1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
6 #include <openssl/err.h>
11 #include "blockdev-util.h"
12 #include "capability-util.h"
13 #include "chattr-util.h"
14 #include "constants.h"
15 #include "creds-util.h"
20 #include "format-util.h"
23 #include "memory-util.h"
25 #include "openssl-util.h"
26 #include "parse-util.h"
27 #include "path-util.h"
28 #include "random-util.h"
29 #include "sparse-endian.h"
30 #include "stat-util.h"
31 #include "tpm2-util.h"
32 #include "user-util.h"
34 #define PUBLIC_KEY_MAX (UINT32_C(1024) * UINT32_C(1024))
36 bool credential_name_valid(const char *s
) {
37 /* We want that credential names are both valid in filenames (since that's our primary way to pass
38 * them around) and as fdnames (which is how we might want to pass them around eventually) */
39 return filename_is_valid(s
) && fdname_is_valid(s
);
42 bool credential_glob_valid(const char *s
) {
46 /* Checks if a credential glob expression is valid. Note that this is more restrictive than
47 * fnmatch()! We only allow trailing asterisk matches for now (simply because we want some freedom
48 * with automatically extending the pattern in a systematic way to cover for unit instances getting
49 * per-instance credentials or similar. Moreover, credential globbing expressions are also more
50 * restrictive then credential names: we don't allow *, ?, [, ] in them (except for the asterisk
51 * match at the end of the string), simply to not allow ambiguity. After all, we want the flexibility
52 * to one day add full globbing should the need arise. */
57 /* Find first glob (or NUL byte) */
58 n
= strcspn(s
, "*?[]");
61 /* For now, only allow asterisk wildcards, and only at the end of the string. If it's anything else, refuse. */
63 return credential_name_valid(s
);
65 if (!streq(e
, "*")) /* only allow trailing "*", no other globs */
68 if (n
== 0) /* Explicitly allow the complete wildcard. */
71 if (n
> NAME_MAX
+ strlen(e
)) /* before we make a copy on the stack, let's check this is not overly large */
74 /* Make a copy of the string without the '*' suffix */
75 a
= strndupa_safe(s
, n
);
77 return credential_name_valid(a
);
80 static int get_credentials_dir_internal(const char *envvar
, const char **ret
) {
85 e
= secure_getenv(envvar
);
89 if (!path_is_absolute(e
) || !path_is_normalized(e
))
96 int get_credentials_dir(const char **ret
) {
97 return get_credentials_dir_internal("CREDENTIALS_DIRECTORY", ret
);
100 int get_encrypted_credentials_dir(const char **ret
) {
101 return get_credentials_dir_internal("ENCRYPTED_CREDENTIALS_DIRECTORY", ret
);
104 int open_credentials_dir(void) {
108 r
= get_credentials_dir(&d
);
112 return RET_NERRNO(open(d
, O_CLOEXEC
|O_DIRECTORY
));
115 int read_credential(const char *name
, void **ret
, size_t *ret_size
) {
116 _cleanup_free_
char *fn
= NULL
;
122 if (!credential_name_valid(name
))
125 r
= get_credentials_dir(&d
);
129 fn
= path_join(d
, name
);
133 return read_full_file_full(
135 UINT64_MAX
, SIZE_MAX
,
136 READ_FULL_FILE_SECURE
,
138 (char**) ret
, ret_size
);
141 int read_credential_with_decryption(const char *name
, void **ret
, size_t *ret_size
) {
142 _cleanup_(iovec_done_erase
) struct iovec ret_iovec
= {};
143 _cleanup_(erase_and_freep
) void *data
= NULL
;
144 _cleanup_free_
char *fn
= NULL
;
149 /* Just like read_credential() but will also look for encrypted credentials. Note that services only
150 * receive decrypted credentials, hence use read_credential() for those. This helper here is for
151 * generators, i.e. code that runs outside of service context, and thus has no decrypted credentials
154 * Note that read_credential_harder_and_warn() logs on its own, while read_credential() does not!
155 * (It's a lot more complex and error prone given its TPM2 connectivity, and is generally called from
156 * generators only where logging is OK).
158 * Error handling is also a bit different: if we can't find a credential we'll return 0 and NULL
159 * pointers/zero size, rather than -ENXIO/-ENOENT. */
161 if (!credential_name_valid(name
))
162 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Invalid credential name: %s", name
);
164 r
= read_credential(name
, ret
, ret_size
);
166 return 1; /* found */
167 if (!IN_SET(r
, -ENXIO
, -ENOENT
))
168 return log_error_errno(r
, "Failed read unencrypted credential '%s': %m", name
);
170 r
= get_encrypted_credentials_dir(&d
);
174 return log_error_errno(r
, "Failed to determine encrypted credentials directory: %m");
176 fn
= path_join(d
, name
);
180 r
= read_full_file_full(
182 UINT64_MAX
, SIZE_MAX
,
183 READ_FULL_FILE_SECURE
,
185 (char**) &data
, &sz
);
189 return log_error_errno(r
, "Failed to read encrypted credential data: %m");
191 r
= decrypt_credential_and_warn(
194 /* tpm2_device= */ NULL
,
195 /* tpm2_signature_path= */ NULL
,
197 &IOVEC_MAKE(data
, sz
),
198 CREDENTIAL_ANY_SCOPE
,
204 *ret
= TAKE_PTR(ret_iovec
.iov_base
);
206 *ret_size
= ret_iovec
.iov_len
;
208 return 1; /* found */
216 return 0; /* not found */
219 int read_credential_strings_many_internal(
220 const char *first_name
, char **first_value
,
223 _cleanup_free_
void *b
= NULL
;
227 /* Reads a bunch of credentials into the specified buffers. If the specified buffers are already
228 * non-NULL frees them if a credential is found. Only supports string-based credentials
229 * (i.e. refuses embedded NUL bytes).
231 * 0 is returned when some or all credentials are missing.
