1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
6 #include <openssl/err.h>
11 #include "blockdev-util.h"
12 #include "chattr-util.h"
13 #include "creds-util.h"
19 #include "memory-util.h"
21 #include "openssl-util.h"
22 #include "path-util.h"
23 #include "random-util.h"
24 #include "sparse-endian.h"
25 #include "stat-util.h"
26 #include "tpm2-util.h"
29 bool credential_name_valid(const char *s
) {
30 /* We want that credential names are both valid in filenames (since that's our primary way to pass
31 * them around) and as fdnames (which is how we might want to pass them around eventually) */
32 return filename_is_valid(s
) && fdname_is_valid(s
);
35 int get_credentials_dir(const char **ret
) {
40 e
= secure_getenv("CREDENTIALS_DIRECTORY");
44 if (!path_is_absolute(e
) || !path_is_normalized(e
))
51 int read_credential(const char *name
, void **ret
, size_t *ret_size
) {
52 _cleanup_free_
char *fn
= NULL
;
58 if (!credential_name_valid(name
))
61 r
= get_credentials_dir(&d
);
65 fn
= path_join(d
, name
);
69 return read_full_file_full(
72 READ_FULL_FILE_SECURE
,
74 (char**) ret
, ret_size
);
79 #define CREDENTIAL_HOST_SECRET_SIZE 4096
81 static const sd_id128_t credential_app_id
=
82 SD_ID128_MAKE(d3
,ac
,ec
,ba
,0d
,ad
,4c
,df
,b8
,c9
,38,15,28,93,6c
,58);
84 struct credential_host_secret_format
{
85 /* The hashed machine ID of the machine this belongs to. Why? We want to ensure that each machine
86 * gets its own secret, even if people forget to flush out this secret file. Hence we bind it to the
87 * machine ID, for which there's hopefully a better chance it will be flushed out. We use a hashed
88 * machine ID instead of the literal one, because it's trivial to, and it might be a good idea not
89 * being able to directly associate a secret key file with a host. */
90 sd_id128_t machine_id
;
92 /* The actual secret key */
93 uint8_t data
[CREDENTIAL_HOST_SECRET_SIZE
];
96 static int make_credential_host_secret(
98 const sd_id128_t machine_id
,
103 struct credential_host_secret_format buf
;
104 _cleanup_free_
char *t
= NULL
;
105 _cleanup_close_
int fd
= -1;
111 fd
= openat(dfd
, ".", O_CLOEXEC
|O_WRONLY
|O_TMPFILE
, 0400);
113 log_debug_errno(errno
, "Failed to create temporary credential file with O_TMPFILE, proceeding without: %m");
115 if (asprintf(&t
, "credential.secret.%016" PRIx64
, random_u64()) < 0)
118 fd
= openat(dfd
, t
, O_CLOEXEC
|O_WRONLY
|O_CREAT
|O_EXCL
|O_NOFOLLOW
, 0400);
123 r
= chattr_secret(fd
, 0);
125 log_debug_errno(r
, "Failed to set file attributes for secrets file, ignoring: %m");
127 buf
= (struct credential_host_secret_format
) {
128 .machine_id
= machine_id
,
131 r
= genuine_random_bytes(buf
.data
, sizeof(buf
.data
), RANDOM_BLOCK
);
135 r
= loop_write(fd
, &buf
, sizeof(buf
), false);
145 r
= rename_noreplace(dfd
, t
, dfd
, fn
);
150 } else if (linkat(fd
, "", dfd
, fn
, AT_EMPTY_PATH
) < 0) {
155 if (fsync(dfd
) < 0) {
163 copy
= memdup(buf
.data
, sizeof(buf
.data
));
173 *ret_size
= sizeof(buf
.data
);
178 if (t
&& unlinkat(dfd
, t
, 0) < 0)
179 log_debug_errno(errno
, "Failed to remove temporary credential key: %m");
181 explicit_bzero_safe(&buf
, sizeof(buf
));
185 int get_credential_host_secret(CredentialSecretFlags flags
