]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/shared/creds-util.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
tree-wide: use -EBADF for fd initialization
[thirdparty/systemd.git] / src / shared / creds-util.c
1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
2
3 #include <sys/file.h>
4
5 #if HAVE_OPENSSL
6 #include <openssl/err.h>
7 #endif
8
9 #include "sd-id128.h"
10
11 #include "blockdev-util.h"
12 #include "chattr-util.h"
13 #include "constants.h"
14 #include "creds-util.h"
15 #include "efi-api.h"
16 #include "env-util.h"
17 #include "fd-util.h"
18 #include "fileio.h"
19 #include "fs-util.h"
20 #include "io-util.h"
21 #include "memory-util.h"
22 #include "mkdir.h"
23 #include "openssl-util.h"
24 #include "path-util.h"
25 #include "random-util.h"
26 #include "sparse-endian.h"
27 #include "stat-util.h"
28 #include "tpm2-util.h"
29 #include "virt.h"
30
31 #define PUBLIC_KEY_MAX (UINT32_C(1024) * UINT32_C(1024))
32
33 bool credential_name_valid(const char *s) {
34 /* We want that credential names are both valid in filenames (since that's our primary way to pass
35 * them around) and as fdnames (which is how we might want to pass them around eventually) */
36 return filename_is_valid(s) && fdname_is_valid(s);
37 }
38
39 static int get_credentials_dir_internal(const char *envvar, const char **ret) {
40 const char *e;
41
42 assert(ret);
43
44 e = secure_getenv(envvar);
45 if (!e)
46 return -ENXIO;
47
48 if (!path_is_absolute(e) || !path_is_normalized(e))
49 return -EINVAL;
50
51 *ret = e;
52 return 0;
53 }
54
55 int get_credentials_dir(const char **ret) {
56 return get_credentials_dir_internal("CREDENTIALS_DIRECTORY", ret);
57 }
58
59 int get_encrypted_credentials_dir(const char **ret) {
60 return get_credentials_dir_internal("ENCRYPTED_CREDENTIALS_DIRECTORY", ret);
61 }
62
63 int read_credential(const char *name, void **ret, size_t *ret_size) {
64 _cleanup_free_ char *fn = NULL;
65 const char *d;
66 int r;
67
68 assert(ret);
69
70 if (!credential_name_valid(name))
71 return -EINVAL;
72
73 r = get_credentials_dir(&d);
74 if (r < 0)
75 return r;
76
77 fn = path_join(d, name);
78 if (!fn)
79 return -ENOMEM;
80
81 return read_full_file_full(
82 AT_FDCWD, fn,
83 UINT64_MAX, SIZE_MAX,
84 READ_FULL_FILE_SECURE,
85 NULL,
86 (char**) ret, ret_size);
87 }
88
89 int get_credential_user_password(const char *username, char **ret_password, bool *ret_is_hashed) {
90 _cleanup_(erase_and_freep) char *creds_password = NULL;
91 _cleanup_free_ char *cn = NULL;
92 int r;
93
94 /* Try to pick up the password for this account via the credentials logic */
95 cn = strjoin("passwd.hashed-password.", username);
96 if (!cn)
97 return -ENOMEM;
98
99 r = read_credential(cn, (void**) &creds_password, NULL);
100 if (r == -ENOENT) {
101 free(cn);
102 cn = strjoin("passwd.plaintext-password.", username);
103 if (!cn)
104 return -ENOMEM;
105
106 r = read_credential(cn, (void**) &creds_password, NULL);
107 if (r < 0)
108 log_debug_errno(r, "Couldn't read credential '%s', ignoring: %m", cn);
109 else
110 *ret_is_hashed = false;
111 } else if (r < 0)
112 log_debug_errno(r, "Couldn't read credential '%s', ignoring: %m", cn);
113 else
114 *ret_is_hashed = true;
115
116 *ret_password = TAKE_PTR(creds_password);
117
118 return r;
119 }
120
121 #if HAVE_OPENSSL
122
123 #define CREDENTIAL_HOST_SECRET_SIZE 4096
124
125 static const sd_id128_t credential_app_id =
126 SD_ID128_MAKE(d3,ac,ec,ba,0d,ad,4c,df,b8,c9,38,15,28,93,6c,58);
127
128 struct credential_host_secret_format {
129 /* The hashed machine ID of the machine this belongs to. Why? We want to ensure that each machine
130 * gets its own secret, even if people forget to flush out this secret file. Hence we bind it to the
131 * machine ID, for which there's hopefully a better chance it will be flushed out. We use a hashed
132 * machine ID instead of the literal one, because it's trivial to, and it might be a good idea not
133 * being able to directly associate a secret key file with a host. */
134 sd_id128_t machine_id;
135
136 /* The actual secret key */
137 uint8_t data[CREDENTIAL_HOST_SECRET_SIZE];
138 } _packed_;
139
140 static void warn_not_encrypted(int fd, CredentialSecretFlags flags, const char *dirname, const char *filename) {
141 int r;
142
143 assert(fd >= 0);
144 assert(dirname);
145 assert(filename);
146
147 if (!FLAGS_SET(flags, CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED))
148 return;
149
150 r = fd_is_encrypted(fd);
151 if (r < 0)
152 log_debug_errno(r, "Failed to determine if credential secret file '%s/%s' is encrypted.",
153 dirname, filename);
154 else if (r == 0)
155 log_warning("Credential secret file '%s/%s' is not located on encrypted media, using anyway.",
156 dirname, filename);
157 }
158
159 static int make_credential_host_secret(
160 int dfd,
161 const sd_id128_t machine_id,
162 CredentialSecretFlags flags,
163 const char *dirname,
164 const char *fn,
165 void **ret_data,
166 size_t *ret_size) {
167
168 struct credential_host_secret_format buf;
169 _cleanup_free_ char *t = NULL;
170 _cleanup_close_ int fd = -EBADF;
171 int r;
172
173 assert(dfd >= 0);
174 assert(fn);
175
176 fd = openat(dfd, ".", O_CLOEXEC|O_WRONLY|O_TMPFILE, 0400);
177 if (fd < 0) {
178 log_debug_errno(errno, "Failed to create temporary credential file with O_TMPFILE, proceeding without: %m");
179
180 if (asprintf(&t, "credential.secret.%016" PRIx64, random_u64()) < 0)
181 return -ENOMEM;
182
183 fd = openat(dfd, t, O_CLOEXEC|O_WRONLY|O_CREAT|O_EXCL|O_NOFOLLOW, 0400);
184 if (fd < 0)
185 return -errno;
186 }
187
188 r = chattr_secret(fd, 0);
189 if (r < 0)