237 r
= read_credential(first_name
, &b
, NULL
);
238 if (r
== -ENXIO
) /* No creds passed at all? Bail immediately. */
245 free_and_replace(*first_value
, b
);
248 va_start(ap
, first_value
);
251 _cleanup_free_
void *bb
= NULL
;
255 name
= va_arg(ap
, const char *);
259 value
= ASSERT_PTR(va_arg(ap
, char **));
261 r
= read_credential(name
, &bb
, NULL
);
267 free_and_replace(*value
, bb
);
271 return ret
< 0 ? ret
: all
;
274 int read_credential_bool(const char *name
) {
275 _cleanup_free_
void *data
= NULL
;
278 r
= read_credential(name
, &data
, NULL
);
280 return IN_SET(r
, -ENXIO
, -ENOENT
) ? 0 : r
;
282 return parse_boolean(data
);
285 int get_credential_user_password(const char *username
, char **ret_password
, bool *ret_is_hashed
) {
286 _cleanup_(erase_and_freep
) char *creds_password
= NULL
;
287 _cleanup_free_
char *cn
= NULL
;
290 /* Try to pick up the password for this account via the credentials logic */
291 cn
= strjoin("passwd.hashed-password.", username
);
295 r
= read_credential(cn
, (void**) &creds_password
, NULL
);
298 cn
= strjoin("passwd.plaintext-password.", username
);
302 r
= read_credential(cn
, (void**) &creds_password
, NULL
);
304 log_debug_errno(r
, "Couldn't read credential '%s', ignoring: %m", cn
);
306 *ret_is_hashed
= false;
308 log_debug_errno(r
, "Couldn't read credential '%s', ignoring: %m", cn
);
310 *ret_is_hashed
= true;
312 *ret_password
= TAKE_PTR(creds_password
);
319 #define CREDENTIAL_HOST_SECRET_SIZE 4096
321 static const sd_id128_t credential_app_id
=
322 SD_ID128_MAKE(d3
,ac
,ec
,ba
,0d
,ad
,4c
,df
,b8
,c9
,38,15,28,93,6c
,58);
324 struct credential_host_secret_format
{
325 /* The hashed machine ID of the machine this belongs to. Why? We want to ensure that each machine
326 * gets its own secret, even if people forget to flush out this secret file. Hence we bind it to the
327 * machine ID, for which there's hopefully a better chance it will be flushed out. We use a hashed
328 * machine ID instead of the literal one, because it's trivial to, and it might be a good idea not
329 * being able to directly associate a secret key file with a host. */
330 sd_id128_t machine_id
;
332 /* The actual secret key */
333 uint8_t data
[CREDENTIAL_HOST_SECRET_SIZE
];
336 static void warn_not_encrypted(int fd
, CredentialSecretFlags flags
, const char *dirname
, const char *filename
) {
343 if (!FLAGS_SET(flags
, CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED
))
346 r
= fd_is_encrypted(fd
);
348 log_debug_errno(r
, "Failed to determine if credential secret file '%s/%s' is encrypted.",
351 log_warning("Credential secret file '%s/%s' is not located on encrypted media, using anyway.",
355 static int make_credential_host_secret(
357 const sd_id128_t machine_id
,
358 CredentialSecretFlags flags
,
363 _cleanup_free_
char *t
= NULL
;
364 _cleanup_close_
int fd
= -EBADF
;
370 /* For non-root users creating a temporary file using the openat(2) over "." will fail later, in the
371 * linkat(2) step at the end. The reason is that linkat(2) requires the CAP_DAC_READ_SEARCH
372 * capability when it uses the AT_EMPTY_PATH flag. */
373 if (have_effective_cap(CAP_DAC_READ_SEARCH
) > 0) {
374 fd
= openat(dfd
, ".", O_CLOEXEC
|O_WRONLY
|O_TMPFILE
, 0400);
376 log_debug_errno(errno
, "Failed to create temporary credential file with O_TMPFILE, proceeding without: %m");
379 if (asprintf(&t
, "credential.secret.%016" PRIx64
, random_u64()) < 0)
382 fd
= openat(dfd
, t
, O_CLOEXEC
|O_WRONLY
|O_CREAT
|O_EXCL
|O_NOFOLLOW
, 0400);
387 r
= chattr_secret(fd
, 0);
389 log_debug_errno(r
, "Failed to set file attributes for secrets file, ignoring: %m");
391 struct credential_host_secret_format buf
= {
392 .machine_id
= machine_id
,
397 r
= crypto_random_bytes(buf
.data
, sizeof(buf
.data
));
401 r
= loop_write(fd
, &buf
, sizeof(buf
));
410 warn_not_encrypted(fd
, flags
, dirname
, fn
);
413 r
= rename_noreplace(dfd
, t
, dfd
, fn
);
418 } else if (linkat(fd
, "", dfd
, fn
, AT_EMPTY_PATH
) < 0) {
423 if (fsync(dfd
) < 0) {
431 copy
= memdup(buf
.data
, sizeof(buf
.data
));
437 *ret
= IOVEC_MAKE(copy
, sizeof(buf
.data
));
443 if (t
&& unlinkat(dfd
, t
, 0) < 0)
444 log_debug_errno(errno
, "Failed to remove temporary credential key: %m");
449 int get_credential_host_secret(CredentialSecretFlags flags
, struct iovec
*ret
) {
450 _cleanup_free_
char *_dirname
= NULL
, *_filename
= NULL
;
451 _cleanup_close_
int dfd
= -EBADF
;
452 sd_id128_t machine_id
;
453 const char *dirname
, *filename
;
456 r
= sd_id128_get_machine_app_specific(credential_app_id
, &machine_id
);
460 const char *e
= secure_getenv("SYSTEMD_CREDENTIAL_SECRET");
462 if (!path_is_normalized(e
))
464 if (!path_is_absolute(e
))
467 r
= path_extract_directory(e
, &_dirname
);
471 r
= path_extract_filename(e
, &_filename
);
476 filename
= _filename
;
478 dirname
= "/var/lib/systemd";
479 filename
= "credential.secret";
485 mkdir_parents(dirname
, 0755);
486 dfd
= open_mkdir_at(AT_FDCWD
, dirname
, O_CLOEXEC
, 0755);
488 return log_debug_errno(dfd
, "Failed to create or open directory '%s': %m", dirname
);
490 if (FLAGS_SET(flags
, CREDENTIAL_SECRET_FAIL_ON_TEMPORARY_FS
)) {
491 r
= fd_is_temporary_fs(dfd
);
493 return log_debug_errno(r
, "Failed to check directory '%s': %m", dirname
);
495 return log_debug_errno(SYNTHETIC_ERRNO(ENOMEDIUM
),
496 "Directory '%s' is on a temporary file system, refusing.", dirname
);
499 for (unsigned attempt
= 0;; attempt
++) {
500 _cleanup_(erase_and_freep
) struct credential_host_secret_format
*f
= NULL
;
501 _cleanup_close_
int fd
= -EBADF
;
506 if (attempt
>= 3) /* Somebody is playing games with us */
507 return log_debug_errno(SYNTHETIC_ERRNO(EIO
),
508 "All attempts to create secret store in %s failed.", dirname
);
510 fd
= openat(dfd
, filename
, O_CLOEXEC
|O_RDONLY
|O_NOCTTY
|O_NOFOLLOW
);
512 if (errno
!= ENOENT
|| !FLAGS_SET(flags
, CREDENTIAL_SECRET_GENERATE
))
513 return log_debug_errno(errno
,
514 "Failed to open %s/%s: %m", dirname
, filename
);
517 r
= make_credential_host_secret(dfd
, machine_id
, flags
, dirname
, filename
, ret
);
519 log_debug_errno(r
, "Credential secret %s/%s appeared while we were creating it, rereading.",
524 return log_debug_errno(r
, "Failed to create credential secret %s/%s: %m",
529 if (fstat(fd
, &st
) < 0)
530 return log_debug_errno(errno
, "Failed to stat %s/%s: %m", dirname
, filename
);
532 r
= stat_verify_regular(&st
);
534 return log_debug_errno(r
, "%s/%s is not a regular file: %m", dirname
, filename
);
535 if (st
.st_nlink
== 0) /* Deleted by now, try again */
538 /* Our deletion check won't work if hardlinked somewhere else */
539 return log_debug_errno(SYNTHETIC_ERRNO(EPERM
),
540 "%s/%s has too many links, refusing.",
542 if ((st
.st_mode
& 07777) != 0400)
543 /* Don't use file if not 0400 access mode */
544 return log_debug_errno(SYNTHETIC_ERRNO(EPERM
),
545 "%s/%s has permissive access mode, refusing.",
548 if (l
< offsetof(struct credential_host_secret_format
, data
) + 1)
549 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL
),
550 "%s/%s is too small, refusing.", dirname
, filename
);
551 if (l
> 16*1024*1024)
552 return log_debug_errno(SYNTHETIC_ERRNO(E2BIG
),
553 "%s/%s is too big, refusing.", dirname
, filename
);
557 return log_oom_debug();
559 n
= read(fd
, f
, l
+1);
561 return log_debug_errno(errno
,
562 "Failed to read %s/%s: %m", dirname
, filename
);
563 if ((size_t) n
!= l
) /* What? The size changed? */
564 return log_debug_errno(SYNTHETIC_ERRNO(EIO
),
565 "Failed to read %s/%s: %m", dirname
, filename
);
567 if (sd_id128_equal(machine_id
, f
->machine_id
)) {
570 warn_not_encrypted(fd
, flags
, dirname
, filename
);
572 sz
= l
- offsetof(struct credential_host_secret_format
, data
);
578 assert(sz
<= sizeof(f
->data
)); /* Ensure we don't read past f->data bounds */
580 copy
= memdup(f
->data
, sz
);
582 return log_oom_debug();
584 *ret
= IOVEC_MAKE(copy
, sz
);
590 /* Hmm, this secret is from somewhere else. Let's delete the file. Let's first acquire a lock
591 * to ensure we are the only ones accessing the file while we delete it. */
593 if (flock(fd
, LOCK_EX
) < 0)
594 return log_debug_errno(errno
,
595 "Failed to flock %s/%s: %m", dirname
, filename
);
597 /* Before we delete it check that the file is still linked into the file system */
598 if (fstat(fd
, &st
) < 0)
599 return log_debug_errno(errno
, "Failed to stat %s/%s: %m", dirname
, filename
);
600 if (st
.st_nlink
== 0) /* Already deleted by now? */
602 if (st
.st_nlink
!= 1) /* Safety check, someone is playing games with us */
603 return log_debug_errno(SYNTHETIC_ERRNO(EPERM
),
604 "%s/%s unexpectedly has too many links.",
606 if (unlinkat(dfd
, filename
, 0) < 0)
607 return log_debug_errno(errno
, "Failed to unlink %s/%s: %m", dirname
, filename
);
609 /* And now try again */
613 /* Construction is like this:
615 * A symmetric encryption key is derived from:
617 * 1. Either the "host" key (a key stored in /var/lib/credential.secret)
619 * 2. A key generated by letting the TPM2 calculate an HMAC hash of some nonce we pass to it, keyed
620 * by a key derived from its internal seed key.