, void **ret
, size_t *ret_size
) {
186 _cleanup_free_
char *efn
= NULL
, *ep
= NULL
;
187 _cleanup_close_
int dfd
= -1;
188 sd_id128_t machine_id
;
189 const char *e
, *fn
, *p
;
192 r
= sd_id128_get_machine_app_specific(credential_app_id
, &machine_id
);
196 e
= secure_getenv("SYSTEMD_CREDENTIAL_SECRET");
198 if (!path_is_normalized(e
))
200 if (!path_is_absolute(e
))
203 r
= path_extract_directory(e
, &ep
);
207 r
= path_extract_filename(e
, &efn
);
214 p
= "/var/lib/systemd";
215 fn
= "credential.secret";
218 mkdir_parents(p
, 0755);
219 dfd
= open_mkdir_at(AT_FDCWD
, p
, O_CLOEXEC
, 0755);
223 if (FLAGS_SET(flags
, CREDENTIAL_SECRET_FAIL_ON_TEMPORARY_FS
)) {
224 r
= fd_is_temporary_fs(dfd
);
231 for (unsigned attempt
= 0;; attempt
++) {
232 _cleanup_(erase_and_freep
) struct credential_host_secret_format
*f
= NULL
;
233 _cleanup_close_
int fd
= -1;
238 if (attempt
>= 3) /* Somebody is playing games with us */
241 fd
= openat(dfd
, fn
, O_CLOEXEC
|O_RDONLY
|O_NOCTTY
|O_NOFOLLOW
);
243 if (errno
!= ENOENT
|| !FLAGS_SET(flags
, CREDENTIAL_SECRET_GENERATE
))
246 r
= make_credential_host_secret(dfd
, machine_id
, fn
, ret
, ret_size
);
248 log_debug_errno(r
, "Credential secret was created while we were creating it. Trying to read new secret.");
257 if (fstat(fd
, &st
) < 0)
260 r
= stat_verify_regular(&st
);
263 if (st
.st_nlink
== 0) /* Deleted by now, try again */
266 return -EPERM
; /* Our deletion check won't work if hardlinked somewhere else */
267 if ((st
.st_mode
& 07777) != 0400) /* Don't use file if not 0400 access mode */
269 if (st
.st_size
> 16*1024*1024)
272 if (l
< offsetof(struct credential_host_secret_format
, data
) + 1)
279 n
= read(fd
, f
, l
+1);
282 if ((size_t) n
!= l
) /* What? The size changed? */
285 if (sd_id128_equal(machine_id
, f
->machine_id
)) {
288 if (FLAGS_SET(flags
, CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED
)) {
289 r
= fd_is_encrypted(fd
);
291 log_debug_errno(r
, "Failed to determine if credential secret file '%s/%s' is encrypted.", p
, fn
);
293 log_warning("Credential secret file '%s/%s' is not located on encrypted media, using anyway.", p
, fn
);
296 sz
= l
- offsetof(struct credential_host_secret_format
, data
);
302 assert(sz
<= sizeof(f
->data
)); /* Ensure we don't read past f->data bounds */
304 copy
= memdup(f
->data
, sz
);
317 /* Hmm, this secret is from somewhere else. Let's delete the file. Let's first acquire a lock
318 * to ensure we are the only ones accessing the file while we delete it. */
320 if (flock(fd
, LOCK_EX
) < 0)
323 /* Before we delete it check that the file is still linked into the file system */
324 if (fstat(fd
, &st
) < 0)
326 if (st
.st_nlink
== 0) /* Already deleted by now? */
328 if (st
.st_nlink
!= 1) /* Safety check, someone is playing games with us */
331 if (unlinkat(dfd
, fn
, 0) < 0)
334 /* And now try again */
338 /* Construction is like this:
340 * A symmetric encryption key is derived from:
342 * 1. Either the "host" key (a key stored in /var/lib/credential.secret)
344 * 2. A key generated by letting the TPM2 calculate an HMAC hash of some nonce we pass to it, keyed
345 * by a key derived from its internal seed key.
347 * 3. The concatenation of the above.
