]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/shared/creds-util.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Merge pull request #20522 from yuwata/cgroup-fix
[thirdparty/systemd.git] / src / shared / creds-util.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <sys/file.h>
4
5 #if HAVE_OPENSSL
6 #include <openssl/err.h>
7 #endif
8
9 #include "sd-id128.h"
10
11 #include "blockdev-util.h"
12 #include "chattr-util.h"
13 #include "creds-util.h"
14 #include "env-util.h"
15 #include "fd-util.h"
16 #include "fileio.h"
17 #include "fs-util.h"
18 #include "io-util.h"
19 #include "memory-util.h"
20 #include "mkdir.h"
21 #include "openssl-util.h"
22 #include "path-util.h"
23 #include "random-util.h"
24 #include "sparse-endian.h"
25 #include "stat-util.h"
26 #include "tpm2-util.h"
27 #include "virt.h"
28
29 bool credential_name_valid(const char *s) {
30 /* We want that credential names are both valid in filenames (since that's our primary way to pass
31 * them around) and as fdnames (which is how we might want to pass them around eventually) */
32 return filename_is_valid(s) && fdname_is_valid(s);
33 }
34
35 int get_credentials_dir(const char **ret) {
36 const char *e;
37
38 assert(ret);
39
40 e = secure_getenv("CREDENTIALS_DIRECTORY");
41 if (!e)
42 return -ENXIO;
43
44 if (!path_is_absolute(e) || !path_is_normalized(e))
45 return -EINVAL;
46
47 *ret = e;
48 return 0;
49 }
50
51 int read_credential(const char *name, void **ret, size_t *ret_size) {
52 _cleanup_free_ char *fn = NULL;
53 const char *d;
54 int r;
55
56 assert(ret);
57
58 if (!credential_name_valid(name))
59 return -EINVAL;
60
61 r = get_credentials_dir(&d);
62 if (r < 0)
63 return r;
64
65 fn = path_join(d, name);
66 if (!fn)
67 return -ENOMEM;
68
69 return read_full_file_full(
70 AT_FDCWD, fn,
71 UINT64_MAX, SIZE_MAX,
72 READ_FULL_FILE_SECURE,
73 NULL,
74 (char**) ret, ret_size);
75 }
76
77 #if HAVE_OPENSSL
78
79 #define CREDENTIAL_HOST_SECRET_SIZE 4096
80
81 static const sd_id128_t credential_app_id =
82 SD_ID128_MAKE(d3,ac,ec,ba,0d,ad,4c,df,b8,c9,38,15,28,93,6c,58);
83
84 struct credential_host_secret_format {
85 /* The hashed machine ID of the machine this belongs to. Why? We want to ensure that each machine
86 * gets its own secret, even if people forget to flush out this secret file. Hence we bind it to the
87 * machine ID, for which there's hopefully a better chance it will be flushed out. We use a hashed
88 * machine ID instead of the literal one, because it's trivial to, and it might be a good idea not
89 * being able to directly associate a secret key file with a host. */
90 sd_id128_t machine_id;
91
92 /* The actual secret key */
93 uint8_t data[CREDENTIAL_HOST_SECRET_SIZE];
94 } _packed_;
95
96 static int make_credential_host_secret(
97 int dfd,
98 const sd_id128_t machine_id,
99 const char *fn,
100 void **ret_data,
101 size_t *ret_size) {
102
103 struct credential_host_secret_format buf;
104 _cleanup_free_ char *t = NULL;
105 _cleanup_close_ int fd = -1;
106 int r;
107
108 assert(dfd >= 0);
109 assert(fn);
110
111 fd = openat(dfd, ".", O_CLOEXEC|O_WRONLY|O_TMPFILE, 0400);
112 if (fd < 0) {
113 log_debug_errno(errno, "Failed to create temporary credential file with O_TMPFILE, proceeding without: %m");
114
115 if (asprintf(&t, "credential.secret.%016" PRIx64, random_u64()) < 0)
116 return -ENOMEM;
117
118 fd = openat(dfd, t, O_CLOEXEC|O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW, 0400);
119 if (fd < 0)
120 return -errno;
121 }
122
123 r = chattr_secret(fd, 0);
124 if (r < 0)
125 log_debug_errno(r, "Failed to set file attributes for secrets file, ignoring: %m");
126
127 buf = (struct credential_host_secret_format) {
128 .machine_id = machine_id,
129 };
130
131 r = genuine_random_bytes(buf.data, sizeof(buf.data), RANDOM_BLOCK);
132 if (r < 0)
133 goto finish;
134
135 r = loop_write(fd, &buf, sizeof(buf), false);
136 if (r < 0)
137 goto finish;
138
139 if (fsync(fd) < 0) {
140 r = -errno;
141 goto finish;
142 }
143
144 if (t) {
145 r = rename_noreplace(dfd, t, dfd, fn);
146 if (r < 0)
147 goto finish;
148
149 t = mfree(t);
150 } else if (linkat(fd, "", dfd, fn, AT_EMPTY_PATH) < 0) {
151 r = -errno;
152 goto finish;
153 }
154
155 if (fsync(dfd) < 0) {
156 r = -errno;
157 goto finish;