190 log_debug_errno(r, "Failed to set file attributes for secrets file, ignoring: %m");
191
192 buf = (struct credential_host_secret_format) {
193 .machine_id = machine_id,
194 };
195
196 r = crypto_random_bytes(buf.data, sizeof(buf.data));
197 if (r < 0)
198 goto finish;
199
200 r = loop_write(fd, &buf, sizeof(buf), false);
201 if (r < 0)
202 goto finish;
203
204 if (fsync(fd) < 0) {
205 r = -errno;
206 goto finish;
207 }
208
209 warn_not_encrypted(fd, flags, dirname, fn);
210
211 if (t) {
212 r = rename_noreplace(dfd, t, dfd, fn);
213 if (r < 0)
214 goto finish;
215
216 t = mfree(t);
217 } else if (linkat(fd, "", dfd, fn, AT_EMPTY_PATH) < 0) {
218 r = -errno;
219 goto finish;
220 }
221
222 if (fsync(dfd) < 0) {
223 r = -errno;
224 goto finish;
225 }
226
227 if (ret_data) {
228 void *copy;
229
230 copy = memdup(buf.data, sizeof(buf.data));
231 if (!copy) {
232 r = -ENOMEM;
233 goto finish;
234 }
235
236 *ret_data = copy;
237 }
238
239 if (ret_size)
240 *ret_size = sizeof(buf.data);
241
242 r = 0;
243
244 finish:
245 if (t && unlinkat(dfd, t, 0) < 0)
246 log_debug_errno(errno, "Failed to remove temporary credential key: %m");
247
248 explicit_bzero_safe(&buf, sizeof(buf));
249 return r;
250 }
251
252 int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *ret_size) {
253 _cleanup_free_ char *_dirname = NULL, *_filename = NULL;
254 _cleanup_close_ int dfd = -EBADF;
255 sd_id128_t machine_id;
256 const char *dirname, *filename;
257 int r;
258
259 r = sd_id128_get_machine_app_specific(credential_app_id, &machine_id);
260 if (r < 0)
261 return r;
262
263 const char *e = secure_getenv("SYSTEMD_CREDENTIAL_SECRET");
264 if (e) {
265 if (!path_is_normalized(e))
266 return -EINVAL;
267 if (!path_is_absolute(e))
268 return -EINVAL;
269
270 r = path_extract_directory(e, &_dirname);
271 if (r < 0)
272 return r;
273
274 r = path_extract_filename(e, &_filename);
275 if (r < 0)
276 return r;
277
278 dirname = _dirname;
279 filename = _filename;
280 } else {
281 dirname = "/var/lib/systemd";
282 filename = "credential.secret";
283 }
284
285 mkdir_parents(dirname, 0755);
286 dfd = open_mkdir_at(AT_FDCWD, dirname, O_CLOEXEC, 0755);
287 if (dfd < 0)
288 return log_debug_errno(dfd, "Failed to create or open directory '%s': %m", dirname);
289
290 if (FLAGS_SET(flags, CREDENTIAL_SECRET_FAIL_ON_TEMPORARY_FS)) {
291 r = fd_is_temporary_fs(dfd);
292 if (r < 0)
293 return log_debug_errno(r, "Failed to check directory '%s': %m", dirname);
294 if (r > 0)
295 return log_debug_errno(SYNTHETIC_ERRNO(ENOMEDIUM),
296 "Directory '%s' is on a temporary file system, refusing.", dirname);
297 }
298
299 for (unsigned attempt = 0;; attempt++) {
300 _cleanup_(erase_and_freep) struct credential_host_secret_format *f = NULL;
301 _cleanup_close_ int fd = -EBADF;
302 size_t l = 0;
303 ssize_t n = 0;
304 struct stat st;
305
306 if (attempt >= 3) /* Somebody is playing games with us */
307 return log_debug_errno(SYNTHETIC_ERRNO(EIO),
308 "All attempts to create secret store in %s failed.", dirname);
309
310 fd = openat(dfd, filename, O_CLOEXEC|O_RDONLY|O_NOCTTY|O_NOFOLLOW);
311 if (fd < 0) {
312 if (errno != ENOENT || !FLAGS_SET(flags, CREDENTIAL_SECRET_GENERATE))
313 return log_debug_errno(errno,
314 "Failed to open %s/%s: %m", dirname, filename);
315
316
317 r = make_credential_host_secret(dfd, machine_id, flags, dirname, filename, ret, ret_size);
318 if (r == -EEXIST) {
319 log_debug_errno(r, "Credential secret %s/%s appeared while we were creating it, rereading.",
320 dirname, filename);
321 continue;
322 }
323 if (r < 0)
324 return log_debug_errno(r, "Failed to create credential secret %s/%s: %m",
325 dirname, filename);
326 return 0;
327 }
328
329 if (fstat(fd, &st) < 0)
330 return log_debug_errno(errno, "Failed to stat %s/%s: %m", dirname, filename);
331
332 r = stat_verify_regular(&st);
333 if (r < 0)
334 return log_debug_errno(r, "%s/%s is not a regular file: %m", dirname, filename);
335 if (st.st_nlink == 0) /* Deleted by now, try again */
336 continue;
337 if (st.st_nlink > 1)
338 /* Our deletion check won't work if hardlinked somewhere else */
339 return log_debug_errno(SYNTHETIC_ERRNO(EPERM),
340 "%s/%s has too many links, refusing.",
341 dirname, filename);
342 if ((st.st_mode & 07777) != 0400)
343 /* Don't use file if not 0400 access mode */
344 return log_debug_errno(SYNTHETIC_ERRNO(EPERM),
345 "%s/%s has permissive access mode, refusing.",
346 dirname, filename);
347 l = st.st_size;
348 if (l < offsetof(struct credential_host_secret_format, data) + 1)
349 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL),
350 "%s/%s is too small, refusing.", dirname, filename);
351 if (l > 16*1024*1024)
352 return log_debug_errno(SYNTHETIC_ERRNO(E2BIG),
353 "%s/%s is too big, refusing.", dirname, filename);
354
355 f = malloc(l+1);
356 if (!f)
357 return log_oom_debug();
358
359 n = read(fd, f, l+1);
360 if (n < 0)
361 return log_debug_errno(errno,
362 "Failed to read %s/%s: %m", dirname, filename);
363 if ((size_t) n != l) /* What? The size changed? */
364 return log_debug_errno(SYNTHETIC_ERRNO(EIO),
365 "Failed to read %s/%s: %m", dirname, filename);
366
367 if (sd_id128_equal(machine_id, f->machine_id)) {
368 size_t sz;
369
370 warn_not_encrypted(fd, flags, dirname, filename);
371
372 sz = l - offsetof(struct credential_host_secret_format, data);
373 assert(sz > 0);
374
375 if (ret) {
376 void *copy;
377
378 assert(sz <= sizeof(f->data)); /* Ensure we don't read past f->data bounds */
379
380 copy = memdup(f->data, sz);
381 if (!copy)
382 return log_oom_debug();
383
384 *ret = copy;
385 }
386
387 if (ret_size)
