1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
2 | #pragma once | |
3 | ||
4 | #include <inttypes.h> | |
5 | #include <stdbool.h> | |
6 | #include <sys/types.h> | |
7 | ||
8 | #include "sd-id128.h" |
9 | ||
3d862ff0 | 10 | #include "fd-util.h" |
21bc0b6f | 11 | #include "time-util.h" |
12 | |
13 | #define CREDENTIAL_NAME_MAX FDNAME_MAX | |
14 | ||
15 | /* Put a size limit on the individual credential */ |
16 | #define CREDENTIAL_SIZE_MAX (1024U*1024U) | |
17 | ||
18 | /* Refuse to store more than 1M per service, after all this is unswappable memory. Note that for now we put | |
19 | * this to the same limit as the per-credential limit, i.e. if the user has n > 1 credentials instead of 1 it | |
20 | * won't get them more space. */ | |
21 | #define CREDENTIALS_TOTAL_SIZE_MAX CREDENTIAL_SIZE_MAX | |
22 | ||
23 | /* Put a size limit on encrypted credentials (which is the same as the unencrypted size plus a spacious 128K of extra | |
24 | * space for headers, IVs, exported TPM2 key material and so on). */ | |
25 | #define CREDENTIAL_ENCRYPTED_SIZE_MAX (CREDENTIAL_SIZE_MAX + 128U*1024U) | |
26 | ||
786d19fd | 27 | bool credential_name_valid(const char *s); |
947c4d39 | 28 | bool credential_glob_valid(const char *s); |
786d19fd | 29 | |
4b9a4b01 | 30 | /* Where creds have been passed to the local execution context */ |
786d19fd | 31 | int get_credentials_dir(const char **ret); |
32 | int get_encrypted_credentials_dir(const char **ret); |
33 | ||
34 | int open_credentials_dir(void); |
35 | ||
36 | /* Where creds have been passed to the system */ |
37 | #define SYSTEM_CREDENTIALS_DIRECTORY "/run/credentials/@system" | |
38 | #define ENCRYPTED_SYSTEM_CREDENTIALS_DIRECTORY "/run/credentials/@encrypted" | |
786d19fd | 39 | |
40 | int read_credential(const char *name, void **ret, size_t *ret_size); /* use in services! */ |
41 | int read_credential_with_decryption(const char *name, void **ret, size_t *ret_size); /* use in generators + pid1! */ | |
21bc0b6f | 42 | |
43 | int read_credential_strings_many_internal(const char *first_name, char **first_value, ...); |
44 | ||
45 | #define read_credential_strings_many(first_name, first_value, ...) \ | |
46 | read_credential_strings_many_internal(first_name, first_value, __VA_ARGS__, NULL) | |
47 | ||
48 | int read_credential_bool(const char *name); |
49 | ||
/* Flags steering how the host credential secret is acquired; consumed by get_credential_host_secret(). The
 * descriptions below are derived from the flag names only — confirm against the implementation in creds-util.c. */
typedef enum CredentialSecretFlags {
        CREDENTIAL_SECRET_GENERATE             = 1 << 0, /* presumably: create a fresh host secret if none exists yet */
        CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED   = 1 << 1, /* presumably: log a warning when the secret is not kept on encrypted storage */
        CREDENTIAL_SECRET_FAIL_ON_TEMPORARY_FS = 1 << 2, /* presumably: refuse a secret living on a non-persistent (temporary) file system,
                                                          * since such a secret would not survive a reboot and data encrypted with it
                                                          * would become unrecoverable — TODO confirm */
} CredentialSecretFlags;
55 | ||
8d042bc4 | 56 | int get_credential_host_secret(CredentialSecretFlags flags, struct iovec *ret); |
21bc0b6f | 57 | |
58 | int get_credential_user_password(const char *username, char **ret_password, bool *ret_is_hashed); |
59 | ||
/* Flags accepted by the encrypt/decrypt entry points below (encrypt_credential_and_warn(),
 * decrypt_credential_and_warn(), ipc_encrypt_credential(), ipc_decrypt_credential()). */
typedef enum CredentialFlags {
        CREDENTIAL_ALLOW_NULL = 1 << 0, /* allow decryption of NULL key, even if TPM is around. Note that the NULL
                                         * key (CRED_AES256_GCM_BY_NULL) provides no authenticity or confidentiality,
                                         * only integrity protection, so callers should set this only where an
                                         * unauthenticated credential is acceptable. */
        CREDENTIAL_ANY_SCOPE  = 1 << 1, /* allow decryption of both system and user credentials, i.e. do not insist
                                         * that the credential's scope (system vs. user-scoped "_SCOPED" key types
                                         * below) matches the caller's — presumably; confirm in creds-util.c */
} CredentialFlags;
64 | ||
65 | /* The four modes we support: keyed only by on-disk key, only by TPM2 HMAC key, and by the combination of |
66 | * both, as well as one with a fixed zero length key if TPM2 is missing (the latter of course provides no | |
67 | * authenticity or confidentiality, but is still useful for integrity protection, and makes things simpler | |