349 * The above is hashed with SHA256 which is then used as encryption key for AES256-GCM. The encrypted
350 * credential is a short (unencrypted) header describing which of the three keys to use, the IV to use for
351 * AES256-GCM and some more meta information (sizes of certain objects) that is strictly speaking redundant,
352 * but kinda nice to have since we can have a more generic parser. If the TPM2 key is used this is followed
353 * by another (unencrypted) header, with information about the TPM2 policy used (specifically: the PCR mask
354 * to bind against, and a hash of the resulting policy — the latter being redundant, but speeding up things a
355 * bit, since we can more quickly refuse PCR state), followed by a sealed/exported TPM2 HMAC key. This is
356 * then followed by the encrypted data, which begins with a metadata header (which contains validity
357 * timestamps as well as the credential name), followed by the actual credential payload. The file ends in
358 * the AES256-GCM tag. To make things simple, the AES256-GCM AAD covers the main and the TPM2 header in
359 * full. This means the whole file is either protected by AAD, or is ciphertext, or is the tag. No
360 * unprotected data is included.
363 struct _packed_ encrypted_credential_header
{
370 /* Followed by NUL bytes until next 8 byte boundary */
373 struct _packed_ tpm2_credential_header
{
374 le64_t pcr_mask
; /* Note that the spec for PC Clients only mandates 24 PCRs, and that's what systems
375 * generally have. But keep the door open for more. */
376 le16_t pcr_bank
; /* For now, either TPM2_ALG_SHA256 or TPM2_ALG_SHA1 */
377 le16_t primary_alg
; /* Primary key algorithm (either TPM2_ALG_RSA or TPM2_ALG_ECC for now) */
379 le32_t policy_hash_size
;
380 uint8_t policy_hash_and_blob
[];
381 /* Followed by NUL bytes until next 8 byte boundary */
384 struct _packed_ metadata_credential_header
{
389 /* Followed by NUL bytes until next 8 byte boundary */
392 /* Some generic limit for parts of the encrypted credential for which we don't know the right size ahead of
393 * time, but where we are really sure it won't be larger than this. Should be larger than any possible IV,
394 * padding, tag size and so on. This is purely used for early filtering out of invalid sizes. */
395 #define CREDENTIAL_FIELD_SIZE_MAX (16U*1024U)
397 static int sha256_hash_host_and_tpm2_key(
398 const void *host_key
,
399 size_t host_key_size
,
400 const void *tpm2_key
,
401 size_t tpm2_key_size
,
402 uint8_t ret
[static SHA256_DIGEST_LENGTH
]) {
404 _cleanup_(EVP_MD_CTX_freep
) EVP_MD_CTX
*md
= NULL
;
407 assert(host_key_size
== 0 || host_key
);
408 assert(tpm2_key_size
== 0 || tpm2_key
);
411 /* Combines the host key and the TPM2 HMAC hash into a SHA256 hash value we'll use as symmetric encryption key. */
413 md
= EVP_MD_CTX_new();
417 if (EVP_DigestInit_ex(md
, EVP_sha256(), NULL
) != 1)
418 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to initial SHA256 context.");
420 if (host_key
&& EVP_DigestUpdate(md
, host_key
, host_key_size
) != 1)
421 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to hash host key.");
423 if (tpm2_key
&& EVP_DigestUpdate(md
, tpm2_key
, tpm2_key_size
) != 1)
424 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to hash TPM2 key.");
426 assert(EVP_MD_CTX_size(md
) == SHA256_DIGEST_LENGTH
);
428 if (EVP_DigestFinal_ex(md
, ret
, &l
) != 1)
429 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to finalize SHA256 hash.");
431 assert(l
== SHA256_DIGEST_LENGTH
);
435 int encrypt_credential_and_warn(
440 const char *tpm2_device
,
441 uint32_t tpm2_pcr_mask
,
447 _cleanup_(EVP_CIPHER_CTX_freep
) EVP_CIPHER_CTX
*context
= NULL
;
448 _cleanup_(erase_and_freep
) void *host_key
= NULL
, *tpm2_key
= NULL
;
449 size_t host_key_size
