417 le16_t primary_alg; /* Primary key algorithm (either TPM2_ALG_RSA or TPM2_ALG_ECC for now) */
418 le32_t blob_size;
419 le32_t policy_hash_size;
420 uint8_t policy_hash_and_blob[];
421 /* Followed by NUL bytes until next 8 byte boundary */
422 };
423
424 struct _packed_ metadata_credential_header {
425 le64_t timestamp;
426 le64_t not_after;
427 le32_t name_size;
428 char name[];
429 /* Followed by NUL bytes until next 8 byte boundary */
430 };
431
432 /* Some generic limit for parts of the encrypted credential for which we don't know the right size ahead of
433 * time, but where we are really sure it won't be larger than this. Should be larger than any possible IV,
434 * padding, tag size and so on. This is purely used for early filtering out of invalid sizes. */
435 #define CREDENTIAL_FIELD_SIZE_MAX (16U*1024U)
436
437 static int sha256_hash_host_and_tpm2_key(
438 const void *host_key,
439 size_t host_key_size,
440 const void *tpm2_key,
441 size_t tpm2_key_size,
442 uint8_t ret[static SHA256_DIGEST_LENGTH]) {
443
444 _cleanup_(EVP_MD_CTX_freep) EVP_MD_CTX *md = NULL;
445 unsigned l;
446
447 assert(host_key_size == 0 || host_key);
448 assert(tpm2_key_size == 0 || tpm2_key);
449 assert(ret);
450
451 /* Combines the host key and the TPM2 HMAC hash into a SHA256 hash value we'll use as symmetric encryption key. */
452
453 md = EVP_MD_CTX_new();
454 if (!md)
455 return log_oom();
456
457 if (EVP_DigestInit_ex(md, EVP_sha256(), NULL) != 1)
458 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initial SHA256 context.");
459
460 if (host_key && EVP_DigestUpdate(md, host_key, host_key_size) != 1)
461 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to hash host key.");
462
463 if (tpm2_key && EVP_DigestUpdate(md, tpm2_key, tpm2_key_size) != 1)
464 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to hash TPM2 key.");
465
466 assert(EVP_MD_CTX_size(md) == SHA256_DIGEST_LENGTH);
467
468 if (EVP_DigestFinal_ex(md, ret, &l) != 1)
469 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to finalize SHA256 hash.");
470
471 assert(l == SHA256_DIGEST_LENGTH);
472 return 0;
473 }
474
475 int encrypt_credential_and_warn(
476 sd_id128_t with_key,
477 const char *name,
478 usec_t timestamp,
479 usec_t not_after,
480 const char *tpm2_device,
481 uint32_t tpm2_pcr_mask,
482 const void *input,
483 size_t input_size,
484 void **ret,
485 size_t *ret_size) {
486
487 _cleanup_(EVP_CIPHER_CTX_freep) EVP_CIPHER_CTX *context = NULL;
488 _cleanup_(erase_and_freep) void *host_key = NULL, *tpm2_key = NULL;
489 size_t host_key_size = 0, tpm2_key_size = 0, tpm2_blob_size = 0, tpm2_policy_hash_size = 0, output_size, p, ml;
490 _cleanup_free_ void *tpm2_blob = NULL, *tpm2_policy_hash = NULL, *iv = NULL, *output = NULL;
491 _cleanup_free_ struct metadata_credential_header *m = NULL;
492 uint16_t tpm2_pcr_bank = 0, tpm2_primary_alg = 0;
493 struct encrypted_credential_header *h;
494 int ksz, bsz, ivsz, tsz, added, r;
495 uint8_t md[SHA256_DIGEST_LENGTH];
496 const EVP_CIPHER *cc;
497 sd_id128_t id;
498
499 assert(input || input_size == 0);
500 assert(ret);
501 assert(ret_size);
502
503 if (!sd_id128_in_set(with_key,
504 _CRED_AUTO,
505 _CRED_AUTO_INITRD,
506 CRED_AES256_GCM_BY_HOST,
507 CRED_AES256_GCM_BY_TPM2_HMAC,
508 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC,
509 CRED_AES256_GCM_BY_TPM2_ABSENT))
510 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid key type: " SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(with_key));
511
512 if (name && !credential_name_valid(name))
513 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid credential name: %s", name);
514
515 if (not_after != USEC_INFINITY && timestamp != USEC_INFINITY && not_after < timestamp)