158 }
159
160 if (ret_data) {
161 void *copy;
162
163 copy = memdup(buf.data, sizeof(buf.data));
164 if (!copy) {
165 r = -ENOMEM;
166 goto finish;
167 }
168
169 *ret_data = copy;
170 }
171
172 if (ret_size)
173 *ret_size = sizeof(buf.data);
174
175 r = 0;
176
177 finish:
178 if (t && unlinkat(dfd, t, 0) < 0)
179 log_debug_errno(errno, "Failed to remove temporary credential key: %m");
180
181 explicit_bzero_safe(&buf, sizeof(buf));
182 return r;
183 }
184
185 int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *ret_size) {
186 _cleanup_free_ char *efn = NULL, *ep = NULL;
187 _cleanup_close_ int dfd = -1;
188 sd_id128_t machine_id;
189 const char *e, *fn, *p;
190 int r;
191
192 r = sd_id128_get_machine_app_specific(credential_app_id, &machine_id);
193 if (r < 0)
194 return r;
195
196 e = secure_getenv("SYSTEMD_CREDENTIAL_SECRET");
197 if (e) {
198 if (!path_is_normalized(e))
199 return -EINVAL;
200 if (!path_is_absolute(e))
201 return -EINVAL;
202
203 r = path_extract_directory(e, &ep);
204 if (r < 0)
205 return r;
206
207 r = path_extract_filename(e, &efn);
208 if (r < 0)
209 return r;
210
211 p = ep;
212 fn = efn;
213 } else {
214 p = "/var/lib/systemd";
215 fn = "credential.secret";
216 }
217
218 mkdir_parents(p, 0755);
219 dfd = open_mkdir_at(AT_FDCWD, p, O_CLOEXEC, 0755);
220 if (dfd < 0)
221 return dfd;
222
223 if (FLAGS_SET(flags, CREDENTIAL_SECRET_FAIL_ON_TEMPORARY_FS)) {
224 r = fd_is_temporary_fs(dfd);
225 if (r < 0)
226 return r;
227 if (r > 0)
228 return -ENOMEDIUM;
229 }
230
231 for (unsigned attempt = 0;; attempt++) {
232 _cleanup_(erase_and_freep) struct credential_host_secret_format *f = NULL;
233 _cleanup_close_ int fd = -1;
234 size_t l = 0;
235 ssize_t n = 0;
236 struct stat st;
237
238 if (attempt >= 3) /* Somebody is playing games with us */
239 return -EIO;
240
241 fd = openat(dfd, fn, O_CLOEXEC|O_RDONLY|O_NOCTTY|O_NOFOLLOW);
242 if (fd < 0) {
243 if (errno != ENOENT || !FLAGS_SET(flags, CREDENTIAL_SECRET_GENERATE))
244 return -errno;
245
246 r = make_credential_host_secret(dfd, machine_id, fn, ret, ret_size);
247 if (r == -EEXIST) {
248 log_debug_errno(r, "Credential secret was created while we were creating it. Trying to read new secret.");
249 continue;
250 }
251 if (r < 0)
252 return r;
253
254 return 0;
255 }
256
257 if (fstat(fd, &st) < 0)
258 return -errno;
259
260 r = stat_verify_regular(&st);
261 if (r < 0)
262 return r;
263 if (st.st_nlink == 0) /* Deleted by now, try again */
264 continue;
265 if (st.st_nlink > 1)
266 return -EPERM; /* Our deletion check won't work if hardlinked somewhere else */
267 if ((st.st_mode & 07777) != 0400) /* Don't use file if not 0400 access mode */
268 return -EPERM;
269 if (st.st_size > 16*1024*1024)
270 return -E2BIG;
271 l = st.st_size;
272 if (l < offsetof(struct credential_host_secret_format, data) + 1)
273 return -EINVAL;
274
275 f = malloc(l+1);
276 if (!f)
277 return -ENOMEM;
278
279 n = read(fd, f, l+1);
280 if (n < 0)
281 return -errno;
282 if ((size_t) n != l) /* What? The size changed? */
283 return -EIO;
284
285 if (sd_id128_equal(machine_id, f->machine_id)) {
286 size_t sz;
287
288 if (FLAGS_SET(flags, CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED)) {
289 r = fd_is_encrypted(fd);
290 if (r < 0)
291 log_debug_errno(r, "Failed to determine if credential secret file '%s/%s' is encrypted.", p, fn);
292 else if (r == 0)
293 log_warning("Credential secret file '%s/%s' is not located on encrypted media, using anyway.", p, fn);
294 }
295
296 sz = l - offsetof(struct credential_host_secret_format, data);
297 assert(sz > 0);
298
299 if (ret) {
300 void *copy;
301
302 assert(sz <= sizeof(f->data)); /* Ensure we don't read past f->data bounds */
303
304 copy = memdup(f->data, sz);
305 if (!copy)
306 return -ENOMEM;
307
308 *ret = copy;
309 }
310
311 if (ret_size)
312 *ret_size = sz;
313
314 return 0;
315 }
316
317 /* Hmm, this secret is from somewhere else. Let's delete the file. Let's first acquire a lock
318 * to ensure we are the only ones accessing the file while we delete it. */
319
320 if (flock(fd, LOCK_EX) < 0)
321 return -errno;
322
323 /* Before we delete it check that the file is still linked into the file system */
324 if (fstat(fd, &st) < 0)
325 return -errno;