= 0, tpm2_key_size
= 0, tpm2_blob_size
= 0, tpm2_policy_hash_size
= 0, output_size
, p
, ml
;
450 _cleanup_free_
void *tpm2_blob
= NULL
, *tpm2_policy_hash
= NULL
, *iv
= NULL
, *output
= NULL
;
451 _cleanup_free_
struct metadata_credential_header
*m
= NULL
;
452 uint16_t tpm2_pcr_bank
= 0, tpm2_primary_alg
= 0;
453 struct encrypted_credential_header
*h
;
454 int ksz
, bsz
, ivsz
, tsz
, added
, r
;
455 uint8_t md
[SHA256_DIGEST_LENGTH
];
456 const EVP_CIPHER
*cc
;
458 bool try_tpm2
= false;
462 assert(input
|| input_size
== 0);
466 if (name
&& !credential_name_valid(name
))
467 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Invalid credential name: %s", name
);
469 if (not_after
!= USEC_INFINITY
&& timestamp
!= USEC_INFINITY
&& not_after
< timestamp
)
470 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Credential is invalidated before it is valid (" USEC_FMT
" < " USEC_FMT
").", not_after
, timestamp
);
473 char buf
[FORMAT_TIMESTAMP_MAX
];
476 log_debug("Including credential name '%s' in encrypted credential.", name
);
477 if (timestamp
!= USEC_INFINITY
)
478 log_debug("Including timestamp '%s' in encrypted credential.", format_timestamp(buf
, sizeof(buf
), timestamp
));
479 if (not_after
!= USEC_INFINITY
)
480 log_debug("Including not-after timestamp '%s' in encrypted credential.", format_timestamp(buf
, sizeof(buf
), not_after
));
483 if (sd_id128_is_null(with_key
) ||
484 sd_id128_in_set(with_key
, CRED_AES256_GCM_BY_HOST
, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC
)) {
486 r
= get_credential_host_secret(
487 CREDENTIAL_SECRET_GENERATE
|
488 CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED
|
489 (sd_id128_is_null(with_key
) ? CREDENTIAL_SECRET_FAIL_ON_TEMPORARY_FS
: 0),
492 if (r
== -ENOMEDIUM
&& sd_id128_is_null(with_key
))
493 log_debug_errno(r
, "Credential host secret location on temporary file system, not using.");
495 return log_error_errno(r
, "Failed to determine local credential host secret: %m");
499 if (sd_id128_is_null(with_key
)) {
500 /* If automatic mode is selected and we are running in a container, let's not try TPM2. OTOH
501 * if user picks TPM2 explicitly, let's always honour the request and try. */
503 r
= detect_container();
505 log_debug_errno(r
, "Failed to determine whether we are running in a container, ignoring: %m");
507 log_debug("Running in container, not attempting to use TPM2.");
513 sd_id128_in_set(with_key
, CRED_AES256_GCM_BY_TPM2_HMAC
, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC
)) {
515 r
= tpm2_seal(tpm2_device
,
522 &tpm2_policy_hash_size
,
526 if (!sd_id128_is_null(with_key
))
529 log_debug_errno(r
, "TPM2 sealing didn't work, not using: %m");
532 assert(tpm2_blob_size
<= CREDENTIAL_FIELD_SIZE_MAX
);
533 assert(tpm2_policy_hash_size
<= CREDENTIAL_FIELD_SIZE_MAX
);
537 if (sd_id128_is_null(with_key
)) {
538 /* Let's settle the key type in auto mode now. */
540 if (host_key
&& tpm2_key
)
541 id
= CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC
;
543 id
= CRED_AES256_GCM_BY_TPM2_HMAC
;
545 id
= CRED_AES256_GCM_BY_HOST
;
547 return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE
),
548 "TPM2 not available and host key located on temporary file system, no encryption key available.");
552 /* Let's now take the host key and the TPM2 key and hash it together, to use as encryption key for the data */
553 r
= sha256_hash_host_and_tpm2_key(host_key
, host_key_size
, tpm2_key
, tpm2_key_size
, md
);
557 assert_se(cc
= EVP_aes_256_gcm());
559 ksz
= EVP_CIPHER_key_length(cc
);
560 assert(ksz
== sizeof(md
));
562 bsz
= EVP_CIPHER_block_size(cc
);
564 assert((size_t) bsz
<= CREDENTIAL_FIELD_SIZE_MAX
);
566 ivsz
= EVP_CIPHER_iv_length(cc
);
568 assert((size_t) ivsz
<= CREDENTIAL_FIELD_SIZE_MAX
);
574 r
= genuine_random_bytes(iv