516 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential is invalidated before it is valid (" USEC_FMT " < " USEC_FMT ").", not_after, timestamp);
517
518 if (DEBUG_LOGGING) {
519 char buf[FORMAT_TIMESTAMP_MAX];
520
521 if (name)
522 log_debug("Including credential name '%s' in encrypted credential.", name);
523 if (timestamp != USEC_INFINITY)
524 log_debug("Including timestamp '%s' in encrypted credential.", format_timestamp(buf, sizeof(buf), timestamp));
525 if (not_after != USEC_INFINITY)
526 log_debug("Including not-after timestamp '%s' in encrypted credential.", format_timestamp(buf, sizeof(buf), not_after));
527 }
528
529 if (sd_id128_in_set(with_key,
530 _CRED_AUTO,
531 CRED_AES256_GCM_BY_HOST,
532 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC)) {
533
534 r = get_credential_host_secret(
535 CREDENTIAL_SECRET_GENERATE|
536 CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED|
537 (sd_id128_equal(with_key, _CRED_AUTO) ? CREDENTIAL_SECRET_FAIL_ON_TEMPORARY_FS : 0),
538 &host_key,
539 &host_key_size);
540 if (r == -ENOMEDIUM && sd_id128_equal(with_key, _CRED_AUTO))
541 log_debug_errno(r, "Credential host secret location on temporary file system, not using.");
542 else if (r < 0)
543 return log_error_errno(r, "Failed to determine local credential host secret: %m");
544 }
545
546 #if HAVE_TPM2
547 bool try_tpm2;
548 if (sd_id128_equal(with_key, _CRED_AUTO)) {
549 /* If automatic mode is selected and we are running in a container, let's not try TPM2. OTOH
550 * if user picks TPM2 explicitly, let's always honour the request and try. */
551
552 r = detect_container();
553 if (r < 0)
554 log_debug_errno(r, "Failed to determine whether we are running in a container, ignoring: %m");
555 else if (r > 0)
556 log_debug("Running in container, not attempting to use TPM2.");
557
558 try_tpm2 = r <= 0;
559 } else if (sd_id128_equal(with_key, _CRED_AUTO_INITRD)) {
560 /* If automatic mode for initrds is selected, we'll use the TPM2 key if the firmware does it,
561 * otherwise we'll use a fixed key */
562
563 try_tpm2 = efi_has_tpm2();
564 if (!try_tpm2)
565 log_debug("Firmware lacks TPM2 support, not attempting to use TPM2.");
566 } else
567 try_tpm2 = sd_id128_in_set(with_key, CRED_AES256_GCM_BY_TPM2_HMAC, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC);
568
569 if (try_tpm2) {
570 r = tpm2_seal(tpm2_device,
571 tpm2_pcr_mask,
572 NULL,
573 &tpm2_key,
574 &tpm2_key_size,
575 &tpm2_blob,
576 &tpm2_blob_size,
577 &tpm2_policy_hash,
578 &tpm2_policy_hash_size,
579 &tpm2_pcr_bank,
580 &tpm2_primary_alg);
581 if (r < 0) {
582 if (sd_id128_equal(with_key, _CRED_AUTO_INITRD))
583 log_warning("Firmware reported a TPM2 being present and used, but we didn't manage to talk to it. Credential will be refused if SecureBoot is enabled.");
584 else if (!sd_id128_equal(with_key, _CRED_AUTO))
585 return r;
586
587 log_notice_errno(r, "TPM2 sealing didn't work, continuing without TPM2: %m");
588 }
589
590 assert(tpm2_blob_size <= CREDENTIAL_FIELD_SIZE_MAX);
591 assert(tpm2_policy_hash_size <= CREDENTIAL_FIELD_SIZE_MAX);
592 }
593 #endif
594
595 if (sd_id128_in_set(with_key, _CRED_AUTO, _CRED_AUTO_INITRD)) {
596 /* Let's settle the key type in auto mode now. */
597
598 if (host_key && tpm2_key)
599 id = CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC;
600 else if (tpm2_key)
601 id = CRED_AES256_GCM_BY_TPM2_HMAC;
602 else if (host_key)
603 id = CRED_AES256_GCM_BY_HOST;
604 else if (sd_id128_equal(with_key, _CRED_AUTO_INITRD))
605 id = CRED_AES256_GCM_BY_TPM2_ABSENT;
606 else
607 return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
608 "TPM2 not available and host key located on temporary file system, no encryption key available.");