326 if (st.st_nlink == 0) /* Already deleted by now? */
327 continue;
328 if (st.st_nlink != 1) /* Safety check, someone is playing games with us */
329 return -EPERM;
330
331 if (unlinkat(dfd, fn, 0) < 0)
332 return -errno;
333
334 /* And now try again */
335 }
336 }
337
338 /* Construction is like this:
339 *
340 * A symmetric encryption key is derived from:
341 *
342 * 1. Either the "host" key (a key stored in /var/lib/credential.secret)
343 *
344 * 2. A key generated by letting the TPM2 calculate an HMAC hash of some nonce we pass to it, keyed
345 * by a key derived from its internal seed key.
346 *
347 * 3. The concatenation of the above.
348 *
349 * The above is hashed with SHA256 which is then used as encryption key for AES256-GCM. The encrypted
350 * credential is a short (unencrypted) header describing which of the three keys to use, the IV to use for
351 * AES256-GCM and some more meta information (sizes of certain objects) that is strictly speaking redundant,
352 * but kinda nice to have since we can have a more generic parser. If the TPM2 key is used this is followed
353 * by another (unencrypted) header, with information about the TPM2 policy used (specifically: the PCR mask
354 * to bind against, and a hash of the resulting policy — the latter being redundant, but speeding up things a
355 * bit, since we can more quickly refuse PCR state), followed by a sealed/exported TPM2 HMAC key. This is
356 * then followed by the encrypted data, which begins with a metadata header (which contains validity
357 * timestamps as well as the credential name), followed by the actual credential payload. The file ends in
358 * the AES256-GCM tag. To make things simple, the AES256-GCM AAD covers the main and the TPM2 header in
359 * full. This means the whole file is either protected by AAD, or is ciphertext, or is the tag. No
360 * unprotected data is included.
361 */
362
363 struct _packed_ encrypted_credential_header {
364 sd_id128_t id;
365 le32_t key_size;
366 le32_t block_size;
367 le32_t iv_size;
368 le32_t tag_size;
369 uint8_t iv[];
370 /* Followed by NUL bytes until next 8 byte boundary */
371 };
372
373 struct _packed_ tpm2_credential_header {
374 le64_t pcr_mask; /* Note that the spec for PC Clients only mandates 24 PCRs, and that's what systems
375 * generally have. But keep the door open for more. */
376 le16_t pcr_bank; /* For now, either TPM2_ALG_SHA256 or TPM2_ALG_SHA1 */
377 le16_t primary_alg; /* Primary key algorithm (either TPM2_ALG_RSA or TPM2_ALG_ECC for now) */
378 le32_t blob_size;
379 le32_t policy_hash_size;
380 uint8_t policy_hash_and_blob[];
381 /* Followed by NUL bytes until next 8 byte boundary */
382 };
383
384 struct _packed_ metadata_credential_header {
385 le64_t timestamp;
386 le64_t not_after;
387 le32_t name_size;
388 char name[];
389 /* Followed by NUL bytes until next 8 byte boundary */
390 };
391
392 /* Some generic limit for parts of the encrypted credential for which we don't know the right size ahead of
393 * time, but where we are really sure it won't be larger than this. Should be larger than any possible IV,
394 * padding, tag size and so on. This is purely used for early filtering out of invalid sizes. */
395 #define CREDENTIAL_FIELD_SIZE_MAX (16U*1024U)
396
397 static int sha256_hash_host_and_tpm2_key(
398 const void *host_key,
399 size_t host_key_size,
400 const void *tpm2_key,
401 size_t tpm2_key_size,
402 uint8_t ret[static SHA256_DIGEST_LENGTH]) {
403
404 _cleanup_(EVP_MD_CTX_freep) EVP_MD_CTX *md = NULL;
405 unsigned l;
406
407 assert(host_key_size == 0 || host_key);
408 assert(tpm2_key_size == 0 || tpm2_key);
409 assert(ret);
410
411 /* Combines the host key and the TPM2 HMAC hash into a SHA256 hash value we'll use as symmetric encryption key. */
412
413 md = EVP_MD_CTX_new();
414 if (!md)
415 return log_oom();
416
417 if (EVP_DigestInit_ex(md, EVP_sha256(), NULL) != 1)
418 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initial SHA256 context.");
419
420 if (host_key && EVP_DigestUpdate(md, host_key, host_key_size) != 1)
421 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to hash host key.");
422
423 if (tpm2_key && EVP_DigestUpdate(md, tpm2_key, tpm2_key_size) != 1)
424 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to hash TPM2 key.");