, ivsz
, RANDOM_BLOCK
);
576 return log_error_errno(r
, "Failed to acquired randomized IV: %m");
579 tsz
= 16; /* FIXME: On OpenSSL 3 there is EVP_CIPHER_CTX_get_tag_length(), until then let's hardcode this */
581 context
= EVP_CIPHER_CTX_new();
583 return log_error_errno(SYNTHETIC_ERRNO(ENOMEM
), "Failed to allocate encryption object: %s",
584 ERR_error_string(ERR_get_error(), NULL
));
586 if (EVP_EncryptInit_ex(context
, cc
, NULL
, md
, iv
) != 1)
587 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to initialize encryption context: %s",
588 ERR_error_string(ERR_get_error(), NULL
));
590 /* Just an upper estimate */
592 ALIGN8(offsetof(struct encrypted_credential_header
, iv
) + ivsz
) +
593 ALIGN8(tpm2_key
? offsetof(struct tpm2_credential_header
, policy_hash_and_blob
) + tpm2_blob_size
+ tpm2_policy_hash_size
: 0) +
594 ALIGN8(offsetof(struct metadata_credential_header
, name
) + strlen_ptr(name
)) +
595 input_size
+ 2U * (size_t) bsz
+
598 output
= malloc0(output_size
);
602 h
= (struct encrypted_credential_header
*) output
;
604 h
->block_size
= htole32(bsz
);
605 h
->key_size
= htole32(ksz
);
606 h
->tag_size
= htole32(tsz
);
607 h
->iv_size
= htole32(ivsz
);
608 memcpy(h
->iv
, iv
, ivsz
);
610 p
= ALIGN8(offsetof(struct encrypted_credential_header
, iv
) + ivsz
);
613 struct tpm2_credential_header
*t
;
615 t
= (struct tpm2_credential_header
*) ((uint8_t*) output
+ p
);
616 t
->pcr_mask
= htole64(tpm2_pcr_mask
);
617 t
->pcr_bank
= htole16(tpm2_pcr_bank
);
618 t
->primary_alg
= htole16(tpm2_primary_alg
);
619 t
->blob_size
= htole32(tpm2_blob_size
);
620 t
->policy_hash_size
= htole32(tpm2_policy_hash_size
);
621 memcpy(t
->policy_hash_and_blob
, tpm2_blob
, tpm2_blob_size
);
622 memcpy(t
->policy_hash_and_blob
+ tpm2_blob_size
, tpm2_policy_hash
, tpm2_policy_hash_size
);
624 p
+= ALIGN8(offsetof(struct tpm2_credential_header
, policy_hash_and_blob
) + tpm2_blob_size
+ tpm2_policy_hash_size
);
627 /* Pass the encrypted + TPM2 header as AAD */
628 if (EVP_EncryptUpdate(context
, NULL
, &added
, output
, p
) != 1)
629 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to write AAD data: %s",
630 ERR_error_string(ERR_get_error(), NULL
));
632 /* Now construct the metadata header */
633 ml
= strlen_ptr(name
);
634 m
= malloc0(ALIGN8(offsetof(struct metadata_credential_header
, name
) + ml
));
638 m
->timestamp
= htole64(timestamp
);
639 m
->not_after
= htole64(not_after
);
640 m
->name_size
= htole32(ml
);
641 memcpy_safe(m
->name
, name
, ml
);
643 /* And encrypt the metadata header */
644 if (EVP_EncryptUpdate(context
, (uint8_t*) output
+ p
, &added
, (const unsigned char*) m
, ALIGN8(offsetof(struct metadata_credential_header
, name
) + ml
)) != 1)
645 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to encrypt metadata header: %s",
646 ERR_error_string(ERR_get_error(), NULL
));
649 assert((size_t) added
<= output_size
- p
);
652 /* Then encrypt the plaintext */
653 if (EVP_EncryptUpdate(context
, (uint8_t*) output
+ p
, &added
, input
, input_size
) != 1)
654 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to encrypt data: %s",
655 ERR_error_string(ERR_get_error(), NULL
));
658 assert((size_t) added
<= output_size
- p
);
662 if (EVP_EncryptFinal_ex(context
, (uint8_t*) output
+ p
, &added
) != 1)
663 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to finalize data encryption: %s",
664 ERR_error_string(ERR_get_error(), NULL
));
667 assert((size_t) added
<= output_size
- p
);
670 assert(p
<= output_size
- tsz
);
673 if (EVP_CIPHER_CTX_ctrl(context
, EVP_CTRL_GCM_GET_TAG
, tsz
, (uint8_t*) output
+ p
) != 1)
674 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to get tag: %s",
675 ERR_error_string(ERR_get_error(), NULL
));
678 assert(p
<= output_size
);
680 if (DEBUG_LOGGING