388 *ret_size = sz;
389
390 return 0;
391 }
392
393 /* Hmm, this secret is from somewhere else. Let's delete the file. Let's first acquire a lock
394 * to ensure we are the only ones accessing the file while we delete it. */
395
396 if (flock(fd, LOCK_EX) < 0)
397 return log_debug_errno(errno,
398 "Failed to flock %s/%s: %m", dirname, filename);
399
400 /* Before we delete it check that the file is still linked into the file system */
401 if (fstat(fd, &st) < 0)
402 return log_debug_errno(errno, "Failed to stat %s/%s: %m", dirname, filename);
403 if (st.st_nlink == 0) /* Already deleted by now? */
404 continue;
405 if (st.st_nlink != 1) /* Safety check, someone is playing games with us */
406 return log_debug_errno(SYNTHETIC_ERRNO(EPERM),
407 "%s/%s unexpectedly has too many links.",
408 dirname, filename);
409 if (unlinkat(dfd, filename, 0) < 0)
410 return log_debug_errno(errno, "Failed to unlink %s/%s: %m", dirname, filename);
411
412 /* And now try again */
413 }
414 }
415
416 /* Construction is like this:
417 *
418 * A symmetric encryption key is derived from:
419 *
420 * 1. Either the "host" key (a key stored in /var/lib/credential.secret)
421 *
422 * 2. A key generated by letting the TPM2 calculate an HMAC hash of some nonce we pass to it, keyed
423 * by a key derived from its internal seed key.
424 *
425 * 3. The concatenation of the above.
426 *
427 * 4. Or a fixed "empty" key. This will not provide confidentiality or authenticity, of course, but is
428 * useful to encode credentials for the initrd on TPM-less systems, where we simply have no better
429 * concept to bind things to. Note that decryption of a key set up like this will be refused on
430 * systems that have a TPM and have SecureBoot enabled.
431 *
432 * The above is hashed with SHA256 which is then used as encryption key for AES256-GCM. The encrypted
433 * credential is a short (unencrypted) header describing which of the three keys to use, the IV to use for
434 * AES256-GCM and some more meta information (sizes of certain objects) that is strictly speaking redundant,
435 * but kinda nice to have since we can have a more generic parser. If the TPM2 key is used this is followed
436 * by another (unencrypted) header, with information about the TPM2 policy used (specifically: the PCR mask
437 * to bind against, and a hash of the resulting policy — the latter being redundant, but speeding up things a
438 * bit, since we can more quickly refuse PCR state), followed by a sealed/exported TPM2 HMAC key. This is
439 * then followed by the encrypted data, which begins with a metadata header (which contains validity
440 * timestamps as well as the credential name), followed by the actual credential payload. The file ends in
441 * the AES256-GCM tag. To make things simple, the AES256-GCM AAD covers the main and the TPM2 header in
442 * full. This means the whole file is either protected by AAD, or is ciphertext, or is the tag. No
443 * unprotected data is included.
444 */
445
446 struct _packed_ encrypted_credential_header {
447 sd_id128_t id;
448 le32_t key_size;
449 le32_t block_size;
450 le32_t iv_size;
451 le32_t tag_size;
452 uint8_t iv[];
453 /* Followed by NUL bytes until next 8 byte boundary */
454 };
455
456 struct _packed_ tpm2_credential_header {
457 le64_t pcr_mask; /* Note that the spec for PC Clients only mandates 24 PCRs, and that's what systems
458 * generally have. But keep the door open for more. */
459 le16_t pcr_bank; /* For now, either TPM2_ALG_SHA256 or TPM2_ALG_SHA1 */
460 le16_t primary_alg; /* Primary key algorithm (either TPM2_ALG_RSA or TPM2_ALG_ECC for now) */
461 le32_t blob_size;
462 le32_t policy_hash_size;
463 uint8_t policy_hash_and_blob[];
464 /* Followed by NUL bytes until next 8 byte boundary */
465 };
466
467 struct _packed_ tpm2_public_key_credential_header {
468 le64_t pcr_mask; /* PCRs used for the public key PCR policy (usually just PCR 11, i.e. the unified kernel) */
469 le32_t size; /* Size of DER public key */
470 uint8_t data[]; /* DER public key */
471 /* Followed by NUL bytes until next 8 byte boundary */
472 };
473
474 struct _packed_ metadata_credential_header {
475 le64_t timestamp;
476 le64_t not_after;
477 le32_t name_size;
478 char name[];
479 /* Followed by NUL bytes until next 8 byte boundary */
480 };
481
482 /* Some generic limit for parts of the encrypted credential for which we don't know the right size ahead of
483 * time, but where we are really sure it won't be larger than this. Should be larger than any possible IV,
484 * padding, tag size and so on. This is purely used for early filtering out of invalid sizes. */
485 #define CREDENTIAL_FIELD_SIZE_MAX (16U*1024U)
486
487 static int sha256_hash_host_and_tpm2_key(
488 const void *host_key,
489 size_t host_key_size,
490 const void *tpm2_key,
491 size_t tpm2_key_size,
492 uint8_t ret[static SHA256_DIGEST_LENGTH]) {
493
494 _cleanup_(EVP_MD_CTX_freep) EVP_MD_CTX *md = NULL;
495 unsigned l;
496
497 assert(host_key_size == 0 || host_key);
498 assert(tpm2_key_size == 0 || tpm2_key);
499 assert(ret);
500
501 /* Combines the host key and the TPM2 HMAC hash into a SHA256 hash value we'll use as symmetric encryption key. */
502
503 md = EVP_MD_CTX_new();
504 if (!md)
505 return log_oom();
506
507 if (EVP_DigestInit_ex(md, EVP_sha256(), NULL) != 1)
508 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initial SHA256 context.");
509
510 if (host_key && EVP_DigestUpdate(md, host_key, host_key_size) != 1)
511 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to hash host key.");
512
513 if (tpm2_key && EVP_DigestUpdate(md, tpm2_key, tpm2_key_size) != 1)