425
426 assert(EVP_MD_CTX_size(md) == SHA256_DIGEST_LENGTH);
427
428 if (EVP_DigestFinal_ex(md, ret, &l) != 1)
429 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to finalize SHA256 hash.");
430
431 assert(l == SHA256_DIGEST_LENGTH);
432 return 0;
433 }
434
435 int encrypt_credential_and_warn(
436 sd_id128_t with_key,
437 const char *name,
438 usec_t timestamp,
439 usec_t not_after,
440 const char *tpm2_device,
441 uint32_t tpm2_pcr_mask,
442 const void *input,
443 size_t input_size,
444 void **ret,
445 size_t *ret_size) {
446
447 _cleanup_(EVP_CIPHER_CTX_freep) EVP_CIPHER_CTX *context = NULL;
448 _cleanup_(erase_and_freep) void *host_key = NULL, *tpm2_key = NULL;
449 size_t host_key_size = 0, tpm2_key_size = 0, tpm2_blob_size = 0, tpm2_policy_hash_size = 0, output_size, p, ml;
450 _cleanup_free_ void *tpm2_blob = NULL, *tpm2_policy_hash = NULL, *iv = NULL, *output = NULL;
451 _cleanup_free_ struct metadata_credential_header *m = NULL;
452 uint16_t tpm2_pcr_bank = 0, tpm2_primary_alg = 0;
453 struct encrypted_credential_header *h;
454 int ksz, bsz, ivsz, tsz, added, r;
455 uint8_t md[SHA256_DIGEST_LENGTH];
456 const EVP_CIPHER *cc;
457 #if HAVE_TPM2
458 bool try_tpm2 = false;
459 #endif
460 sd_id128_t id;
461
462 assert(input || input_size == 0);
463 assert(ret);
464 assert(ret_size);
465
466 if (name && !credential_name_valid(name))
467 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid credential name: %s", name);
468
469 if (not_after != USEC_INFINITY && timestamp != USEC_INFINITY && not_after < timestamp)
470 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential is invalidated before it is valid (" USEC_FMT " < " USEC_FMT ").", not_after, timestamp);
471
472 if (DEBUG_LOGGING) {
473 char buf[FORMAT_TIMESTAMP_MAX];
474
475 if (name)
476 log_debug("Including credential name '%s' in encrypted credential.", name);
477 if (timestamp != USEC_INFINITY)
478 log_debug("Including timestamp '%s' in encrypted credential.", format_timestamp(buf, sizeof(buf), timestamp));
479 if (not_after != USEC_INFINITY)
480 log_debug("Including not-after timestamp '%s' in encrypted credential.", format_timestamp(buf, sizeof(buf), not_after));
481 }
482
483 if (sd_id128_is_null(with_key) ||
484 sd_id128_in_set(with_key, CRED_AES256_GCM_BY_HOST, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC)) {
485
486 r = get_credential_host_secret(
487 CREDENTIAL_SECRET_GENERATE|
488 CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED|
489 (sd_id128_is_null(with_key) ? CREDENTIAL_SECRET_FAIL_ON_TEMPORARY_FS : 0),
490 &host_key,
491 &host_key_size);
492 if (r == -ENOMEDIUM && sd_id128_is_null(with_key))
493 log_debug_errno(r, "Credential host secret location on temporary file system, not using.");
494 else if (r < 0)
495 return log_error_errno(r, "Failed to determine local credential host secret: %m");
496 }
497
498 #if HAVE_TPM2
499 if (sd_id128_is_null(with_key)) {
500 /* If automatic mode is selected and we are running in a container, let's not try TPM2. OTOH
501 * if user picks TPM2 explicitly, let's always honour the request and try. */
502
503 r = detect_container();
504 if (r < 0)
505 log_debug_errno(r, "Failed to determine whether we are running in a container, ignoring: %m");
506 else if (r > 0)
507 log_debug("Running in container, not attempting to use TPM2.");
508
509 try_tpm2 = r <= 0;
510 }
511
512 if (try_tpm2 ||
513 sd_id128_in_set(with_key, CRED_AES256_GCM_BY_TPM2_HMAC, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC)) {
514
515 r = tpm2_seal(tpm2_device,
516 tpm2_pcr_mask,
517 &tpm2_key,
518 &tpm2_key_size,
519 &tpm2_blob,
520 &tpm2_blob_size,
521 &tpm2_policy_hash,
522 &tpm2_policy_hash_size,
523 &tpm2_pcr_bank,
524 &tpm2_primary_alg);
525 if (r < 0) {
526 if (!sd_id128_is_null(with_key))
527 return r;
528
529 log_debug_errno(r, "TPM2 sealing didn't work, not using: %m");
530 }
531
532 assert(tpm2_blob_size <= CREDENTIAL_FIELD_SIZE_MAX);
533 assert(tpm2_policy_hash_size <= CREDENTIAL_FIELD_SIZE_MAX);
534 }
535 #endif
536
537 if (sd_id128_is_null(with_key)) {
538 /* Let's settle the key type in auto mode now. */
539
540 if (host_key && tpm2_key)
541 id = CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC;
542 else if (tpm2_key)