622 * 3. The concatenation of the above.
624 * 4. Or a fixed "empty" key. This will not provide confidentiality or authenticity, of course, but is
625 * useful to encode credentials for the initrd on TPM-less systems, where we simply have no better
626 * concept to bind things to. Note that decryption of a key set up like this will be refused on
627 * systems that have a TPM and have SecureBoot enabled.
629 * The above is hashed with SHA256 which is then used as encryption key for AES256-GCM. The encrypted
630 * credential is a short (unencrypted) header describing which of the three keys to use, the IV to use for
631 * AES256-GCM and some more meta information (sizes of certain objects) that is strictly speaking redundant,
632 * but kinda nice to have since we can have a more generic parser. If the TPM2 key is used this is followed
633 * by another (unencrypted) header, with information about the TPM2 policy used (specifically: the PCR mask
634 * to bind against, and a hash of the resulting policy — the latter being redundant, but speeding up things a
635 * bit, since we can more quickly refuse PCR state), followed by a sealed/exported TPM2 HMAC key. This is
636 * then followed by the encrypted data, which begins with a metadata header (which contains validity
637 * timestamps as well as the credential name), followed by the actual credential payload. The file ends in
638 * the AES256-GCM tag. To make things simple, the AES256-GCM AAD covers the main and the TPM2 header in
639 * full. This means the whole file is either protected by AAD, or is ciphertext, or is the tag. No
640 * unprotected data is included.
643 struct _packed_ encrypted_credential_header
{
650 /* Followed by NUL bytes until next 8 byte boundary */
653 struct _packed_ tpm2_credential_header
{
654 le64_t pcr_mask
; /* Note that the spec for PC Clients only mandates 24 PCRs, and that's what systems
655 * generally have. But keep the door open for more. */
656 le16_t pcr_bank
; /* For now, either TPM2_ALG_SHA256 or TPM2_ALG_SHA1 */
657 le16_t primary_alg
; /* Primary key algorithm (either TPM2_ALG_RSA or TPM2_ALG_ECC for now) */
659 le32_t policy_hash_size
;
660 uint8_t policy_hash_and_blob
[];
661 /* Followed by NUL bytes until next 8 byte boundary */
664 struct _packed_ tpm2_public_key_credential_header
{
665 le64_t pcr_mask
; /* PCRs used for the public key PCR policy (usually just PCR 11, i.e. the unified kernel) */
666 le32_t size
; /* Size of DER public key */
667 uint8_t data
[]; /* DER public key */
668 /* Followed by NUL bytes until next 8 byte boundary */
671 struct _packed_ scoped_credential_header
{
672 le64_t flags
; /* SCOPE_HASH_DATA_BASE_FLAGS for now */
675 /* This header is encrypted */
676 struct _packed_ metadata_credential_header
{
681 /* Followed by NUL bytes until next 8 byte boundary */
684 struct _packed_ scoped_hash_data
{
685 le64_t flags
; /* copy of the scoped_credential_header.flags */
687 sd_id128_t machine_id
;
688 char username
[]; /* followed by the username */
689 /* Later on we might want to extend this: with a cgroup path to allow per-app secrets, and with the user's $HOME encryption key */
693 /* Flags for scoped_hash_data.flags and scoped_credential_header.flags */
694 SCOPE_HASH_DATA_HAS_UID
= 1 << 0,
695 SCOPE_HASH_DATA_HAS_MACHINE
= 1 << 1,
696 SCOPE_HASH_DATA_HAS_USERNAME
= 1 << 2,
698 SCOPE_HASH_DATA_BASE_FLAGS
= SCOPE_HASH_DATA_HAS_UID
| SCOPE_HASH_DATA_HAS_USERNAME
| SCOPE_HASH_DATA_HAS_MACHINE
,
701 /* Some generic limit for parts of the encrypted credential for which we don't know the right size ahead of
702 * time, but where we are really sure it won't be larger than this. Should be larger than any possible IV,
703 * padding, tag size and so on. This is purely used for early filtering out of invalid sizes. */
704 #define CREDENTIAL_FIELD_SIZE_MAX (16U*1024U)
706 static int sha256_hash_host_and_tpm2_key(
707 const struct iovec
*host_key
,
708 const struct iovec
*tpm2_key
,
709 uint8_t ret
[static SHA256_DIGEST_LENGTH
]) {
711 _cleanup_(EVP_MD_CTX_freep
) EVP_MD_CTX
*md
= NULL
;
714 assert(iovec_is_valid(host_key
));
715 assert(iovec_is_valid(tpm2_key
));
718 /* Combines the host key and the TPM2 HMAC hash into a SHA256 hash value we'll use as symmetric encryption key. */
720 md
= EVP_MD_CTX_new();
724 if (EVP_DigestInit_ex(md
, EVP_sha256(), NULL
) != 1)
725 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to initial SHA256 context.");
727 if (iovec_is_set(host_key
) && EVP_DigestUpdate(md
, host_key
->iov_base
, host_key
->iov_len
) != 1)
728 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to hash host key.");
730 if (iovec_is_set(tpm2_key
) && EVP_DigestUpdate(md
, tpm2_key
->iov_base
, tpm2_key
->iov_len
) != 1)
731 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to hash TPM2 key.");
733 assert(EVP_MD_CTX_size(md
) == SHA256_DIGEST_LENGTH
);
735 if (EVP_DigestFinal_ex(md
, ret
, &l
) != 1)
736 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to finalize SHA256 hash.");
738 assert(l
== SHA256_DIGEST_LENGTH
);
742 static int mangle_uid_into_key(
744 uint8_t md
[static SHA256_DIGEST_LENGTH
]) {
749 assert(uid_is_valid(uid
));
752 /* If we shall encrypt for a specific user, we HMAC() a structure with the user's credentials
753 * (specifically, UID, user name, machine ID) with the key we'd otherwise use for system credentials,
754 * and use the resulting hash as actual encryption key. */
757 struct passwd
*pw
= getpwuid(uid
);
759 return log_error_errno(
760 IN_SET(errno
, 0, ENOENT
) ? SYNTHETIC_ERRNO(ESRCH
) : errno
,
761 "Failed to resolve UID " UID_FMT
": %m", uid
);
763 r
= sd_id128_get_machine(&mid
);
765 return log_error_errno(r
, "Failed to read machine ID: %m");
767 size_t sz
= offsetof(struct scoped_hash_data
, username
) + strlen(pw
->pw_name
) + 1;
768 _cleanup_free_
struct scoped_hash_data
*d
= malloc0(sz
);
772 d
->flags
= htole64(SCOPE_HASH_DATA_BASE_FLAGS
);
773 d
->uid
= htole32(uid