514 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to hash TPM2 key.");
515
516 assert(EVP_MD_CTX_size(md) == SHA256_DIGEST_LENGTH);
517
518 if (EVP_DigestFinal_ex(md, ret, &l) != 1)
519 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to finalize SHA256 hash.");
520
521 assert(l == SHA256_DIGEST_LENGTH);
522 return 0;
523 }
524
525 int encrypt_credential_and_warn(
526 sd_id128_t with_key,
527 const char *name,
528 usec_t timestamp,
529 usec_t not_after,
530 const char *tpm2_device,
531 uint32_t tpm2_hash_pcr_mask,
532 const char *tpm2_pubkey_path,
533 uint32_t tpm2_pubkey_pcr_mask,
534 const void *input,
535 size_t input_size,
536 void **ret,
537 size_t *ret_size) {
538
539 _cleanup_(EVP_CIPHER_CTX_freep) EVP_CIPHER_CTX *context = NULL;
540 _cleanup_(erase_and_freep) void *host_key = NULL, *tpm2_key = NULL;
541 size_t host_key_size = 0, tpm2_key_size = 0, tpm2_blob_size = 0, tpm2_policy_hash_size = 0, output_size, p, ml;
542 _cleanup_free_ void *tpm2_blob = NULL, *tpm2_policy_hash = NULL, *iv = NULL, *output = NULL;
543 _cleanup_free_ struct metadata_credential_header *m = NULL;
544 uint16_t tpm2_pcr_bank = 0, tpm2_primary_alg = 0;
545 struct encrypted_credential_header *h;
546 int ksz, bsz, ivsz, tsz, added, r;
547 _cleanup_free_ void *pubkey = NULL;
548 size_t pubkey_size = 0;
549 uint8_t md[SHA256_DIGEST_LENGTH];
550 const EVP_CIPHER *cc;
551 sd_id128_t id;
552
553 assert(input || input_size == 0);
554 assert(ret);
555 assert(ret_size);
556
557 if (!sd_id128_in_set(with_key,
558 _CRED_AUTO,
559 _CRED_AUTO_INITRD,
560 CRED_AES256_GCM_BY_HOST,
561 CRED_AES256_GCM_BY_TPM2_HMAC,
562 CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK,
563 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC,
564 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK,
565 CRED_AES256_GCM_BY_TPM2_ABSENT))
566 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid key type: " SD_ID128_FORMAT_STR, SD_ID128_FORMAT_VAL(with_key));
567
568 if (name && !credential_name_valid(name))
569 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid credential name: %s", name);
570
571 if (not_after != USEC_INFINITY && timestamp != USEC_INFINITY && not_after < timestamp)
572 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential is invalidated before it is valid (" USEC_FMT " < " USEC_FMT ").", not_after, timestamp);
573
574 if (DEBUG_LOGGING) {
575 char buf[FORMAT_TIMESTAMP_MAX];
576
577 if (name)
578 log_debug("Including credential name '%s' in encrypted credential.", name);
579 if (timestamp != USEC_INFINITY)
580 log_debug("Including timestamp '%s' in encrypted credential.", format_timestamp(buf, sizeof(buf), timestamp));
581 if (not_after != USEC_INFINITY)
582 log_debug("Including not-after timestamp '%s' in encrypted credential.", format_timestamp(buf, sizeof(buf), not_after));
583 }
584
585 if (sd_id128_in_set(with_key,
586 _CRED_AUTO,
587 CRED_AES256_GCM_BY_HOST,
588 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC,
589 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK)) {
590
591 r = get_credential_host_secret(
592 CREDENTIAL_SECRET_GENERATE|
593 CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED|
594 (sd_id128_equal(with_key, _CRED_AUTO) ? CREDENTIAL_SECRET_FAIL_ON_TEMPORARY_FS : 0),
595 &host_key,
596 &host_key_size);
597 if (r == -ENOMEDIUM && sd_id128_equal(with_key, _CRED_AUTO))
598 log_debug_errno(r, "Credential host secret location on temporary file system, not using.");
599 else if (r < 0)
600 return log_error_errno(r, "Failed to determine local credential host secret: %m");
601 }
602
603 #if HAVE_TPM2
604 bool try_tpm2;
605 if (sd_id128_equal(with_key, _CRED_AUTO)) {
606 /* If automatic mode is selected and we are running in a container, let's not try TPM2. OTOH
607 * if user picks TPM2 explicitly, let's always honour the request and try. */
608
609 r = detect_container();
610 if (r < 0)
611 log_debug_errno(r, "Failed to determine whether we are running in a container, ignoring: %m");
612 else if (r > 0)
613 log_debug("Running in container, not attempting to use TPM2.");
614
615 try_tpm2 = r <= 0;
616 } else if (sd_id128_equal(with_key, _CRED_AUTO_INITRD)) {
617 /* If automatic mode for initrds is selected, we'll use the TPM2 key if the firmware does it,
618 * otherwise we'll use a fixed key */
619
620 try_tpm2 = efi_has_tpm2();
621 if (!try_tpm2)
622 log_debug("Firmware lacks TPM2 support, not attempting to use TPM2.");
623 } else
624 try_tpm2 = sd_id128_in_set(with_key,
625 CRED_AES256_GCM_BY_TPM2_HMAC,
626 CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK,
627 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC,
628 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK);
629
630 if (try_tpm2) {
631 if (sd_id128_in_set(with_key,
632 _CRED_AUTO,
633 _CRED_AUTO_INITRD,
634 CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK,
635 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK)) {
636
637 /* Load public key for PCR policies, if one is specified, or explicitly requested */
638
639 r = tpm2_load_pcr_public_key(tpm2_pubkey_path, &pubkey, &pubkey_size);
640 if (r < 0) {
641 if (tpm2_pubkey_path || r != -ENOENT || !sd_id128_in_set(with_key, _CRED_AUTO, _CRED_AUTO_INITRD))
642 return log_error_errno(r, "Failed read TPM PCR public key: %m");
643
644 log_debug_errno(r, "Failed to read TPM2 PCR public key, proceeding without: %m");
645 }
646 }
647
648 if (!pubkey)
649 tpm2_pubkey_pcr_mask = 0;
650
651 r = tpm2_seal(tpm2_device,
652 tpm2_hash_pcr_mask,
653 pubkey, pubkey_size,
654 tpm2_pubkey_pcr_mask,
655 /* pin= */ NULL,