543 id = CRED_AES256_GCM_BY_TPM2_HMAC;
544 else if (host_key)
545 id = CRED_AES256_GCM_BY_HOST;
546 else
547 return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
548 "TPM2 not available and host key located on temporary file system, no encryption key available.");
549 } else
550 id = with_key;
551
552 /* Let's now take the host key and the TPM2 key and hash it together, to use as encryption key for the data */
553 r = sha256_hash_host_and_tpm2_key(host_key, host_key_size, tpm2_key, tpm2_key_size, md);
554 if (r < 0)
555 return r;
556
557 assert_se(cc = EVP_aes_256_gcm());
558
559 ksz = EVP_CIPHER_key_length(cc);
560 assert(ksz == sizeof(md));
561
562 bsz = EVP_CIPHER_block_size(cc);
563 assert(bsz > 0);
564 assert((size_t) bsz <= CREDENTIAL_FIELD_SIZE_MAX);
565
566 ivsz = EVP_CIPHER_iv_length(cc);
567 if (ivsz > 0) {
568 assert((size_t) ivsz <= CREDENTIAL_FIELD_SIZE_MAX);
569
570 iv = malloc(ivsz);
571 if (!iv)
572 return log_oom();
573
574 r = genuine_random_bytes(iv, ivsz, RANDOM_BLOCK);
575 if (r < 0)
576 return log_error_errno(r, "Failed to acquired randomized IV: %m");
577 }
578
579 tsz = 16; /* FIXME: On OpenSSL 3 there is EVP_CIPHER_CTX_get_tag_length(), until then let's hardcode this */
580
581 context = EVP_CIPHER_CTX_new();
582 if (!context)
583 return log_error_errno(SYNTHETIC_ERRNO(ENOMEM), "Failed to allocate encryption object: %s",
584 ERR_error_string(ERR_get_error(), NULL));
585
586 if (EVP_EncryptInit_ex(context, cc, NULL, md, iv) != 1)
587 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initialize encryption context: %s",
588 ERR_error_string(ERR_get_error(), NULL));
589
590 /* Just an upper estimate */
591 output_size =
592 ALIGN8(offsetof(struct encrypted_credential_header, iv) + ivsz) +
593 ALIGN8(tpm2_key ? offsetof(struct tpm2_credential_header, policy_hash_and_blob) + tpm2_blob_size + tpm2_policy_hash_size : 0) +
594 ALIGN8(offsetof(struct metadata_credential_header, name) + strlen_ptr(name)) +
595 input_size + 2U * (size_t) bsz +
596 tsz;
597
598 output = malloc0(output_size);
599 if (!output)
600 return log_oom();
601
602 h = (struct encrypted_credential_header*) output;
603 h->id = id;
604 h->block_size = htole32(bsz);
605 h->key_size = htole32(ksz);
606 h->tag_size = htole32(tsz);
607 h->iv_size = htole32(ivsz);
608 memcpy(h->iv, iv, ivsz);
609
610 p = ALIGN8(offsetof(struct encrypted_credential_header, iv) + ivsz);
611
612 if (tpm2_key) {
613 struct tpm2_credential_header *t;
614
615 t = (struct tpm2_credential_header*) ((uint8_t*) output + p);
616 t->pcr_mask = htole64(tpm2_pcr_mask);
617 t->pcr_bank = htole16(tpm2_pcr_bank);
618 t->primary_alg = htole16(tpm2_primary_alg);
619 t->blob_size = htole32(tpm2_blob_size);
620 t->policy_hash_size = htole32(tpm2_policy_hash_size);
621 memcpy(t->policy_hash_and_blob, tpm2_blob, tpm2_blob_size);
622 memcpy(t->policy_hash_and_blob + tpm2_blob_size, tpm2_policy_hash, tpm2_policy_hash_size);
623
624 p += ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + tpm2_blob_size + tpm2_policy_hash_size);
625 }
626
627 /* Pass the encrypted + TPM2 header as AAD */
628 if (EVP_EncryptUpdate(context, NULL, &added, output, p) != 1)
629 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to write AAD data: %s",
630 ERR_error_string(ERR_get_error(), NULL));
631
632 /* Now construct the metadata header */
633 ml = strlen_ptr(name);
634 m = malloc0(ALIGN8(offsetof(struct metadata_credential_header, name) + ml));
635 if (!m)
636 return log_oom();
637
638 m->timestamp = htole64(timestamp);
639 m->not_after = htole64(not_after);
640 m->name_size = htole32(ml);
641 memcpy_safe(m->name, name, ml);
642
643 /* And encrypt the metadata header */
644 if (EVP_EncryptUpdate(context, (uint8_t*) output + p, &added, (const unsigned char*) m, ALIGN8(offsetof(struct metadata_credential_header, name) + ml)) != 1)
645 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to encrypt metadata header: %s",
646 ERR_error_string(ERR_get_error(), NULL));
647
648 assert(added >= 0);
649 assert((size_t) added <= output_size - p);
650 p += added;
651
652 /* Then encrypt the plaintext */
653 if (EVP_EncryptUpdate(context, (uint8_t*) output + p, &added, input, input_size) != 1)
654 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to encrypt data: %s",