&& input_size
> 0) {
683 base64_size
= DIV_ROUND_UP(p
* 4, 3); /* Include base64 size increase in debug output */
684 assert(base64_size
>= input_size
);
685 log_debug("Input of %zu bytes grew to output of %zu bytes (+%2zu%%).", input_size
, base64_size
, base64_size
* 100 / input_size
- 100);
688 *ret
= TAKE_PTR(output
);
694 int decrypt_credential_and_warn(
695 const char *validate_name
,
696 usec_t validate_timestamp
,
697 const char *tpm2_device
,
703 _cleanup_(erase_and_freep
) void *host_key
= NULL
, *tpm2_key
= NULL
, *plaintext
= NULL
;
704 _cleanup_(EVP_CIPHER_CTX_freep
) EVP_CIPHER_CTX
*context
= NULL
;
705 size_t host_key_size
= 0, tpm2_key_size
= 0, plaintext_size
, p
, hs
;
706 struct encrypted_credential_header
*h
;
707 struct metadata_credential_header
*m
;
708 uint8_t md
[SHA256_DIGEST_LENGTH
];
709 bool with_tpm2
, with_host_key
;
710 const EVP_CIPHER
*cc
;
713 assert(input
|| input_size
== 0);
717 h
= (struct encrypted_credential_header
*) input
;
719 /* The ID must fit in, for the current and all future formats */
720 if (input_size
< sizeof(h
->id
))
721 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Encrypted file too short.");
723 with_host_key
= sd_id128_in_set(h
->id
, CRED_AES256_GCM_BY_HOST
, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC
);
724 with_tpm2
= sd_id128_in_set(h
->id
, CRED_AES256_GCM_BY_TPM2_HMAC
, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC
);
726 if (!with_host_key
&& !with_tpm2
)
727 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "Unknown encryption format, or corrupted data: %m");
729 /* Now we know the minimum header size */
730 if (input_size
< offsetof(struct encrypted_credential_header
, iv
))
731 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Encrypted file too short.");
733 /* Verify some basic header values */
734 if (le32toh(h
->key_size
) != sizeof(md
))
735 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Unexpected key size in header.");
736 if (le32toh(h
->block_size
) <= 0 || le32toh(h
->block_size
) > CREDENTIAL_FIELD_SIZE_MAX
)
737 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Unexpected block size in header.");
738 if (le32toh(h
->iv_size
) > CREDENTIAL_FIELD_SIZE_MAX
)
739 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "IV size too large.");
740 if (le32toh(h
->tag_size
) != 16) /* FIXME: On OpenSSL 3, let's verify via EVP_CIPHER_CTX_get_tag_length() */
741 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Unexpected tag size in header.");
743 /* Ensure we have space for the full header now (we don't know the size of the name hence this is a
744 * lower limit only) */
746 ALIGN8(offsetof(struct encrypted_credential_header
, iv
) + le32toh(h
->iv_size
)) +
747 ALIGN8((with_tpm2
? offsetof(struct tpm2_credential_header
, policy_hash_and_blob
) : 0)) +
748 ALIGN8(offsetof(struct metadata_credential_header
, name
)) +
749 le32toh(h
->tag_size
))
750 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Encrypted file too short.");
752 p
= ALIGN8(offsetof(struct encrypted_credential_header
, iv
) + le32toh(h
->iv_size
));
756 struct tpm2_credential_header
* t
= (struct tpm2_credential_header
*) ((uint8_t*) input
+ p
);
758 if (le64toh(t
->pcr_mask
) >= (UINT64_C(1) << TPM2_PCRS_MAX
))
759 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "TPM2 PCR mask out of range.");
760 if (!tpm2_pcr_bank_to_string(le16toh(t
->pcr_bank
)))
761 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "TPM2 PCR bank invalid or not supported");
762 if (!tpm2_primary_alg_to_string(le16toh(t
->primary_alg
)))
763 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "TPM2 primary key algorithm invalid or not supported.");
764 if (le32toh(t
->blob_size
) > CREDENTIAL_FIELD_SIZE_MAX
)
765 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Unexpected TPM2 blob size.");