);
776 strcpy(d
->username
, pw
->pw_name
);
778 _cleanup_(erase_and_freep
) void *buf
= NULL
;
780 r
= openssl_hmac_many(
782 md
, SHA256_DIGEST_LENGTH
,
783 &IOVEC_MAKE(d
, sz
), 1,
788 assert(buf_size
== SHA256_DIGEST_LENGTH
);
789 memcpy(md
, buf
, buf_size
);
794 int encrypt_credential_and_warn(
799 const char *tpm2_device
,
800 uint32_t tpm2_hash_pcr_mask
,
801 const char *tpm2_pubkey_path
,
802 uint32_t tpm2_pubkey_pcr_mask
,
804 const struct iovec
*input
,
805 CredentialFlags flags
,
808 _cleanup_(iovec_done
) struct iovec tpm2_blob
= {}, tpm2_policy_hash
= {}, iv
= {}, pubkey
= {};
809 _cleanup_(iovec_done_erase
) struct iovec tpm2_key
= {}, output
= {}, host_key
= {};
810 _cleanup_(EVP_CIPHER_CTX_freep
) EVP_CIPHER_CTX
*context
= NULL
;
811 _cleanup_free_
struct metadata_credential_header
*m
= NULL
;
812 uint16_t tpm2_pcr_bank
= 0, tpm2_primary_alg
= 0;
813 struct encrypted_credential_header
*h
;
814 int ksz
, bsz
, ivsz
, tsz
, added
, r
;
815 uint8_t md
[SHA256_DIGEST_LENGTH
];
816 const EVP_CIPHER
*cc
;
820 assert(iovec_is_valid(input
));
823 if (!sd_id128_in_set(with_key
,
827 CRED_AES256_GCM_BY_HOST
,
828 CRED_AES256_GCM_BY_HOST_SCOPED
,
829 CRED_AES256_GCM_BY_TPM2_HMAC
,
830 CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK
,
831 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC
,
832 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_SCOPED
,
833 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK
,
834 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK_SCOPED
,
835 CRED_AES256_GCM_BY_NULL
))
836 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Invalid key type: " SD_ID128_FORMAT_STR
, SD_ID128_FORMAT_VAL(with_key
));
838 if (name
&& !credential_name_valid(name
))
839 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Invalid credential name: %s", name
);
841 if (not_after
!= USEC_INFINITY
&& timestamp
!= USEC_INFINITY
&& not_after
< timestamp
)
842 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Credential is invalidated before it is valid (" USEC_FMT
" < " USEC_FMT
").", not_after
, timestamp
);
845 char buf
[FORMAT_TIMESTAMP_MAX
];
848 log_debug("Including credential name '%s' in encrypted credential.", name
);
849 if (timestamp
!= USEC_INFINITY
)
850 log_debug("Including timestamp '%s' in encrypted credential.", format_timestamp(buf
, sizeof(buf
), timestamp
));
851 if (not_after
!= USEC_INFINITY
)
852 log_debug("Including not-after timestamp '%s' in encrypted credential.", format_timestamp(buf
, sizeof(buf
), not_after
));
855 if (sd_id128_in_set(with_key
,
857 CRED_AES256_GCM_BY_HOST_SCOPED
,
858 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_SCOPED
,
859 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK_SCOPED
)) {
860 if (!uid_is_valid(uid
))
861 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Scoped credential selected, but no UID specified.");
865 if (sd_id128_in_set(with_key
,
868 CRED_AES256_GCM_BY_HOST
,
869 CRED_AES256_GCM_BY_HOST_SCOPED
,
870 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC
,
871 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_SCOPED
,
872 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK
,
873 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK_SCOPED
)) {
875 r
= get_credential_host_secret(
876 CREDENTIAL_SECRET_GENERATE
|
877 CREDENTIAL_SECRET_WARN_NOT_ENCRYPTED
|
878 (sd_id128_in_set(with_key
, _CRED_AUTO
, _CRED_AUTO_SCOPED
) ? CREDENTIAL_SECRET_FAIL_ON_TEMPORARY_FS
: 0),
880 if (r
== -ENOMEDIUM
&& sd_id128_in_set(with_key
, _CRED_AUTO
, _CRED_AUTO_SCOPED
))
881 log_debug_errno(r
, "Credential host secret location on temporary file system, not using.");
883 return log_error_errno(r
, "Failed to determine local credential host secret: %m");
888 if (sd_id128_in_set(with_key
, _CRED_AUTO
, _CRED_AUTO_INITRD
, _CRED_AUTO_SCOPED
)) {
889 /* If automatic mode is selected lets see if a TPM2 it is present. If we are running in a
890 * container tpm2_support will detect this, and will return a different flag combination of
891 * TPM2_SUPPORT_FULL, effectively skipping the use of TPM2 when inside one. */
893 try_tpm2
= tpm2_support() == TPM2_SUPPORT_FULL
;
895 log_debug("System lacks TPM2 support or running in a container, not attempting to use TPM2.");
897 try_tpm2
= sd_id128_in_set(with_key
,
898 CRED_AES256_GCM_BY_TPM2_HMAC
,
899 CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK
,
900 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC
,
901 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_SCOPED
,
902 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK
,
903 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK_SCOPED
);
906 if (sd_id128_in_set(with_key
,
910 CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK
,
911 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK
,
912 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK_SCOPED
)) {
914 /* Load public key for PCR policies, if one is specified, or explicitly requested */
916 r
= tpm2_load_pcr_public_key(tpm2_pubkey_path
, &pubkey
.iov_base
, &pubkey
.iov_len
);
918 if (tpm2_pubkey_path
|| r
!= -ENOENT
|| !sd_id128_in_set(with_key
, _CRED_AUTO
, _CRED_AUTO_INITRD
, _CRED_AUTO_SCOPED
))
919 return log_error_errno(r
, "Failed read TPM PCR public key: %m");
921 log_debug_errno(r
, "Failed to read TPM2 PCR public key, proceeding without: %m");
925 if (!iovec_is_set(&pubkey
))
926 tpm2_pubkey_pcr_mask
= 0;
928 _cleanup_(tpm2_context_unrefp
) Tpm2Context
*tpm2_context
= NULL
;
929 r
= tpm2_context_new(tpm2_device
, &tpm2_context
);
931 return log_error_errno(r
, "Failed to create TPM2 context: %m");
933 r
= tpm2_get_best_pcr_bank(tpm2_context
, tpm2_hash_pcr_mask
| tpm2_pubkey_pcr_mask
, &tpm2_pcr_bank
);
935 return log_error_errno(r
, "Could not find best pcr bank: %m");
937 TPML_PCR_SELECTION tpm2_hash_pcr_selection
;
938 tpm2_tpml_pcr_selection_from_mask(tpm2_hash_pcr_mask
, tpm2_pcr_bank
, &tpm2_hash_pcr_selection
);