609 } else
610 id = with_key;
611
612 if (sd_id128_equal(id, CRED_AES256_GCM_BY_TPM2_ABSENT))
613 log_warning("Using a null key for encryption and signing. Confidentiality or authenticity will not be provided.");
614
615 /* Let's now take the host key and the TPM2 key and hash it together, to use as encryption key for the data */
616 r = sha256_hash_host_and_tpm2_key(host_key, host_key_size, tpm2_key, tpm2_key_size, md);
617 if (r < 0)
618 return r;
619
620 assert_se(cc = EVP_aes_256_gcm());
621
622 ksz = EVP_CIPHER_key_length(cc);
623 assert(ksz == sizeof(md));
624
625 bsz = EVP_CIPHER_block_size(cc);
626 assert(bsz > 0);
627 assert((size_t) bsz <= CREDENTIAL_FIELD_SIZE_MAX);
628
629 ivsz = EVP_CIPHER_iv_length(cc);
630 if (ivsz > 0) {
631 assert((size_t) ivsz <= CREDENTIAL_FIELD_SIZE_MAX);
632
633 iv = malloc(ivsz);
634 if (!iv)
635 return log_oom();
636
637 r = genuine_random_bytes(iv, ivsz, RANDOM_BLOCK);
638 if (r < 0)
639 return log_error_errno(r, "Failed to acquired randomized IV: %m");
640 }
641
642 tsz = 16; /* FIXME: On OpenSSL 3 there is EVP_CIPHER_CTX_get_tag_length(), until then let's hardcode this */
643
644 context = EVP_CIPHER_CTX_new();
645 if (!context)
646 return log_error_errno(SYNTHETIC_ERRNO(ENOMEM), "Failed to allocate encryption object: %s",
647 ERR_error_string(ERR_get_error(), NULL));
648
649 if (EVP_EncryptInit_ex(context, cc, NULL, md, iv) != 1)
650 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initialize encryption context: %s",
651 ERR_error_string(ERR_get_error(), NULL));
652
653 /* Just an upper estimate */
654 output_size =
655 ALIGN8(offsetof(struct encrypted_credential_header, iv) + ivsz) +
656 ALIGN8(tpm2_key ? offsetof(struct tpm2_credential_header, policy_hash_and_blob) + tpm2_blob_size + tpm2_policy_hash_size : 0) +
657 ALIGN8(offsetof(struct metadata_credential_header, name) + strlen_ptr(name)) +
658 input_size + 2U * (size_t) bsz +
659 tsz;
660
661 output = malloc0(output_size);
662 if (!output)
663 return log_oom();
664
665 h = (struct encrypted_credential_header*) output;
666 h->id = id;
667 h->block_size = htole32(bsz);
668 h->key_size = htole32(ksz);
669 h->tag_size = htole32(tsz);
670 h->iv_size = htole32(ivsz);
671 memcpy(h->iv, iv, ivsz);
672
673 p = ALIGN8(offsetof(struct encrypted_credential_header, iv) + ivsz);
674
675 if (tpm2_key) {
676 struct tpm2_credential_header *t;
677
678 t = (struct tpm2_credential_header*) ((uint8_t*) output + p);
679 t->pcr_mask = htole64(tpm2_pcr_mask);
680 t->pcr_bank = htole16(tpm2_pcr_bank);
681 t->primary_alg = htole16(tpm2_primary_alg);
682 t->blob_size = htole32(tpm2_blob_size);
683 t->policy_hash_size = htole32(tpm2_policy_hash_size);
684 memcpy(t->policy_hash_and_blob, tpm2_blob, tpm2_blob_size);
685 memcpy(t->policy_hash_and_blob + tpm2_blob_size, tpm2_policy_hash, tpm2_policy_hash_size);
686
687 p += ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + tpm2_blob_size + tpm2_policy_hash_size);
688 }
689
690 /* Pass the encrypted + TPM2 header as AAD */
691 if (EVP_EncryptUpdate(context, NULL, &added, output, p) != 1)
692 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to write AAD data: %s",
693 ERR_error_string(ERR_get_error(), NULL));
694
695 /* Now construct the metadata header */
696 ml = strlen_ptr(name);
697 m = malloc0(ALIGN8(offsetof(struct metadata_credential_header, name) + ml));
698 if (!m)
699 return log_oom();
700
701 m->timestamp = htole64(timestamp);
702 m->not_after = htole64(not_after);
703 m->name_size = htole32(ml);
704 memcpy_safe(m->name, name, ml);
705
706 /* And encrypt the metadata header */
707 if (EVP_EncryptUpdate(context, (uint8_t*) output + p, &added, (const unsigned char*) m, ALIGN8(offsetof(struct metadata_credential_header, name) + ml)) != 1)