655 ERR_error_string(ERR_get_error(), NULL));
656
657 assert(added >= 0);
658 assert((size_t) added <= output_size - p);
659 p += added;
660
661 /* Finalize */
662 if (EVP_EncryptFinal_ex(context, (uint8_t*) output + p, &added) != 1)
663 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to finalize data encryption: %s",
664 ERR_error_string(ERR_get_error(), NULL));
665
666 assert(added >= 0);
667 assert((size_t) added <= output_size - p);
668 p += added;
669
670 assert(p <= output_size - tsz);
671
672 /* Append tag */
673 if (EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_GCM_GET_TAG, tsz, (uint8_t*) output + p) != 1)
674 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to get tag: %s",
675 ERR_error_string(ERR_get_error(), NULL));
676
677 p += tsz;
678 assert(p <= output_size);
679
680 if (DEBUG_LOGGING && input_size > 0) {
681 size_t base64_size;
682
683 base64_size = DIV_ROUND_UP(p * 4, 3); /* Include base64 size increase in debug output */
684 assert(base64_size >= input_size);
685 log_debug("Input of %zu bytes grew to output of %zu bytes (+%2zu%%).", input_size, base64_size, base64_size * 100 / input_size - 100);
686 }
687
688 *ret = TAKE_PTR(output);
689 *ret_size = p;
690
691 return 0;
692 }
693
694 int decrypt_credential_and_warn(
695 const char *validate_name,
696 usec_t validate_timestamp,
697 const char *tpm2_device,
698 const void *input,
699 size_t input_size,
700 void **ret,
701 size_t *ret_size) {
702
703 _cleanup_(erase_and_freep) void *host_key = NULL, *tpm2_key = NULL, *plaintext = NULL;
704 _cleanup_(EVP_CIPHER_CTX_freep) EVP_CIPHER_CTX *context = NULL;
705 size_t host_key_size = 0, tpm2_key_size = 0, plaintext_size, p, hs;
706 struct encrypted_credential_header *h;
707 struct metadata_credential_header *m;
708 uint8_t md[SHA256_DIGEST_LENGTH];
709 bool with_tpm2, with_host_key;
710 const EVP_CIPHER *cc;
711 int r, added;
712
713 assert(input || input_size == 0);
714 assert(ret);
715 assert(ret_size);
716
717 h = (struct encrypted_credential_header*) input;
718
719 /* The ID must fit in, for the current and all future formats */
720 if (input_size < sizeof(h->id))
721 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
722
723 with_host_key = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_HOST, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC);
724 with_tpm2 = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_TPM2_HMAC, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC);
725
726 if (!with_host_key && !with_tpm2)
727 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Unknown encryption format, or corrupted data: %m");
728
729 /* Now we know the minimum header size */
730 if (input_size < offsetof(struct encrypted_credential_header, iv))
731 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
732
733 /* Verify some basic header values */
734 if (le32toh(h->key_size) != sizeof(md))
735 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected key size in header.");
736 if (le32toh(h->block_size) <= 0 || le32toh(h->block_size) > CREDENTIAL_FIELD_SIZE_MAX)
737 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected block size in header.");
738 if (le32toh(h->iv_size) > CREDENTIAL_FIELD_SIZE_MAX)
739 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "IV size too large.");
740 if (le32toh(h->tag_size) != 16) /* FIXME: On OpenSSL 3, let's verify via EVP_CIPHER_CTX_get_tag_length() */
741 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected tag size in header.");
742
743 /* Ensure we have space for the full header now (we don't know the size of the name hence this is a
744 * lower limit only) */
745 if (input_size <
746 ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size)) +
747 ALIGN8((with_tpm2 ? offsetof(struct tpm2_credential_header, policy_hash_and_blob) : 0)) +
748 ALIGN8(offsetof(struct metadata_credential_header, name)) +
749 le32toh(h->tag_size))
750 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
751
752 p = ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size));
753
754 if (with_tpm2) {
755 #if HAVE_TPM2
756 struct tpm2_credential_header* t = (struct tpm2_credential_header*) ((uint8_t*) input + p);
757
758 if (le64toh(t->pcr_mask) >= (UINT64_C(1) << TPM2_PCRS_MAX))