656 &tpm2_key, &tpm2_key_size,
657 &tpm2_blob, &tpm2_blob_size,
658 &tpm2_policy_hash, &tpm2_policy_hash_size,
659 &tpm2_pcr_bank,
660 &tpm2_primary_alg);
661 if (r < 0) {
662 if (sd_id128_equal(with_key, _CRED_AUTO_INITRD))
663 log_warning("Firmware reported a TPM2 being present and used, but we didn't manage to talk to it. Credential will be refused if SecureBoot is enabled.");
664 else if (!sd_id128_equal(with_key, _CRED_AUTO))
665 return r;
666
667 log_notice_errno(r, "TPM2 sealing didn't work, continuing without TPM2: %m");
668 }
669
670 assert(tpm2_blob_size <= CREDENTIAL_FIELD_SIZE_MAX);
671 assert(tpm2_policy_hash_size <= CREDENTIAL_FIELD_SIZE_MAX);
672 }
673 #endif
674
675 if (sd_id128_in_set(with_key, _CRED_AUTO, _CRED_AUTO_INITRD)) {
676 /* Let's settle the key type in auto mode now. */
677
678 if (host_key && tpm2_key)
679 id = pubkey ? CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK : CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC;
680 else if (tpm2_key)
681 id = pubkey ? CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK : CRED_AES256_GCM_BY_TPM2_HMAC;
682 else if (host_key)
683 id = CRED_AES256_GCM_BY_HOST;
684 else if (sd_id128_equal(with_key, _CRED_AUTO_INITRD))
685 id = CRED_AES256_GCM_BY_TPM2_ABSENT;
686 else
687 return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
688 "TPM2 not available and host key located on temporary file system, no encryption key available.");
689 } else
690 id = with_key;
691
692 if (sd_id128_equal(id, CRED_AES256_GCM_BY_TPM2_ABSENT))
693 log_warning("Using a null key for encryption and signing. Confidentiality or authenticity will not be provided.");
694
695 /* Let's now take the host key and the TPM2 key and hash it together, to use as encryption key for the data */
696 r = sha256_hash_host_and_tpm2_key(host_key, host_key_size, tpm2_key, tpm2_key_size, md);
697 if (r < 0)
698 return r;
699
700 assert_se(cc = EVP_aes_256_gcm());
701
702 ksz = EVP_CIPHER_key_length(cc);
703 assert(ksz == sizeof(md));
704
705 bsz = EVP_CIPHER_block_size(cc);
706 assert(bsz > 0);
707 assert((size_t) bsz <= CREDENTIAL_FIELD_SIZE_MAX);
708
709 ivsz = EVP_CIPHER_iv_length(cc);
710 if (ivsz > 0) {
711 assert((size_t) ivsz <= CREDENTIAL_FIELD_SIZE_MAX);
712
713 iv = malloc(ivsz);
714 if (!iv)
715 return log_oom();
716
717 r = crypto_random_bytes(iv, ivsz);
718 if (r < 0)
719 return log_error_errno(r, "Failed to acquired randomized IV: %m");
720 }
721
722 tsz = 16; /* FIXME: On OpenSSL 3 there is EVP_CIPHER_CTX_get_tag_length(), until then let's hardcode this */
723
724 context = EVP_CIPHER_CTX_new();
725 if (!context)
726 return log_error_errno(SYNTHETIC_ERRNO(ENOMEM), "Failed to allocate encryption object: %s",
727 ERR_error_string(ERR_get_error(), NULL));
728
729 if (EVP_EncryptInit_ex(context, cc, NULL, md, iv) != 1)
730 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initialize encryption context: %s",
731 ERR_error_string(ERR_get_error(), NULL));
732
733 /* Just an upper estimate */
734 output_size =
735 ALIGN8(offsetof(struct encrypted_credential_header, iv) + ivsz) +
736 ALIGN8(tpm2_key ? offsetof(struct tpm2_credential_header, policy_hash_and_blob) + tpm2_blob_size + tpm2_policy_hash_size : 0) +
737 ALIGN8(pubkey ? offsetof(struct tpm2_public_key_credential_header, data) + pubkey_size : 0) +
738 ALIGN8(offsetof(struct metadata_credential_header, name) + strlen_ptr(name)) +
739 input_size + 2U * (size_t) bsz +
740 tsz;
741
742 output = malloc0(output_size);
743 if (!output)
744 return log_oom();
745
746 h = (struct encrypted_credential_header*) output;
747 h->id = id;
748 h->block_size = htole32(bsz);
749 h->key_size = htole32(ksz);
750 h->tag_size = htole32(tsz);
751 h->iv_size = htole32(ivsz);
752 memcpy(h->iv, iv, ivsz);
753
754 p = ALIGN8(offsetof(struct encrypted_credential_header, iv) + ivsz);
755
756 if (tpm2_key) {
757 struct tpm2_credential_header *t;
758
759 t = (struct tpm2_credential_header*) ((uint8_t*) output + p);
760 t->pcr_mask = htole64(tpm2_hash_pcr_mask);
761 t->pcr_bank = htole16(tpm2_pcr_bank);
762 t->primary_alg = htole16(tpm2_primary_alg);
763 t->blob_size = htole32(tpm2_blob_size);
764 t->policy_hash_size = htole32(tpm2_policy_hash_size);
765 memcpy(t->policy_hash_and_blob, tpm2_blob, tpm2_blob_size);
766 memcpy(t->policy_hash_and_blob + tpm2_blob_size, tpm2_policy_hash, tpm2_policy_hash_size);
767
768 p += ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + tpm2_blob_size + tpm2_policy_hash_size);
769 }
770
771 if (pubkey) {
772 struct tpm2_public_key_credential_header *z;
773
774 z = (struct tpm2_public_key_credential_header*) ((uint8_t*) output + p);
775 z->pcr_mask = htole64(tpm2_pubkey_pcr_mask);
776 z->size = htole32(pubkey_size);
777 memcpy(z->data, pubkey, pubkey_size);
778
779 p += ALIGN8(offsetof(struct tpm2_public_key_credential_header, data) + pubkey_size);
780 }
781
782 /* Pass the encrypted + TPM2 header as AAD */
783 if (EVP_EncryptUpdate(context, NULL, &added, output, p) != 1)
784 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to write AAD data: %s",
785 ERR_error_string(ERR_get_error(), NULL));
786
787 /* Now construct the metadata header */
788 ml = strlen_ptr(name);
789 m = malloc0(ALIGN8(offsetof(struct metadata_credential_header, name) + ml));
790 if (!m)
791 return log_oom();
792
793 m->timestamp = htole64(timestamp);
794 m->not_after = htole64(not_after);
795 m->name_size = htole32(ml);
796 memcpy_safe(m->name, name, ml);
797
798 /* And encrypt the metadata header */
799 if (EVP_EncryptUpdate(context, (uint8_t*) output + p, &added, (const unsigned char*) m, ALIGN8(offsetof(struct metadata_credential_header, name) + ml)) != 1)