708 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to encrypt metadata header: %s",
709 ERR_error_string(ERR_get_error(), NULL));
710
711 assert(added >= 0);
712 assert((size_t) added <= output_size - p);
713 p += added;
714
715 /* Then encrypt the plaintext */
716 if (EVP_EncryptUpdate(context, (uint8_t*) output + p, &added, input, input_size) != 1)
717 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to encrypt data: %s",
718 ERR_error_string(ERR_get_error(), NULL));
719
720 assert(added >= 0);
721 assert((size_t) added <= output_size - p);
722 p += added;
723
724 /* Finalize */
725 if (EVP_EncryptFinal_ex(context, (uint8_t*) output + p, &added) != 1)
726 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to finalize data encryption: %s",
727 ERR_error_string(ERR_get_error(), NULL));
728
729 assert(added >= 0);
730 assert((size_t) added <= output_size - p);
731 p += added;
732
733 assert(p <= output_size - tsz);
734
735 /* Append tag */
736 if (EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_GCM_GET_TAG, tsz, (uint8_t*) output + p) != 1)
737 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to get tag: %s",
738 ERR_error_string(ERR_get_error(), NULL));
739
740 p += tsz;
741 assert(p <= output_size);
742
743 if (DEBUG_LOGGING && input_size > 0) {
744 size_t base64_size;
745
746 base64_size = DIV_ROUND_UP(p * 4, 3); /* Include base64 size increase in debug output */
747 assert(base64_size >= input_size);
748 log_debug("Input of %zu bytes grew to output of %zu bytes (+%2zu%%).", input_size, base64_size, base64_size * 100 / input_size - 100);
749 }
750
751 *ret = TAKE_PTR(output);
752 *ret_size = p;
753
754 return 0;
755 }
756
757 int decrypt_credential_and_warn(
758 const char *validate_name,
759 usec_t validate_timestamp,
760 const char *tpm2_device,
761 const void *input,
762 size_t input_size,
763 void **ret,
764 size_t *ret_size) {
765
766 _cleanup_(erase_and_freep) void *host_key = NULL, *tpm2_key = NULL, *plaintext = NULL;
767 _cleanup_(EVP_CIPHER_CTX_freep) EVP_CIPHER_CTX *context = NULL;
768 size_t host_key_size = 0, tpm2_key_size = 0, plaintext_size, p, hs;
769 struct encrypted_credential_header *h;
770 struct metadata_credential_header *m;
771 uint8_t md[SHA256_DIGEST_LENGTH];
772 bool with_tpm2, with_host_key, is_tpm2_absent;
773 const EVP_CIPHER *cc;
774 int r, added;
775
776 assert(input || input_size == 0);
777 assert(ret);
778 assert(ret_size);
779
780 h = (struct encrypted_credential_header*) input;
781
782 /* The ID must fit in, for the current and all future formats */
783 if (input_size < sizeof(h->id))
784 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
785
786 with_host_key = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_HOST, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC);
787 with_tpm2 = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_TPM2_HMAC, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC);
788 is_tpm2_absent = sd_id128_equal(h->id, CRED_AES256_GCM_BY_TPM2_ABSENT);
789
790 if (!with_host_key && !with_tpm2 && !is_tpm2_absent)
791 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Unknown encryption format, or corrupted data: %m");
792
793 if (is_tpm2_absent) {
794 /* So this is a credential encrypted with a zero length key. We support this to cover for the
795 * case where neither a host key not a TPM2 are available (specifically: initrd environments
796 * where the host key is not yet accessible and no TPM2 chip exists at all), to minimize
797 * different codeflow for TPM2 and non-TPM2 codepaths. Of course, credentials encoded this
798 * way offer no confidentiality nor authenticity. Because of that it's important we refuse to