759 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR mask out of range.");
760 if (!tpm2_pcr_bank_to_string(le16toh(t->pcr_bank)))
761 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR bank invalid or not supported");
762 if (!tpm2_primary_alg_to_string(le16toh(t->primary_alg)))
763 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 primary key algorithm invalid or not supported.");
764 if (le32toh(t->blob_size) > CREDENTIAL_FIELD_SIZE_MAX)
765 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected TPM2 blob size.");
766 if (le32toh(t->policy_hash_size) > CREDENTIAL_FIELD_SIZE_MAX)
767 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected TPM2 policy hash size.");
768
769 /* Ensure we have space for the full TPM2 header now (still don't know the name, and its size
770 * though, hence still just a lower limit test only) */
771 if (input_size <
772 ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size)) +
773 ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + le32toh(t->blob_size) + le32toh(t->policy_hash_size)) +
774 ALIGN8(offsetof(struct metadata_credential_header, name)) +
775 le32toh(h->tag_size))
776 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
777
778 r = tpm2_unseal(tpm2_device,
779 le64toh(t->pcr_mask),
780 le16toh(t->pcr_bank),
781 le16toh(t->primary_alg),
782 t->policy_hash_and_blob,
783 le32toh(t->blob_size),
784 t->policy_hash_and_blob + le32toh(t->blob_size),
785 le32toh(t->policy_hash_size),
786 &tpm2_key,
787 &tpm2_key_size);
788 if (r < 0)
789 return r;
790
791 p += ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) +
792 le32toh(t->blob_size) +
793 le32toh(t->policy_hash_size));
794 #else
795 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Credential requires TPM2 support, but TPM2 support not available.");
796 #endif
797 }
798
799 if (with_host_key) {
800 r = get_credential_host_secret(
801 0,
802 &host_key,
803 &host_key_size);
804 if (r < 0)
805 return log_error_errno(r, "Failed to determine local credential key: %m");
806 }
807
808 sha256_hash_host_and_tpm2_key(host_key, host_key_size, tpm2_key, tpm2_key_size, md);
809
810 assert_se(cc = EVP_aes_256_gcm());
811
812 /* Make sure cipher expectations match the header */
813 if (EVP_CIPHER_key_length(cc) != (int) le32toh(h->key_size))
814 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected key size in header.");
815 if (EVP_CIPHER_block_size(cc) != (int) le32toh(h->block_size))
816 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected block size in header.");
817
818 context = EVP_CIPHER_CTX_new();
819 if (!context)
820 return log_error_errno(SYNTHETIC_ERRNO(ENOMEM), "Failed to allocate decryption object: %s",
821 ERR_error_string(ERR_get_error(), NULL));
822
823 if (EVP_DecryptInit_ex(context, cc, NULL, NULL, NULL) != 1)
824 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initialize decryption context: %s",
825 ERR_error_string(ERR_get_error(), NULL));
826
827 if (EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_GCM_SET_IVLEN, le32toh(h->iv_size), NULL) != 1)
828 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set IV size on decryption context: %s",
829 ERR_error_string(ERR_get_error(), NULL));
830
831 if (EVP_DecryptInit_ex(context, NULL, NULL, md, h->iv) != 1)
832 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set IV and key: %s",
833 ERR_error_string(ERR_get_error(), NULL));
834
835 if (EVP_DecryptUpdate(context, NULL, &added, input, p) != 1)
836 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to write AAD data: %s",
837 ERR_error_string(ERR_get_error(), NULL));
838
839 plaintext = malloc(input_size - p - le32toh(h->tag_size));
840 if (!plaintext)
841 return -ENOMEM;
842
843 if (EVP_DecryptUpdate(
844 context,
845 plaintext,
846 &added,
847 (uint8_t*) input + p,
848 input_size - p - le32toh(h->tag_size)) != 1)
849 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to decrypt data: %s",
850 ERR_error_string(ERR_get_error(), NULL));
851
852 assert(added >= 0);
853 assert((size_t) added <= input_size - p - le32toh(h->tag_size));
854 plaintext_size = added;
855
856 if (EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_GCM_SET_TAG, le32toh(h->tag_size), (uint8_t*) input + input_size - le32toh(h->tag_size)) != 1)