800 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to encrypt metadata header: %s",
801 ERR_error_string(ERR_get_error(), NULL));
802
803 assert(added >= 0);
804 assert((size_t) added <= output_size - p);
805 p += added;
806
807 /* Then encrypt the plaintext */
808 if (EVP_EncryptUpdate(context, (uint8_t*) output + p, &added, input, input_size) != 1)
809 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to encrypt data: %s",
810 ERR_error_string(ERR_get_error(), NULL));
811
812 assert(added >= 0);
813 assert((size_t) added <= output_size - p);
814 p += added;
815
816 /* Finalize */
817 if (EVP_EncryptFinal_ex(context, (uint8_t*) output + p, &added) != 1)
818 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to finalize data encryption: %s",
819 ERR_error_string(ERR_get_error(), NULL));
820
821 assert(added >= 0);
822 assert((size_t) added <= output_size - p);
823 p += added;
824
825 assert(p <= output_size - tsz);
826
827 /* Append tag */
828 if (EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_GCM_GET_TAG, tsz, (uint8_t*) output + p) != 1)
829 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to get tag: %s",
830 ERR_error_string(ERR_get_error(), NULL));
831
832 p += tsz;
833 assert(p <= output_size);
834
835 if (DEBUG_LOGGING && input_size > 0) {
836 size_t base64_size;
837
838 base64_size = DIV_ROUND_UP(p * 4, 3); /* Include base64 size increase in debug output */
839 assert(base64_size >= input_size);
840 log_debug("Input of %zu bytes grew to output of %zu bytes (+%2zu%%).", input_size, base64_size, base64_size * 100 / input_size - 100);
841 }
842
843 *ret = TAKE_PTR(output);
844 *ret_size = p;
845
846 return 0;
847 }
848
849 int decrypt_credential_and_warn(
850 const char *validate_name,
851 usec_t validate_timestamp,
852 const char *tpm2_device,
853 const char *tpm2_signature_path,
854 const void *input,
855 size_t input_size,
856 void **ret,
857 size_t *ret_size) {
858
859 _cleanup_(erase_and_freep) void *host_key = NULL, *tpm2_key = NULL, *plaintext = NULL;
860 _cleanup_(json_variant_unrefp) JsonVariant *signature_json = NULL;
861 _cleanup_(EVP_CIPHER_CTX_freep) EVP_CIPHER_CTX *context = NULL;
862 size_t host_key_size = 0, tpm2_key_size = 0, plaintext_size, p, hs;
863 struct encrypted_credential_header *h;
864 struct metadata_credential_header *m;
865 uint8_t md[SHA256_DIGEST_LENGTH];
866 bool with_tpm2, with_host_key, is_tpm2_absent, with_tpm2_pk;
867 const EVP_CIPHER *cc;
868 int r, added;
869
870 assert(input || input_size == 0);
871 assert(ret);
872 assert(ret_size);
873
874 h = (struct encrypted_credential_header*) input;
875
876 /* The ID must fit in, for the current and all future formats */
877 if (input_size < sizeof(h->id))
878 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
879
880 with_host_key = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_HOST, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK);
881 with_tpm2_pk = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK);
882 with_tpm2 = sd_id128_in_set(h->id, CRED_AES256_GCM_BY_TPM2_HMAC, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC) || with_tpm2_pk;
883 is_tpm2_absent = sd_id128_equal(h->id, CRED_AES256_GCM_BY_TPM2_ABSENT);
884
885 if (!with_host_key && !with_tpm2 && !is_tpm2_absent)
886 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Unknown encryption format, or corrupted data: %m");
887
888 if (with_tpm2_pk) {
889 r = tpm2_load_pcr_signature(tpm2_signature_path, &signature_json);
890 if (r < 0)
891 return r;
892 }
893
894 if (is_tpm2_absent) {
895 /* So this is a credential encrypted with a zero length key. We support this to cover for the
896 * case where neither a host key not a TPM2 are available (specifically: initrd environments
897 * where the host key is not yet accessible and no TPM2 chip exists at all), to minimize
898 * different codeflow for TPM2 and non-TPM2 codepaths. Of course, credentials encoded this
899 * way offer no confidentiality nor authenticity. Because of that it's important we refuse to
900 * use them on systems that actually *do* have a TPM2 chip – if we are in SecureBoot
901 * mode. Otherwise an attacker could hand us credentials like this and we'd use them thinking
902 * they are trusted, even though they are not. */
903
904 if (efi_has_tpm2()) {
905 if (is_efi_secure_boot())
906 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG),
907 "Credential uses fixed key for fallback use when TPM2 is absent — but TPM2 is present, and SecureBoot is enabled, refusing.");
908
909 log_warning("Credential uses fixed key for use when TPM2 is absent, but TPM2 is present! Accepting anyway, since SecureBoot is disabled.");
910 } else
911 log_debug("Credential uses fixed key for use when TPM2 is absent, and TPM2 indeed is absent. Accepting.");
912 }
913
914 /* Now we know the minimum header size */
915 if (input_size < offsetof(struct encrypted_credential_header, iv))
916 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
917
918 /* Verify some basic header values */
919 if (le32toh(h->key_size) != sizeof(md))
920 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected key size in header.");
921 if (le32toh(h->block_size) <= 0 || le32toh(h->block_size) > CREDENTIAL_FIELD_SIZE_MAX)
922 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected block size in header.");
923 if (le32toh(h->iv_size) > CREDENTIAL_FIELD_SIZE_MAX)
924 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "IV size too large.");
925 if (le32toh(h->tag_size) != 16) /* FIXME: On OpenSSL 3, let's verify via EVP_CIPHER_CTX_get_tag_length() */