799 * use them on systems that actually *do* have a TPM2 chip – if we are in SecureBoot
800 * mode. Otherwise an attacker could hand us credentials like this and we'd use them thinking
801 * they are trusted, even though they are not. */
802
803 if (efi_has_tpm2()) {
804 if (is_efi_secure_boot())
805 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG),
806 "Credential uses fixed key for fallback use when TPM2 is absent — but TPM2 is present, and SecureBoot is enabled, refusing.");
807
808 log_warning("Credential uses fixed key for use when TPM2 is absent, but TPM2 is present! Accepting anyway, since SecureBoot is disabled.");
809 } else
810 log_debug("Credential uses fixed key for use when TPM2 is absent, and TPM2 indeed is absent. Accepting.");
811 }
812
813 /* Now we know the minimum header size */
814 if (input_size < offsetof(struct encrypted_credential_header, iv))
815 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
816
817 /* Verify some basic header values */
818 if (le32toh(h->key_size) != sizeof(md))
819 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected key size in header.");
820 if (le32toh(h->block_size) <= 0 || le32toh(h->block_size) > CREDENTIAL_FIELD_SIZE_MAX)
821 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected block size in header.");
822 if (le32toh(h->iv_size) > CREDENTIAL_FIELD_SIZE_MAX)
823 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "IV size too large.");
824 if (le32toh(h->tag_size) != 16) /* FIXME: On OpenSSL 3, let's verify via EVP_CIPHER_CTX_get_tag_length() */
825 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected tag size in header.");
826
827 /* Ensure we have space for the full header now (we don't know the size of the name hence this is a
828 * lower limit only) */
829 if (input_size <
830 ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size)) +
831 ALIGN8((with_tpm2 ? offsetof(struct tpm2_credential_header, policy_hash_and_blob) : 0)) +
832 ALIGN8(offsetof(struct metadata_credential_header, name)) +
833 le32toh(h->tag_size))
834 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
835
836 p = ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size));
837
838 if (with_tpm2) {
839 #if HAVE_TPM2
840 struct tpm2_credential_header* t = (struct tpm2_credential_header*) ((uint8_t*) input + p);
841
842 if (le64toh(t->pcr_mask) >= (UINT64_C(1) << TPM2_PCRS_MAX))
843 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR mask out of range.");
844 if (!tpm2_pcr_bank_to_string(le16toh(t->pcr_bank)))
845 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR bank invalid or not supported");
846 if (!tpm2_primary_alg_to_string(le16toh(t->primary_alg)))
847 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 primary key algorithm invalid or not supported.");
848 if (le32toh(t->blob_size) > CREDENTIAL_FIELD_SIZE_MAX)
849 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected TPM2 blob size.");
850 if (le32toh(t->policy_hash_size) > CREDENTIAL_FIELD_SIZE_MAX)
851 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected TPM2 policy hash size.");
852
853 /* Ensure we have space for the full TPM2 header now (still don't know the name, and its size
854 * though, hence still just a lower limit test only) */
855 if (input_size <
856 ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size)) +
857 ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + le32toh(t->blob_size) + le32toh(t->policy_hash_size)) +
858 ALIGN8(offsetof(struct metadata_credential_header, name)) +
859 le32toh(h->tag_size))
860 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
861
862 r = tpm2_unseal(tpm2_device,
863 le64toh(t->pcr_mask),
864 le16toh(t->pcr_bank),