940 _cleanup_free_ Tpm2PCRValue
*tpm2_hash_pcr_values
= NULL
;
941 size_t tpm2_n_hash_pcr_values
;
942 r
= tpm2_pcr_read(tpm2_context
, &tpm2_hash_pcr_selection
, &tpm2_hash_pcr_values
, &tpm2_n_hash_pcr_values
);
944 return log_error_errno(r
, "Could not read PCR values: %m");
947 if (iovec_is_set(&pubkey
)) {
948 r
= tpm2_tpm2b_public_from_pem(pubkey
.iov_base
, pubkey
.iov_len
, &public);
950 return log_error_errno(r
, "Could not convert public key to TPM2B_PUBLIC: %m");
953 TPM2B_DIGEST tpm2_policy
= TPM2B_DIGEST_MAKE(NULL
, TPM2_SHA256_DIGEST_SIZE
);
954 r
= tpm2_calculate_sealing_policy(
955 tpm2_hash_pcr_values
,
956 tpm2_n_hash_pcr_values
,
957 iovec_is_set(&pubkey
) ? &public : NULL
,
958 /* use_pin= */ false,
959 /* pcrlock_policy= */ NULL
,
962 return log_error_errno(r
, "Could not calculate sealing policy digest: %m");
964 r
= tpm2_seal(tpm2_context
,
965 /* seal_key_handle= */ 0,
971 /* ret_srk= */ NULL
);
973 if (sd_id128_equal(with_key
, _CRED_AUTO_INITRD
))
974 log_warning("TPM2 present and used, but we didn't manage to talk to it. Credential will be refused if SecureBoot is enabled.");
975 else if (!sd_id128_in_set(with_key
, _CRED_AUTO
, _CRED_AUTO_SCOPED
))
976 return log_error_errno(r
, "Failed to seal to TPM2: %m");
978 log_notice_errno(r
, "TPM2 sealing didn't work, continuing without TPM2: %m");
981 if (!iovec_memdup(&IOVEC_MAKE(tpm2_policy
.buffer
, tpm2_policy
.size
), &tpm2_policy_hash
))
984 assert(tpm2_blob
.iov_len
<= CREDENTIAL_FIELD_SIZE_MAX
);
985 assert(tpm2_policy_hash
.iov_len
<= CREDENTIAL_FIELD_SIZE_MAX
);
989 if (sd_id128_in_set(with_key
, _CRED_AUTO
, _CRED_AUTO_INITRD
, _CRED_AUTO_SCOPED
)) {
990 /* Let's settle the key type in auto mode now. */
992 if (iovec_is_set(&host_key
) && iovec_is_set(&tpm2_key
))
993 id
= iovec_is_set(&pubkey
) ? (sd_id128_equal(with_key
, _CRED_AUTO_SCOPED
) ?
994 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK_SCOPED
: CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK
)
995 : (sd_id128_equal(with_key
, _CRED_AUTO_SCOPED
) ?
996 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_SCOPED
: CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC
);
997 else if (iovec_is_set(&tpm2_key
) && !sd_id128_equal(with_key
, _CRED_AUTO_SCOPED
))
998 id
= iovec_is_set(&pubkey
) ? CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK
: CRED_AES256_GCM_BY_TPM2_HMAC
;
999 else if (iovec_is_set(&host_key
))
1000 id
= sd_id128_equal(with_key
, _CRED_AUTO_SCOPED
) ? CRED_AES256_GCM_BY_HOST_SCOPED
: CRED_AES256_GCM_BY_HOST
;
1001 else if (sd_id128_equal(with_key
, _CRED_AUTO_INITRD
))
1002 id
= CRED_AES256_GCM_BY_NULL
;
1004 return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE
),
1005 "TPM2 not available and host key located on temporary file system, no encryption key available.");
1009 if (sd_id128_equal(id
, CRED_AES256_GCM_BY_NULL
) && !FLAGS_SET(flags
, CREDENTIAL_ALLOW_NULL
))
1010 log_warning("Using a null key for encryption and signing. Confidentiality or authenticity will not be provided.");
1012 /* Let's now take the host key and the TPM2 key and hash it together, to use as encryption key for the data */
1013 r
= sha256_hash_host_and_tpm2_key(&host_key
, &tpm2_key
, md
);
1017 if (uid_is_valid(uid
)) {
1018 r
= mangle_uid_into_key(uid
, md
);
1023 assert_se(cc
= EVP_aes_256_gcm());
1025 ksz
= EVP_CIPHER_key_length(cc
);
1026 assert(ksz
== sizeof(md
));
1028 bsz
= EVP_CIPHER_block_size(cc
);
1030 assert((size_t) bsz
<= CREDENTIAL_FIELD_SIZE_MAX
);
1032 ivsz
= EVP_CIPHER_iv_length(cc
);
1034 assert((size_t) ivsz
<= CREDENTIAL_FIELD_SIZE_MAX
);
1036 iv
.iov_base
= malloc(ivsz
);
1042 r
= crypto_random_bytes(iv
.iov_base
, iv
.iov_len
);
1044 return log_error_errno(r
, "Failed to acquired randomized IV: %m");
1047 tsz
= 16; /* FIXME: On OpenSSL 3 there is EVP_CIPHER_CTX_get_tag_length(), until then let's hardcode this */
1049 context
= EVP_CIPHER_CTX_new();
1051 return log_error_errno(SYNTHETIC_ERRNO(ENOMEM
), "Failed to allocate encryption object: %s",
1052 ERR_error_string(ERR_get_error(), NULL
));
1054 if (EVP_EncryptInit_ex(context
, cc
, NULL
, md
, iv
.iov_base
) != 1)
1055 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to initialize encryption context: %s",
1056 ERR_error_string(ERR_get_error(), NULL
));
1058 /* Just an upper estimate */
1060 ALIGN8(offsetof(struct encrypted_credential_header
, iv
) + ivsz
) +
1061 ALIGN8(iovec_is_set(&tpm2_key
) ? offsetof(struct tpm2_credential_header
, policy_hash_and_blob
) + tpm2_blob
.iov_len
+ tpm2_policy_hash
.iov_len
: 0) +
1062 ALIGN8(iovec_is_set(&pubkey
) ? offsetof(struct tpm2_public_key_credential_header
, data
) + pubkey
.iov_len
: 0) +
1063 ALIGN8(uid_is_valid(uid
) ? sizeof(struct scoped_credential_header
) : 0) +
1064 ALIGN8(offsetof(struct metadata_credential_header
, name
) + strlen_ptr(name
)) +
1065 input
->iov_len
+ 2U * (size_t) bsz
+
1068 output
.iov_base
= malloc0(output
.iov_len
);
1069 if (!output
.iov_base
)
1072 h
= (struct encrypted_credential_header
*) output
.iov_base
;
1074 h
->block_size
= htole32(bsz
);
1075 h
->key_size
= htole32(ksz
);
1076 h
->tag_size
= htole32(tsz
);
1077 h
->iv_size
= htole32(ivsz
);
1078 memcpy(h
->iv
, iv
.iov_base
, ivsz
);
1080 p
= ALIGN8(offsetof(struct encrypted_credential_header
, iv
) + ivsz
);
1082 if (iovec_is_set(&tpm2_key
)) {
1083 struct tpm2_credential_header
*t
;
1085 t
= (struct tpm2_credential_header
*) ((uint8_t*) output
.iov_base
+ p
);
1086 t
->pcr_mask
= htole64(tpm2_hash_pcr_mask
);
1087 t
->pcr_bank
= htole16(tpm2_pcr_bank
);
1088 t
->primary_alg
= htole16(tpm2_primary_alg
);
1089 t
->blob_size
= htole32(tpm2_blob
.iov_len
);
1090 t
->policy_hash_size
= htole32(tpm2_policy_hash
.iov_len
);
1091 memcpy(t
->policy_hash_and_blob
, tpm2_blob
.iov_base
, tpm2_blob
.iov_len
);
1092 memcpy(t
->policy_hash_and_blob
+ tpm2_blob
.iov_len
, tpm2_policy_hash
.iov_base
, tpm2_policy_hash
.iov_len
);
1094 p
+= ALIGN8(offsetof(struct tpm2_credential_header