766 if (le32toh(t
->policy_hash_size
) > CREDENTIAL_FIELD_SIZE_MAX
)
767 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Unexpected TPM2 policy hash size.");
769 /* Ensure we have space for the full TPM2 header now (still don't know the name, and its size
770 * though, hence still just a lower limit test only) */
772 ALIGN8(offsetof(struct encrypted_credential_header
, iv
) + le32toh(h
->iv_size
)) +
773 ALIGN8(offsetof(struct tpm2_credential_header
, policy_hash_and_blob
) + le32toh(t
->blob_size
) + le32toh(t
->policy_hash_size
)) +
774 ALIGN8(offsetof(struct metadata_credential_header
, name
)) +
775 le32toh(h
->tag_size
))
776 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Encrypted file too short.");
778 r
= tpm2_unseal(tpm2_device
,
779 le64toh(t
->pcr_mask
),
780 le16toh(t
->pcr_bank
),
781 le16toh(t
->primary_alg
),
782 t
->policy_hash_and_blob
,
783 le32toh(t
->blob_size
),
784 t
->policy_hash_and_blob
+ le32toh(t
->blob_size
),
785 le32toh(t
->policy_hash_size
),
791 p
+= ALIGN8(offsetof(struct tpm2_credential_header
, policy_hash_and_blob
) +
792 le32toh(t
->blob_size
) +
793 le32toh(t
->policy_hash_size
));
795 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "Credential requires TPM2 support, but TPM2 support not available.");
800 r
= get_credential_host_secret(
805 return log_error_errno(r
, "Failed to determine local credential key: %m");
808 sha256_hash_host_and_tpm2_key(host_key
, host_key_size
, tpm2_key
, tpm2_key_size
, md
);
810 assert_se(cc
= EVP_aes_256_gcm());
812 /* Make sure cipher expectations match the header */
813 if (EVP_CIPHER_key_length(cc
) != (int) le32toh(h
->key_size
))
814 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Unexpected key size in header.");
815 if (EVP_CIPHER_block_size(cc
) != (int) le32toh(h
->block_size
))
816 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Unexpected block size in header.");
818 context
= EVP_CIPHER_CTX_new();
820 return log_error_errno(SYNTHETIC_ERRNO(ENOMEM
), "Failed to allocate decryption object: %s",
821 ERR_error_string(ERR_get_error(), NULL
));
823 if (EVP_DecryptInit_ex(context
, cc
, NULL
, NULL
, NULL
) != 1)
824 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to initialize decryption context: %s",
825 ERR_error_string(ERR_get_error(), NULL
));
827 if (EVP_CIPHER_CTX_ctrl(context
, EVP_CTRL_GCM_SET_IVLEN
, le32toh(h
->iv_size
), NULL
) != 1)
828 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to set IV size on decryption context: %s",
829 ERR_error_string(ERR_get_error(), NULL
));
831 if (EVP_DecryptInit_ex(context
, NULL
, NULL
, md
, h
->iv
) != 1)
832 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to set IV and key: %s",
833 ERR_error_string(ERR_get_error(), NULL
));
835 if (EVP_DecryptUpdate(context
, NULL
, &added
, input
, p
) != 1)
836 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to write AAD data: %s",
837 ERR_error_string(ERR_get_error(), NULL
));
839 plaintext
= malloc(input_size
- p
- le32toh(h
->tag_size
));
843 if (EVP_DecryptUpdate(
847 (uint8_t*) input
+ p
,
848 input_size
- p
- le32toh(h
->tag_size
)) != 1)
849 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to decrypt data: %s",
850 ERR_error_string(ERR_get_error(), NULL
));
853 assert((size_t) added
<= input_size
- p
- le32toh(h
->tag_size
));
854 plaintext_size
= added
;
856 if (EVP_CIPHER_CTX_ctrl(context
, EVP_CTRL_GCM_SET_TAG
, le32toh(h
->tag_size
), (uint8_t*) input
+ input_size
- le32toh(h
->tag_size
)) != 1)
857 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to set tag: %s",
858 ERR_error_string(ERR_get_error(), NULL
));
860 if (EVP_DecryptFinal_ex(context
, (uint8_t*) plaintext
+ plaintext_size
, &added
) != 1)