865 le16toh(t->primary_alg),
866 t->policy_hash_and_blob,
867 le32toh(t->blob_size),
868 t->policy_hash_and_blob + le32toh(t->blob_size),
869 le32toh(t->policy_hash_size),
870 NULL,
871 &tpm2_key,
872 &tpm2_key_size);
873 if (r < 0)
874 return r;
875
876 p += ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) +
877 le32toh(t->blob_size) +
878 le32toh(t->policy_hash_size));
879 #else
880 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Credential requires TPM2 support, but TPM2 support not available.");
881 #endif
882 }
883
884 if (with_host_key) {
885 r = get_credential_host_secret(
886 0,
887 &host_key,
888 &host_key_size);
889 if (r < 0)
890 return log_error_errno(r, "Failed to determine local credential key: %m");
891 }
892
893 if (is_tpm2_absent)
894 log_warning("Warning: using a null key for decryption and authentication. Confidentiality or authenticity are not provided.");
895
896 sha256_hash_host_and_tpm2_key(host_key, host_key_size, tpm2_key, tpm2_key_size, md);
897
898 assert_se(cc = EVP_aes_256_gcm());
899
900 /* Make sure cipher expectations match the header */
901 if (EVP_CIPHER_key_length(cc) != (int) le32toh(h->key_size))
902 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected key size in header.");
903 if (EVP_CIPHER_block_size(cc) != (int) le32toh(h->block_size))
904 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected block size in header.");
905
906 context = EVP_CIPHER_CTX_new();
907 if (!context)
908 return log_error_errno(SYNTHETIC_ERRNO(ENOMEM), "Failed to allocate decryption object: %s",
909 ERR_error_string(ERR_get_error(), NULL));
910
911 if (EVP_DecryptInit_ex(context, cc, NULL, NULL, NULL) != 1)
912 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initialize decryption context: %s",
913 ERR_error_string(ERR_get_error(), NULL));
914
915 if (EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_GCM_SET_IVLEN, le32toh(h->iv_size), NULL) != 1)
916 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set IV size on decryption context: %s",
917 ERR_error_string(ERR_get_error(), NULL));
918
919 if (EVP_DecryptInit_ex(context, NULL, NULL, md, h->iv) != 1)
920 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set IV and key: %s",
921 ERR_error_string(ERR_get_error(), NULL));
922
923 if (EVP_DecryptUpdate(context, NULL, &added, input, p) != 1)
924 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to write AAD data: %s",
925 ERR_error_string(ERR_get_error(), NULL));
926
927 plaintext = malloc(input_size - p - le32toh(h->tag_size));
928 if (!plaintext)
929 return -ENOMEM;
930
931 if (EVP_DecryptUpdate(
932 context,
933 plaintext,
934 &added,
935 (uint8_t*) input + p,
936 input_size - p - le32toh(h->tag_size)) != 1)
937 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to decrypt data: %s",
938 ERR_error_string(ERR_get_error(), NULL));
939
940 assert(added >= 0);
941 assert((size_t) added <= input_size - p - le32toh(h->tag_size));
942 plaintext_size = added;
943
944 if (EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_GCM_SET_TAG, le32toh(h->tag_size), (uint8_t*) input + input_size - le32toh(h->tag_size)) != 1)
945 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set tag: %s",
946 ERR_error_string(ERR_get_error(), NULL));
947
948 if (EVP_DecryptFinal_ex(context, (uint8_t*) plaintext + plaintext_size, &added) != 1)
949 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Decryption failed (incorrect key?): %s",
950 ERR_error_string(ERR_get_error(), NULL));
951
952 plaintext_size += added;
953
954 if (plaintext_size < ALIGN8(offsetof(struct metadata_credential_header, name)))
955 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Metadata header incomplete.");
956