, policy_hash_and_blob
) + tpm2_blob
.iov_len
+ tpm2_policy_hash
.iov_len
);
1097 if (iovec_is_set(&pubkey
)) {
1098 struct tpm2_public_key_credential_header
*z
;
1100 z
= (struct tpm2_public_key_credential_header
*) ((uint8_t*) output
.iov_base
+ p
);
1101 z
->pcr_mask
= htole64(tpm2_pubkey_pcr_mask
);
1102 z
->size
= htole32(pubkey
.iov_len
);
1103 memcpy(z
->data
, pubkey
.iov_base
, pubkey
.iov_len
);
1105 p
+= ALIGN8(offsetof(struct tpm2_public_key_credential_header
, data
) + pubkey
.iov_len
);
1108 if (uid_is_valid(uid
)) {
1109 struct scoped_credential_header
*w
;
1111 w
= (struct scoped_credential_header
*) ((uint8_t*) output
.iov_base
+ p
);
1112 w
->flags
= htole64(SCOPE_HASH_DATA_BASE_FLAGS
);
1114 p
+= ALIGN8(sizeof(struct scoped_credential_header
));
1117 /* Pass the encrypted + TPM2 header + scoped header as AAD */
1118 if (EVP_EncryptUpdate(context
, NULL
, &added
, output
.iov_base
, p
) != 1)
1119 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to write AAD data: %s",
1120 ERR_error_string(ERR_get_error(), NULL
));
1122 /* Now construct the metadata header */
1123 ml
= strlen_ptr(name
);
1124 m
= malloc0(ALIGN8(offsetof(struct metadata_credential_header
, name
) + ml
));
1128 m
->timestamp
= htole64(timestamp
);
1129 m
->not_after
= htole64(not_after
);
1130 m
->name_size
= htole32(ml
);
1131 memcpy_safe(m
->name
, name
, ml
);
1133 /* And encrypt the metadata header */
1134 if (EVP_EncryptUpdate(context
, (uint8_t*) output
.iov_base
+ p
, &added
, (const unsigned char*) m
, ALIGN8(offsetof(struct metadata_credential_header
, name
) + ml
)) != 1)
1135 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to encrypt metadata header: %s",
1136 ERR_error_string(ERR_get_error(), NULL
));
1139 assert((size_t) added
<= output
.iov_len
- p
);
1142 /* Then encrypt the plaintext */
1143 if (EVP_EncryptUpdate(context
, (uint8_t*) output
.iov_base
+ p
, &added
, input
->iov_base
, input
->iov_len
) != 1)
1144 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to encrypt data: %s",
1145 ERR_error_string(ERR_get_error(), NULL
));
1148 assert((size_t) added
<= output
.iov_len
- p
);
1152 if (EVP_EncryptFinal_ex(context
, (uint8_t*) output
.iov_base
+ p
, &added
) != 1)
1153 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to finalize data encryption: %s",
1154 ERR_error_string(ERR_get_error(), NULL
));
1157 assert((size_t) added
<= output
.iov_len
- p
);
1160 assert(p
<= output
.iov_len
- tsz
);
1163 if (EVP_CIPHER_CTX_ctrl(context
, EVP_CTRL_GCM_GET_TAG
, tsz
, (uint8_t*) output
.iov_base
+ p
) != 1)
1164 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to get tag: %s",
1165 ERR_error_string(ERR_get_error(), NULL
));
1168 assert(p
<= output
.iov_len
);
1171 if (DEBUG_LOGGING
&& input
->iov_len
> 0) {
1174 base64_size
= DIV_ROUND_UP(output
.iov_len
* 4, 3); /* Include base64 size increase in debug output */
1175 assert(base64_size
>= input
->iov_len
);
1176 log_debug("Input of %zu bytes grew to output of %zu bytes (+%2zu%%).", input
->iov_len
, base64_size
, base64_size
* 100 / input
->iov_len
- 100);
1179 *ret
= TAKE_STRUCT(output
);
1183 int decrypt_credential_and_warn(
1184 const char *validate_name
,
1185 usec_t validate_timestamp
,
1186 const char *tpm2_device
,
1187 const char *tpm2_signature_path
,
1189 const struct iovec
*input
,
1190 CredentialFlags flags
,
1191 struct iovec
*ret
) {
1193 _cleanup_(iovec_done_erase
) struct iovec host_key
= {}, plaintext
= {}, tpm2_key
= {};
1194 _cleanup_(json_variant_unrefp
) JsonVariant
*signature_json
= NULL
;
1195 _cleanup_(EVP_CIPHER_CTX_freep
) EVP_CIPHER_CTX
*context
= NULL
;
1196 struct encrypted_credential_header
*h
;
1197 struct metadata_credential_header
*m
;
1198 uint8_t md
[SHA256_DIGEST_LENGTH
];
1199 bool with_tpm2
, with_tpm2_pk
, with_host_key
, with_null
, with_scope
;
1200 const EVP_CIPHER
*cc
;
1204 assert(iovec_is_valid(input
));
1207 h
= (struct encrypted_credential_header
*) input
->iov_base
;
1209 /* The ID must fit in, for the current and all future formats */
1210 if (input
->iov_len
< sizeof(h
->id
))
1211 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Encrypted file too short.");
1213 with_host_key
= sd_id128_in_set(h
->id
, CRED_AES256_GCM_BY_HOST
, CRED_AES256_GCM_BY_HOST_SCOPED
, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC
, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_SCOPED
, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK
, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK_SCOPED
);
1214 with_tpm2_pk
= sd_id128_in_set(h
->id
, CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK
, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK
, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK_SCOPED
);
1215 with_tpm2
= sd_id128_in_set(h
->id
, CRED_AES256_GCM_BY_TPM2_HMAC
, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC
, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_SCOPED
) || with_tpm2_pk
;
1216 with_null
= sd_id128_equal(h
->id
, CRED_AES256_GCM_BY_NULL
);
1217 with_scope
= sd_id128_in_set(h
->id
, CRED_AES256_GCM_BY_HOST_SCOPED
, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_SCOPED
, CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK_SCOPED
);
1219 if (!with_host_key
&& !with_tpm2
&& !with_null
)
1220 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "Unknown encryption format, or corrupted data: %m");
1223 r
= tpm2_load_pcr_signature(tpm2_signature_path
, &signature_json
);
1225 return log_error_errno(r
, "Failed to load pcr signature: %m");
1228 if (with_null
&& !FLAGS_SET(flags
, CREDENTIAL_ALLOW_NULL
)) {
1229 /* So this is a credential encrypted with a zero length key. We support this to cover for the
1230 * case where neither a host key not a TPM2 are available (specifically: initrd environments
1231 * where the host key is not yet accessible and no TPM2 chip exists at all), to minimize
1232 * different codeflow for TPM2 and non-TPM2 codepaths. Of course, credentials encoded this