857 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set tag: %s",
858 ERR_error_string(ERR_get_error(), NULL));
859
860 if (EVP_DecryptFinal_ex(context, (uint8_t*) plaintext + plaintext_size, &added) != 1)
861 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Decryption failed (incorrect key?): %s",
862 ERR_error_string(ERR_get_error(), NULL));
863
864 plaintext_size += added;
865
866 if (plaintext_size < ALIGN8(offsetof(struct metadata_credential_header, name)))
867 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Metadata header incomplete.");
868
869 m = plaintext;
870
871 if (le64toh(m->timestamp) != USEC_INFINITY &&
872 le64toh(m->not_after) != USEC_INFINITY &&
873 le64toh(m->timestamp) >= le64toh(m->not_after))
874 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Timestamps of credential are not in order, refusing.");
875
876 if (le32toh(m->name_size) > CREDENTIAL_NAME_MAX)
877 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Embedded credential name too long, refusing.");
878
879 hs = ALIGN8(offsetof(struct metadata_credential_header, name) + le32toh(m->name_size));
880 if (plaintext_size < hs)
881 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Metadata header incomplete.");
882
883 if (le32toh(m->name_size) > 0) {
884 _cleanup_free_ char *embedded_name = NULL;
885
886 if (memchr(m->name, 0, le32toh(m->name_size)))
887 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Embedded credential name contains NUL byte, refusing.");
888
889 embedded_name = memdup_suffix0(m->name, le32toh(m->name_size));
890 if (!embedded_name)
891 return log_oom();
892
893 if (!credential_name_valid(embedded_name))
894 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Embedded credential name is not valid, refusing.");
895
896 if (validate_name && !streq(embedded_name, validate_name)) {
897
898 r = getenv_bool_secure("SYSTEMD_CREDENTIAL_VALIDATE_NAME");
899 if (r < 0 && r != -ENXIO)
900 log_debug_errno(r, "Failed to parse $SYSTEMD_CREDENTIAL_VALIDATE_NAME: %m");
901 if (r != 0)
902 return log_error_errno(SYNTHETIC_ERRNO(EREMOTE), "Embedded credential name '%s' does not match filename '%s', refusing.", embedded_name, validate_name);
903
904 log_debug("Embedded credential name '%s' does not match expected name '%s', but configured to use credential anyway.", embedded_name, validate_name);
905 }
906 }
907
908 if (validate_timestamp != USEC_INFINITY) {
909 if (le64toh(m->timestamp) != USEC_INFINITY && le64toh(m->timestamp) > validate_timestamp)
910 log_debug("Credential timestamp is from the future, assuming clock skew.");
911
912 if (le64toh(m->not_after) != USEC_INFINITY && le64toh(m->not_after) < validate_timestamp) {
913
914 r = getenv_bool_secure("SYSTEMD_CREDENTIAL_VALIDATE_NOT_AFTER");
915 if (r < 0 && r != -ENXIO)
916 log_debug_errno(r, "Failed to parse $SYSTEMD_CREDENTIAL_VALIDATE_NOT_AFTER: %m");
917 if (r != 0)
918 return log_error_errno(SYNTHETIC_ERRNO(ESTALE), "Credential's time passed, refusing to use.");
919
920 log_debug("Credential not-after timestamp has passed, but configured to use credential anyway.");
921 }
922 }
923
924 if (ret) {
925 char *without_metadata;
926
927 without_metadata = memdup((uint8_t*) plaintext + hs, plaintext_size - hs);
928 if (!without_metadata)
929 return log_oom();
930
931 *ret = without_metadata;
932 }
933
934 if (ret_size)
935 *ret_size = plaintext_size - hs;
936
937 return 0;
938 }
939
940 #else
941
942 int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *ret_size) {
943 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available.");
944 }
945
946 int encrypt_credential_and_warn(sd_id128_t with_key, const char *name, usec_t timestamp, usec_t not_after, const char *tpm2_device, uint32_t tpm2_pcr_mask, const void *input, size_t input_size, void **ret, size_t *ret_size) {
947 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available.");
948 }
949
950 int decrypt_credential_and_warn(const char *validate_name, usec_t validate_timestamp, const char *tpm2_device, const void *input, size_t input_size, void **ret, size_t *ret_size) {
951 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available.");
952 }
953
954 #endif
Unnamed repository; edit this file 'description' to name the repository.