926 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected tag size in header.");
927
928 /* Ensure we have space for the full header now (we don't know the size of the name hence this is a
929 * lower limit only) */
930 if (input_size <
931 ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size)) +
932 ALIGN8(with_tpm2 ? offsetof(struct tpm2_credential_header, policy_hash_and_blob) : 0) +
933 ALIGN8(with_tpm2_pk ? offsetof(struct tpm2_public_key_credential_header, data) : 0) +
934 ALIGN8(offsetof(struct metadata_credential_header, name)) +
935 le32toh(h->tag_size))
936 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
937
938 p = ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size));
939
940 if (with_tpm2) {
941 #if HAVE_TPM2
942 struct tpm2_credential_header* t = (struct tpm2_credential_header*) ((uint8_t*) input + p);
943 struct tpm2_public_key_credential_header *z = NULL;
944
945 if (!TPM2_PCR_MASK_VALID(t->pcr_mask))
946 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR mask out of range.");
947 if (!tpm2_pcr_bank_to_string(le16toh(t->pcr_bank)))
948 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR bank invalid or not supported");
949 if (!tpm2_primary_alg_to_string(le16toh(t->primary_alg)))
950 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 primary key algorithm invalid or not supported.");
951 if (le32toh(t->blob_size) > CREDENTIAL_FIELD_SIZE_MAX)
952 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected TPM2 blob size.");
953 if (le32toh(t->policy_hash_size) > CREDENTIAL_FIELD_SIZE_MAX)
954 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected TPM2 policy hash size.");
955
956 /* Ensure we have space for the full TPM2 header now (still don't know the name, and its size
957 * though, hence still just a lower limit test only) */
958 if (input_size <
959 ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size)) +
960 ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + le32toh(t->blob_size) + le32toh(t->policy_hash_size)) +
961 ALIGN8(with_tpm2_pk ? offsetof(struct tpm2_public_key_credential_header, data) : 0) +
962 ALIGN8(offsetof(struct metadata_credential_header, name)) +
963 le32toh(h->tag_size))
964 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
965
966 p += ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) +
967 le32toh(t->blob_size) +
968 le32toh(t->policy_hash_size));
969
970 if (with_tpm2_pk) {
971 z = (struct tpm2_public_key_credential_header*) ((uint8_t*) input + p);
972
973 if (!TPM2_PCR_MASK_VALID(le64toh(z->pcr_mask)) || le64toh(z->pcr_mask) == 0)
974 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "TPM2 PCR mask out of range.");
975 if (le32toh(z->size) > PUBLIC_KEY_MAX)
976 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected public key size.");
977
978 if (input_size <
979 ALIGN8(offsetof(struct encrypted_credential_header, iv) + le32toh(h->iv_size)) +
980 ALIGN8(offsetof(struct tpm2_credential_header, policy_hash_and_blob) + le32toh(t->blob_size) + le32toh(t->policy_hash_size)) +
981 ALIGN8(offsetof(struct tpm2_public_key_credential_header, data) + le32toh(z->size)) +
982 ALIGN8(offsetof(struct metadata_credential_header, name)) +
983 le32toh(h->tag_size))
984 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Encrypted file too short.");
985
986 p += ALIGN8(offsetof(struct tpm2_public_key_credential_header, data) +
987 le32toh(z->size));
988 }
989
990 r = tpm2_unseal(tpm2_device,
991 le64toh(t->pcr_mask),
992 le16toh(t->pcr_bank),
993 z ? z->data : NULL,
994 z ? le32toh(z->size) : 0,
995 z ? le64toh(z->pcr_mask) : 0,
996 signature_json,
997 /* pin= */ NULL,
998 le16toh(t->primary_alg),
999 t->policy_hash_and_blob,
1000 le32toh(t->blob_size),
1001 t->policy_hash_and_blob + le32toh(t->blob_size),
1002 le32toh(t->policy_hash_size),
1003 &tpm2_key,
1004 &tpm2_key_size);
1005 if (r < 0)
1006 return r;
1007
1008 #else
1009 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Credential requires TPM2 support, but TPM2 support not available.");
1010 #endif
1011 }
1012
1013 if (with_host_key) {
1014 r = get_credential_host_secret(
1015 0,
1016 &host_key,
1017 &host_key_size);
1018 if (r < 0)
1019 return log_error_errno(r, "Failed to determine local credential key: %m");
1020 }
1021
1022 if (is_tpm2_absent)
1023 log_warning("Warning: using a null key for decryption and authentication. Confidentiality or authenticity are not provided.");
1024
1025 sha256_hash_host_and_tpm2_key(host_key, host_key_size, tpm2_key, tpm2_key_size, md);
1026
1027 assert_se(cc = EVP_aes_256_gcm());
1028
1029 /* Make sure cipher expectations match the header */
1030 if (EVP_CIPHER_key_length(cc) != (int) le32toh(h->key_size))
1031 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected key size in header.");
1032 if (EVP_CIPHER_block_size(cc) != (int) le32toh(h->block_size))
1033 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Unexpected block size in header.");
1034
1035 context = EVP_CIPHER_CTX_new();
1036 if (!context)
1037 return log_error_errno(SYNTHETIC_ERRNO(ENOMEM), "Failed to allocate decryption object: %s",
1038 ERR_error_string(ERR_get_error(), NULL));
1039
1040 if (EVP_DecryptInit_ex(context, cc, NULL, NULL, NULL) != 1)
1041 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to initialize decryption context: %s",
1042 ERR_error_string(ERR_get_error(), NULL));
1043
1044 if (EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_GCM_SET_IVLEN, le32toh(h->iv_size), NULL) != 1)
1045 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set IV size on decryption context: %s",
1046 ERR_error_string(ERR_get_error(), NULL));