957 m = plaintext;
958
959 if (le64toh(m->timestamp) != USEC_INFINITY &&
960 le64toh(m->not_after) != USEC_INFINITY &&
961 le64toh(m->timestamp) >= le64toh(m->not_after))
962 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Timestamps of credential are not in order, refusing.");
963
964 if (le32toh(m->name_size) > CREDENTIAL_NAME_MAX)
965 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Embedded credential name too long, refusing.");
966
967 hs = ALIGN8(offsetof(struct metadata_credential_header, name) + le32toh(m->name_size));
968 if (plaintext_size < hs)
969 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Metadata header incomplete.");
970
971 if (le32toh(m->name_size) > 0) {
972 _cleanup_free_ char *embedded_name = NULL;
973
974 if (memchr(m->name, 0, le32toh(m->name_size)))
975 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Embedded credential name contains NUL byte, refusing.");
976
977 embedded_name = memdup_suffix0(m->name, le32toh(m->name_size));
978 if (!embedded_name)
979 return log_oom();
980
981 if (!credential_name_valid(embedded_name))
982 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Embedded credential name is not valid, refusing.");
983
984 if (validate_name && !streq(embedded_name, validate_name)) {
985
986 r = getenv_bool_secure("SYSTEMD_CREDENTIAL_VALIDATE_NAME");
987 if (r < 0 && r != -ENXIO)
988 log_debug_errno(r, "Failed to parse $SYSTEMD_CREDENTIAL_VALIDATE_NAME: %m");
989 if (r != 0)
990 return log_error_errno(SYNTHETIC_ERRNO(EREMOTE), "Embedded credential name '%s' does not match filename '%s', refusing.", embedded_name, validate_name);
991
992 log_debug("Embedded credential name '%s' does not match expected name '%s', but configured to use credential anyway.", embedded_name, validate_name);
993 }
994 }
995
996 if (validate_timestamp != USEC_INFINITY) {
997 if (le64toh(m->timestamp) != USEC_INFINITY && le64toh(m->timestamp) > validate_timestamp)
998 log_debug("Credential timestamp is from the future, assuming clock skew.");
999
1000 if (le64toh(m->not_after) != USEC_INFINITY && le64toh(m->not_after) < validate_timestamp) {
1001
1002 r = getenv_bool_secure("SYSTEMD_CREDENTIAL_VALIDATE_NOT_AFTER");
1003 if (r < 0 && r != -ENXIO)
1004 log_debug_errno(r, "Failed to parse $SYSTEMD_CREDENTIAL_VALIDATE_NOT_AFTER: %m");
1005 if (r != 0)
1006 return log_error_errno(SYNTHETIC_ERRNO(ESTALE), "Credential's time passed, refusing to use.");
1007
1008 log_debug("Credential not-after timestamp has passed, but configured to use credential anyway.");
1009 }
1010 }
1011
1012 if (ret) {
1013 char *without_metadata;
1014
1015 without_metadata = memdup((uint8_t*) plaintext + hs, plaintext_size - hs);
1016 if (!without_metadata)
1017 return log_oom();
1018
1019 *ret = without_metadata;
1020 }
1021
1022 if (ret_size)
1023 *ret_size = plaintext_size - hs;
1024
1025 return 0;
1026 }
1027
1028 #else
1029
1030 int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *ret_size) {
1031 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available.");
1032 }
1033
1034 int encrypt_credential_and_warn(sd_id128_t with_key, const char *name, usec_t timestamp, usec_t not_after, const char *tpm2_device, uint32_t tpm2_pcr_mask, const void *input, size_t input_size, void **ret, size_t *ret_size) {
1035 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available.");
1036 }
1037
1038 int decrypt_credential_and_warn(const char *validate_name, usec_t validate_timestamp, const char *tpm2_device, const void *input, size_t input_size, void **ret, size_t *ret_size) {
1039 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available.");
1040 }
1041
1042 #endif
Unnamed repository; edit this file 'description' to name the repository.