1233 * way offer no confidentiality nor authenticity. Because of that it's important we refuse to
1234 * use them on systems that actually *do* have a TPM2 chip – if we are in SecureBoot
1235 * mode. Otherwise an attacker could hand us credentials like this and we'd use them thinking
1236 * they are trusted, even though they are not. */
1238 if (efi_has_tpm2()) {
1239 if (is_efi_secure_boot())
1240 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
),
1241 "Credential uses fixed key for fallback use when TPM2 is absent — but TPM2 is present, and SecureBoot is enabled, refusing.");
1243 log_warning("Credential uses fixed key for use when TPM2 is absent, but TPM2 is present! Accepting anyway, since SecureBoot is disabled.");
1245 log_debug("Credential uses fixed key for use when TPM2 is absent, and TPM2 indeed is absent. Accepting.");
1249 if (!uid_is_valid(uid
))
1250 return log_error_errno(SYNTHETIC_ERRNO(EMEDIUMTYPE
), "Encrypted file is scoped to a user, but no user selected.");
1252 /* Refuse to unlock system credentials if user scope is requested. */
1253 if (uid_is_valid(uid
) && !FLAGS_SET(flags
, CREDENTIAL_ANY_SCOPE
))
1254 return log_error_errno(SYNTHETIC_ERRNO(EMEDIUMTYPE
), "Encrypted file is scoped to the system, but user scope selected.");
1259 /* Now we know the minimum header size */
1260 if (input
->iov_len
< offsetof(struct encrypted_credential_header
, iv
))
1261 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Encrypted file too short.");
1263 /* Verify some basic header values */
1264 if (le32toh(h
->key_size
) != sizeof(md
))
1265 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Unexpected key size in header.");
1266 if (le32toh(h
->block_size
) <= 0 || le32toh(h
->block_size
) > CREDENTIAL_FIELD_SIZE_MAX
)
1267 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Unexpected block size in header.");
1268 if (le32toh(h
->iv_size
) > CREDENTIAL_FIELD_SIZE_MAX
)
1269 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "IV size too large.");
1270 if (le32toh(h
->tag_size
) != 16) /* FIXME: On OpenSSL 3, let's verify via EVP_CIPHER_CTX_get_tag_length() */
1271 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Unexpected tag size in header.");
1273 /* Ensure we have space for the full header now (we don't know the size of the name hence this is a
1274 * lower limit only) */
1275 if (input
->iov_len
<
1276 ALIGN8(offsetof(struct encrypted_credential_header
, iv
) + le32toh(h
->iv_size
)) +
1277 ALIGN8(with_tpm2
? offsetof(struct tpm2_credential_header
, policy_hash_and_blob
) : 0) +
1278 ALIGN8(with_tpm2_pk
? offsetof(struct tpm2_public_key_credential_header
, data
) : 0) +
1279 ALIGN8(with_scope
? sizeof(struct scoped_credential_header
) : 0) +
1280 ALIGN8(offsetof(struct metadata_credential_header
, name
)) +
1281 le32toh(h
->tag_size
))
1282 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Encrypted file too short.");
1284 p
= ALIGN8(offsetof(struct encrypted_credential_header
, iv
) + le32toh(h
->iv_size
));
1288 struct tpm2_credential_header
* t
= (struct tpm2_credential_header
*) ((uint8_t*) input
->iov_base
+ p
);
1289 struct tpm2_public_key_credential_header
*z
= NULL
;
1291 if (!TPM2_PCR_MASK_VALID(t
->pcr_mask
))
1292 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "TPM2 PCR mask out of range.");
1293 if (!tpm2_hash_alg_to_string(le16toh(t
->pcr_bank
)))
1294 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "TPM2 PCR bank invalid or not supported");
1295 if (!tpm2_asym_alg_to_string(le16toh(t
->primary_alg
)))
1296 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "TPM2 primary key algorithm invalid or not supported.");
1297 if (le32toh(t
->blob_size
) > CREDENTIAL_FIELD_SIZE_MAX
)
1298 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Unexpected TPM2 blob size.");
1299 if (le32toh(t
->policy_hash_size
) > CREDENTIAL_FIELD_SIZE_MAX
)
1300 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Unexpected TPM2 policy hash size.");
1302 /* Ensure we have space for the full TPM2 header now (still don't know the name, and its size
1303 * though, hence still just a lower limit test only) */
1304 if (input
->iov_len
<
1306 ALIGN8(offsetof(struct tpm2_credential_header
, policy_hash_and_blob
) + le32toh(t
->blob_size
) + le32toh(t
->policy_hash_size
)) +
1307 ALIGN8(with_tpm2_pk
? offsetof(struct tpm2_public_key_credential_header
, data
) : 0) +
1308 ALIGN8(with_scope
? sizeof(struct scoped_credential_header
) : 0) +
1309 ALIGN8(offsetof(struct metadata_credential_header
, name
)) +
1310 le32toh(h
->tag_size
))
1311 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Encrypted file too short.");
1313 p
+= ALIGN8(offsetof(struct tpm2_credential_header
, policy_hash_and_blob
) +
1314 le32toh(t
->blob_size
) +
1315 le32toh(t
->policy_hash_size
));
1318 z
= (struct tpm2_public_key_credential_header
*) ((uint8_t*) input
->iov_base
+ p
);
1320 if (!TPM2_PCR_MASK_VALID(le64toh(z
->pcr_mask
)) || le64toh(z
->pcr_mask
) == 0)
1321 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "TPM2 PCR mask out of range.");
1322 if (le32toh(z
->size
) > PUBLIC_KEY_MAX
)
1323 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Unexpected public key size.");
1325 if (input
->iov_len
<
1327 ALIGN8(offsetof(struct tpm2_public_key_credential_header
, data
) + le32toh(z
->size
)) +
1328 ALIGN8(with_scope
? sizeof(struct scoped_credential_header
) : 0) +
1329 ALIGN8(offsetof(struct metadata_credential_header
, name
)) +
1330 le32toh(h
->tag_size
))
1331 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Encrypted file too short.");
1333 p
+= ALIGN8(offsetof(struct tpm2_public_key_credential_header
, data
) +
1337 _cleanup_(tpm2_context_unrefp
) Tpm2Context
*tpm2_context
= NULL
;
1338 r
= tpm2_context_new(tpm2_device
, &tpm2_context
);
1342 // TODO: Add the SRK data to the credential structure so it can be plumbed
1343 // through and used to verify the TPM session.