1047
1048 if (EVP_DecryptInit_ex(context, NULL, NULL, md, h->iv) != 1)
1049 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set IV and key: %s",
1050 ERR_error_string(ERR_get_error(), NULL));
1051
1052 if (EVP_DecryptUpdate(context, NULL, &added, input, p) != 1)
1053 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to write AAD data: %s",
1054 ERR_error_string(ERR_get_error(), NULL));
1055
1056 plaintext = malloc(input_size - p - le32toh(h->tag_size));
1057 if (!plaintext)
1058 return -ENOMEM;
1059
1060 if (EVP_DecryptUpdate(
1061 context,
1062 plaintext,
1063 &added,
1064 (uint8_t*) input + p,
1065 input_size - p - le32toh(h->tag_size)) != 1)
1066 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to decrypt data: %s",
1067 ERR_error_string(ERR_get_error(), NULL));
1068
1069 assert(added >= 0);
1070 assert((size_t) added <= input_size - p - le32toh(h->tag_size));
1071 plaintext_size = added;
1072
1073 if (EVP_CIPHER_CTX_ctrl(context, EVP_CTRL_GCM_SET_TAG, le32toh(h->tag_size), (uint8_t*) input + input_size - le32toh(h->tag_size)) != 1)
1074 return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to set tag: %s",
1075 ERR_error_string(ERR_get_error(), NULL));
1076
1077 if (EVP_DecryptFinal_ex(context, (uint8_t*) plaintext + plaintext_size, &added) != 1)
1078 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Decryption failed (incorrect key?): %s",
1079 ERR_error_string(ERR_get_error(), NULL));
1080
1081 plaintext_size += added;
1082
1083 if (plaintext_size < ALIGN8(offsetof(struct metadata_credential_header, name)))
1084 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Metadata header incomplete.");
1085
1086 m = plaintext;
1087
1088 if (le64toh(m->timestamp) != USEC_INFINITY &&
1089 le64toh(m->not_after) != USEC_INFINITY &&
1090 le64toh(m->timestamp) >= le64toh(m->not_after))
1091 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Timestamps of credential are not in order, refusing.");
1092
1093 if (le32toh(m->name_size) > CREDENTIAL_NAME_MAX)
1094 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Embedded credential name too long, refusing.");
1095
1096 hs = ALIGN8(offsetof(struct metadata_credential_header, name) + le32toh(m->name_size));
1097 if (plaintext_size < hs)
1098 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Metadata header incomplete.");
1099
1100 if (le32toh(m->name_size) > 0) {
1101 _cleanup_free_ char *embedded_name = NULL;
1102
1103 if (memchr(m->name, 0, le32toh(m->name_size)))
1104 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Embedded credential name contains NUL byte, refusing.");
1105
1106 embedded_name = memdup_suffix0(m->name, le32toh(m->name_size));
1107 if (!embedded_name)
1108 return log_oom();
1109
1110 if (!credential_name_valid(embedded_name))
1111 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG), "Embedded credential name is not valid, refusing.");
1112
1113 if (validate_name && !streq(embedded_name, validate_name)) {
1114
1115 r = getenv_bool_secure("SYSTEMD_CREDENTIAL_VALIDATE_NAME");
1116 if (r < 0 && r != -ENXIO)
1117 log_debug_errno(r, "Failed to parse $SYSTEMD_CREDENTIAL_VALIDATE_NAME: %m");
1118 if (r != 0)
1119 return log_error_errno(SYNTHETIC_ERRNO(EREMOTE), "Embedded credential name '%s' does not match filename '%s', refusing.", embedded_name, validate_name);
1120
1121 log_debug("Embedded credential name '%s' does not match expected name '%s', but configured to use credential anyway.", embedded_name, validate_name);
1122 }
1123 }
1124
1125 if (validate_timestamp != USEC_INFINITY) {
1126 if (le64toh(m->timestamp) != USEC_INFINITY && le64toh(m->timestamp) > validate_timestamp)
1127 log_debug("Credential timestamp is from the future, assuming clock skew.");
1128
1129 if (le64toh(m->not_after) != USEC_INFINITY && le64toh(m->not_after) < validate_timestamp) {
1130
1131 r = getenv_bool_secure("SYSTEMD_CREDENTIAL_VALIDATE_NOT_AFTER");
1132 if (r < 0 && r != -ENXIO)
1133 log_debug_errno(r, "Failed to parse $SYSTEMD_CREDENTIAL_VALIDATE_NOT_AFTER: %m");
1134 if (r != 0)
1135 return log_error_errno(SYNTHETIC_ERRNO(ESTALE), "Credential's time passed, refusing to use.");
1136
1137 log_debug("Credential not-after timestamp has passed, but configured to use credential anyway.");
1138 }
1139 }
1140
1141 if (ret) {
1142 char *without_metadata;
1143
1144 without_metadata = memdup((uint8_t*) plaintext + hs, plaintext_size - hs);
1145 if (!without_metadata)
1146 return log_oom();
1147
1148 *ret = without_metadata;
1149 }
1150
1151 if (ret_size)
1152 *ret_size = plaintext_size - hs;
1153
1154 return 0;
1155 }
1156
1157 #else
1158
1159 int get_credential_host_secret(CredentialSecretFlags flags, void **ret, size_t *ret_size) {
1160 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available.");
1161 }
1162
1163 int encrypt_credential_and_warn(sd_id128_t with_key, const char *name, usec_t timestamp, usec_t not_after, const char *tpm2_device, uint32_t tpm2_hash_pcr_mask, const char *tpm2_pubkey_path, uint32_t tpm2_pubkey_pcr_mask, const void *input, size_t input_size, void **ret, size_t *ret_size) {
1164 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available.");
1165 }
1166
1167 int decrypt_credential_and_warn(const char *validate_name, usec_t validate_timestamp, const char *tpm2_device, const char *tpm2_signature_path, const void *input, size_t input_size, void **ret, size_t *ret_size) {
1168 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Support for encrypted credentials not available.");
1169 }
1170
1171 #endif
Unnamed repository; edit this file 'description' to name the repository.