68 | * for us to handle). */ | |
21bc0b6f | 69 | #define CRED_AES256_GCM_BY_HOST SD_ID128_MAKE(5a,1c,6a,86,df,9d,40,96,b1,d5,a6,5e,08,62,f1,9a) |
48d67957 | 70 | #define CRED_AES256_GCM_BY_HOST_SCOPED SD_ID128_MAKE(55,b9,ed,1d,38,59,4d,43,a8,31,9d,2e,bb,33,2a,c6) |
21bc0b6f | 71 | #define CRED_AES256_GCM_BY_TPM2_HMAC SD_ID128_MAKE(0c,7c,c0,7b,11,76,45,91,9c,4b,0b,ea,08,bc,20,fe) |
6a0779cb | 72 | #define CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK SD_ID128_MAKE(fa,f7,eb,93,41,e3,41,2c,a1,a4,36,f9,5a,29,36,2f) |
21bc0b6f | 73 | #define CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC SD_ID128_MAKE(93,a8,94,09,48,74,44,90,90,ca,f2,fc,93,ca,b5,53) |
74 | #define CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_SCOPED \ |
75 | SD_ID128_MAKE(ef,4a,c1,36,79,a9,48,0e,a7,db,68,89,7f,9f,16,5d) | |
76 | #define CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK \ |
77 | SD_ID128_MAKE(af,49,50,a8,49,13,4e,b1,a7,38,46,30,4f,f3,0c,05) | |
78 | #define CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK_SCOPED \ |
79 | SD_ID128_MAKE(ad,bc,4c,a3,ef,b6,42,01,ba,88,1b,6f,2e,40,95,ea) | |
6d78dc28 | 80 | #define CRED_AES256_GCM_BY_NULL SD_ID128_MAKE(05,84,69,da,f6,f5,43,24,80,05,49,da,0f,8e,a2,fb) |
21bc0b6f | 81 | |
82 | /* Two special IDs to pick a general automatic mode (i.e. tpm2+host if TPM2 exists, only host otherwise) or |
83 | * an initrd-specific automatic mode (i.e. tpm2 if firmware can do it, otherwise fixed zero-length key, and | |
84 | * never involve host keys). These IDs will never be stored on disk, but are useful only internally while | |
85 | * figuring out what precisely to write to disk. To mark that these aren't a "real" type, we'll prefix them | |
86 | * with an underscore. */ | |
571d829e | 87 | #define _CRED_AUTO SD_ID128_MAKE(a2,19,cb,07,85,b2,4c,04,b1,6d,18,ca,b9,d2,ee,01) |
b6553329 | 88 | #define _CRED_AUTO_INITRD SD_ID128_MAKE(02,dc,8e,de,3a,02,43,ab,a9,ec,54,9c,05,e6,a0,71) |
48d67957 | 89 | #define _CRED_AUTO_SCOPED SD_ID128_MAKE(23,88,96,85,6f,74,48,8a,9c,78,6f,6a,b0,e7,3b,6a) |
571d829e | 90 | |
/* Encrypt a credential in-process.
 *
 * with_key:           one of the CRED_AES256_GCM_* key-type IDs above, or one of the internal _CRED_AUTO* selectors
 *                     (presumably resolved to a concrete type before anything is written out — confirm)
 * name:               credential name (subject to credential_name_valid()); presumably bound into the encrypted blob
 *                     so that a ciphertext cannot be reused under a different name — confirm in creds-util.c
 * timestamp/not_after: creation time and expiry of the credential
 * tpm2_device, tpm2_hash_pcr_mask, tpm2_pubkey_path, tpm2_pubkey_pcr_mask:
 *                     TPM2 device and PCR policy inputs used for the *_TPM2_HMAC* / *_WITH_PK key types
 * uid:                owner for the user-scoped (*_SCOPED) key types
 * input:              plaintext to encrypt
 * flags:              CredentialFlags
 * ret:                receives the encrypted blob (ownership presumably passes to the caller — confirm)
 * Returns an int in the project's usual style (negative errno on failure, presumably). */
int encrypt_credential_and_warn(sd_id128_t with_key, const char *name, usec_t timestamp, usec_t not_after, const char *tpm2_device, uint32_t tpm2_hash_pcr_mask, const char *tpm2_pubkey_path, uint32_t tpm2_pubkey_pcr_mask, uid_t uid, const struct iovec *input, CredentialFlags flags, struct iovec *ret);
/* Decrypt a credential in-process.
 *
 * validate_name / validate_timestamp: expected name and current time; presumably compared against the name and
 *                     not-after time embedded in the blob, with a mismatch or expiry treated as an error — confirm
 * tpm2_device, tpm2_signature_path: TPM2 device and PCR signature file for the *_TPM2_HMAC* / *_WITH_PK key types
 * uid, input, flags, ret: as for encrypt_credential_and_warn(); ret receives the plaintext. Note that
 *                     CREDENTIAL_ALLOW_NULL in flags admits the unauthenticated CRED_AES256_GCM_BY_NULL type. */
int decrypt_credential_and_warn(const char *validate_name, usec_t validate_timestamp, const char *tpm2_device, const char *tpm2_signature_path, uid_t uid, const struct iovec *input, CredentialFlags flags, struct iovec *ret);

/* IPC variants of the two calls above: same name/time/uid/flags semantics, but without the TPM2 device and
 * PCR parameters, which suggests key selection happens on the remote side — confirm in the implementation. */
int ipc_encrypt_credential(const char *name, usec_t timestamp, usec_t not_after, uid_t uid, const struct iovec *input, CredentialFlags flags, struct iovec *ret);
int ipc_decrypt_credential(const char *validate_name, usec_t validate_timestamp, uid_t uid, const struct iovec *input, CredentialFlags flags, struct iovec *ret);