861 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Decryption failed (incorrect key?): %s",
862 ERR_error_string(ERR_get_error(), NULL
));
864 plaintext_size
+= added
;
866 if (plaintext_size
< ALIGN8(offsetof(struct metadata_credential_header
, name
)))
867 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Metadata header incomplete.");
871 if (le64toh(m
->timestamp
) != USEC_INFINITY
&&
872 le64toh(m
->not_after
) != USEC_INFINITY
&&
873 le64toh(m
->timestamp
) >= le64toh(m
->not_after
))
874 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Timestamps of credential are not in order, refusing.");
876 if (le32toh(m
->name_size
) > CREDENTIAL_NAME_MAX
)
877 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Embedded credential name too long, refusing.");
879 hs
= ALIGN8(offsetof(struct metadata_credential_header
, name
) + le32toh(m
->name_size
));
880 if (plaintext_size
< hs
)
881 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Metadata header incomplete.");
883 if (le32toh(m
->name_size
) > 0) {
884 _cleanup_free_
char *embedded_name
= NULL
;
886 if (memchr(m
->name
, 0, le32toh(m
->name_size
)))
887 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Embedded credential name contains NUL byte, refusing.");
889 embedded_name
= memdup_suffix0(m
->name
, le32toh(m
->name_size
));
893 if (!credential_name_valid(embedded_name
))
894 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Embedded credential name is not valid, refusing.");
896 if (validate_name
&& !streq(embedded_name
, validate_name
)) {
898 r
= getenv_bool_secure("SYSTEMD_CREDENTIAL_VALIDATE_NAME");
899 if (r
< 0 && r
!= -ENXIO
)
900 log_debug_errno(r
, "Failed to parse $SYSTEMD_CREDENTIAL_VALIDATE_NAME: %m");
902 return log_error_errno(SYNTHETIC_ERRNO(EREMOTE
), "Embedded credential name '%s' does not match filename '%s', refusing.", embedded_name
, validate_name
);
904 log_debug("Embedded credential name '%s' does not match expected name '%s', but configured to use credential anyway.", embedded_name
, validate_name
);
908 if (validate_timestamp
!= USEC_INFINITY
) {
909 if (le64toh(m
->timestamp
) != USEC_INFINITY
&& le64toh(m
->timestamp
) > validate_timestamp
)
910 log_debug("Credential timestamp is from the future, assuming clock skew.");
912 if (le64toh(m
->not_after
) != USEC_INFINITY
&& le64toh(m
->not_after
) < validate_timestamp
) {
914 r
= getenv_bool_secure("SYSTEMD_CREDENTIAL_VALIDATE_NOT_AFTER");
915 if (r
< 0 && r
!= -ENXIO
)
916 log_debug_errno(r
, "Failed to parse $SYSTEMD_CREDENTIAL_VALIDATE_NOT_AFTER: %m");
918 return log_error_errno(SYNTHETIC_ERRNO(ESTALE
), "Credential's time passed, refusing to use.");
920 log_debug("Credential not-after timestamp has passed, but configured to use credential anyway.");
925 char *without_metadata
;
927 without_metadata
= memdup((uint8_t*) plaintext
+ hs
, plaintext_size
- hs
);
928 if (!without_metadata
)
931 *ret
= without_metadata
;
935 *ret_size
= plaintext_size
- hs
;
942 int get_credential_host_secret(CredentialSecretFlags flags
, void **ret
, size_t *ret_size
) {
943 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "Support for encrypted credentials not available.");
946 int encrypt_credential_and_warn(sd_id128_t with_key
, const char *name
, usec_t timestamp
, usec_t not_after
, const char *tpm2_device
, uint32_t tpm2_pcr_mask
, const void *input
, size_t input_size
, void **ret
, size_t *ret_size
) {
947 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "Support for encrypted credentials not available.");
950 int decrypt_credential_and_warn(const char *validate_name
, usec_t validate_timestamp
, const char *tpm2_device
, const void *input
, size_t input_size
, void **ret
, size_t *ret_size
) {
951 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "Support for encrypted credentials not available.");