1344 r
= tpm2_unseal(tpm2_context
,
1345 le64toh(t
->pcr_mask
),
1346 le16toh(t
->pcr_bank
),
1347 z
? &IOVEC_MAKE(z
->data
, le32toh(z
->size
)) : NULL
,
1348 z
? le64toh(z
->pcr_mask
) : 0,
1351 /* pcrlock_policy= */ NULL
,
1352 le16toh(t
->primary_alg
),
1353 &IOVEC_MAKE(t
->policy_hash_and_blob
, le32toh(t
->blob_size
)),
1354 &IOVEC_MAKE(t
->policy_hash_and_blob
+ le32toh(t
->blob_size
), le32toh(t
->policy_hash_size
)),
1358 return log_error_errno(r
, "Failed to unseal secret using TPM2: %m");
1360 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "Credential requires TPM2 support, but TPM2 support not available.");
1365 struct scoped_credential_header
* sh
= (struct scoped_credential_header
*) ((uint8_t*) input
->iov_base
+ p
);
1367 if (le64toh(sh
->flags
) != SCOPE_HASH_DATA_BASE_FLAGS
)
1368 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "Scoped credential with unsupported flags.");
1370 if (input
->iov_len
<
1372 sizeof(struct scoped_credential_header
) +
1373 ALIGN8(offsetof(struct metadata_credential_header
, name
)) +
1374 le32toh(h
->tag_size
))
1375 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Encrypted file too short.");
1377 p
+= sizeof(struct scoped_credential_header
);
1380 if (with_host_key
) {
1381 r
= get_credential_host_secret(/* flags= */ 0, &host_key
);
1383 return log_error_errno(r
, "Failed to determine local credential key: %m");
1386 if (with_null
&& !FLAGS_SET(flags
, CREDENTIAL_ALLOW_NULL
))
1387 log_warning("Warning: using a null key for decryption and authentication. Confidentiality or authenticity are not provided.");
1389 sha256_hash_host_and_tpm2_key(&host_key
, &tpm2_key
, md
);
1392 r
= mangle_uid_into_key(uid
, md
);
1397 assert_se(cc
= EVP_aes_256_gcm());
1399 /* Make sure cipher expectations match the header */
1400 if (EVP_CIPHER_key_length(cc
) != (int) le32toh(h
->key_size
))
1401 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Unexpected key size in header.");
1402 if (EVP_CIPHER_block_size(cc
) != (int) le32toh(h
->block_size
))
1403 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Unexpected block size in header.");
1405 context
= EVP_CIPHER_CTX_new();
1407 return log_error_errno(SYNTHETIC_ERRNO(ENOMEM
), "Failed to allocate decryption object: %s",
1408 ERR_error_string(ERR_get_error(), NULL
));
1410 if (EVP_DecryptInit_ex(context
, cc
, NULL
, NULL
, NULL
) != 1)
1411 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to initialize decryption context: %s",
1412 ERR_error_string(ERR_get_error(), NULL
));
1414 if (EVP_CIPHER_CTX_ctrl(context
, EVP_CTRL_GCM_SET_IVLEN
, le32toh(h
->iv_size
), NULL
) != 1)
1415 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to set IV size on decryption context: %s",
1416 ERR_error_string(ERR_get_error(), NULL
));
1418 if (EVP_DecryptInit_ex(context
, NULL
, NULL
, md
, h
->iv
) != 1)
1419 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to set IV and key: %s",
1420 ERR_error_string(ERR_get_error(), NULL
));
1422 if (EVP_DecryptUpdate(context
, NULL
, &added
, input
->iov_base
, p
) != 1)
1423 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to write AAD data: %s",
1424 ERR_error_string(ERR_get_error(), NULL
));
1426 plaintext
.iov_base
= malloc(input
->iov_len
- p
- le32toh(h
->tag_size
));
1427 if (!plaintext
.iov_base
)
1430 if (EVP_DecryptUpdate(
1434 (uint8_t*) input
->iov_base
+ p
,
1435 input
->iov_len
- p
- le32toh(h
->tag_size
)) != 1)
1436 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to decrypt data: %s",
1437 ERR_error_string(ERR_get_error(), NULL
));
1440 assert((size_t) added
<= input
->iov_len
- p
- le32toh(h
->tag_size
));
1441 plaintext
.iov_len
= added
;
1443 if (EVP_CIPHER_CTX_ctrl(context
, EVP_CTRL_GCM_SET_TAG
, le32toh(h
->tag_size
), (uint8_t*) input
->iov_base
+ input
->iov_len
- le32toh(h
->tag_size
)) != 1)
1444 return log_error_errno(SYNTHETIC_ERRNO(EINVAL
), "Failed to set tag: %s",
1445 ERR_error_string(ERR_get_error(), NULL
));
1447 if (EVP_DecryptFinal_ex(context
, (uint8_t*) plaintext
.iov_base
+ plaintext
.iov_len
, &added
) != 1)
1448 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Decryption failed (incorrect key?): %s",
1449 ERR_error_string(ERR_get_error(), NULL
));
1451 plaintext
.iov_len
+= added
;
1453 if (plaintext
.iov_len
< ALIGN8(offsetof(struct metadata_credential_header
, name
)))
1454 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Metadata header incomplete.");
1456 m
= plaintext
.iov_base
;
1458 if (le64toh(m
->timestamp
) != USEC_INFINITY
&&
1459 le64toh(m
->not_after
) != USEC_INFINITY
&&
1460 le64toh(m
->timestamp
) >= le64toh(m
->not_after
))
1461 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Timestamps of credential are not in order, refusing.");
1463 if (le32toh(m
->name_size
) > CREDENTIAL_NAME_MAX
)
1464 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Embedded credential name too long, refusing.");
1466 hs
= ALIGN8(offsetof(struct metadata_credential_header
, name
) + le32toh(m
->name_size
));
1467 if (plaintext
.iov_len
< hs
)
1468 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Metadata header incomplete.");
1470 if (le32toh(m
->name_size
) > 0) {
1471 _cleanup_free_
char *embedded_name
= NULL
;
1473 r
= make_cstring(m
->name
, le32toh(m
->name_size
), MAKE_CSTRING_REFUSE_TRAILING_NUL
, &embedded_name
);
1475 return log_error_errno(r
, "Unable to convert embedded credential name to C string: %m");
1477 if (!credential_name_valid(embedded_name
))
1478 return log_error_errno(SYNTHETIC_ERRNO(EBADMSG
), "Embedded credential name is not valid, refusing.");
1480 if (validate_name
&& !streq(embedded_name
, validate_name
)) {
1482 r
= getenv_bool_secure("SYSTEMD_CREDENTIAL_VALIDATE_NAME");
1483 if (r
< 0 && r
!= -ENXIO
)
1484 log_debug_errno(r
, "Failed to parse $SYSTEMD_CREDENTIAL_VALIDATE_NAME: %m");
1486 return log_error_errno(SYNTHETIC_ERRNO(EREMOTE
), "Embedded credential name '%s' does not match filename '%s', refusing.", embedded_name
, validate_name
);
1488 log_debug("Embedded credential name '%s' does not match expected name '%s', but configured to use credential anyway.", embedded_name
, validate_name
);
1492 if (validate_timestamp
!= USEC_INFINITY
) {
1493 if (le64toh(m
->timestamp
) != USEC_INFINITY
&& le64toh(m
->timestamp
) > validate_timestamp
)
1494 log_debug("Credential timestamp is from the future, assuming clock skew.");
1496 if (le64toh(m
->not_after
) != USEC_INFINITY
&& le64toh(m
->not_after
) < validate_timestamp
) {
1498 r
= getenv_bool_secure("SYSTEMD_CREDENTIAL_VALIDATE_NOT_AFTER");
1499 if (r
< 0 && r
!= -ENXIO
)
1500 log_debug_errno(r
, "Failed to parse $SYSTEMD_CREDENTIAL_VALIDATE_NOT_AFTER: %m");
1502 return log_error_errno(SYNTHETIC_ERRNO(ESTALE
), "Credential's time passed, refusing to use.");
1504 log_debug("Credential not-after timestamp has passed, but configured to use credential anyway.");
1509 _cleanup_(iovec_done_erase
) struct iovec without_metadata
= {};
1511 without_metadata
.iov_len
= plaintext
.iov_len
- hs
;
1512 without_metadata
.iov_base
= memdup_suffix0((uint8_t*) plaintext
.iov_base
+ hs
, without_metadata
.iov_len
);
1513 if (!without_metadata
.iov_base
)
1516 *ret
= TAKE_STRUCT(without_metadata
);
1524 int get_credential_host_secret(CredentialSecretFlags flags
, struct iovec
*ret
) {
1525 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "Support for encrypted credentials not available.");
1528 int encrypt_credential_and_warn(sd_id128_t with_key
, const char *name
, usec_t timestamp
, usec_t not_after
, const char *tpm2_device
, uint32_t tpm2_hash_pcr_mask
, const char *tpm2_pubkey_path
, uint32_t tpm2_pubkey_pcr_mask
, uid_t uid
, const struct iovec
*input
, CredentialFlags flags
, struct iovec
*ret
) {
1529 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "Support for encrypted credentials not available.");
1532 int decrypt_credential_and_warn(const char *validate_name
, usec_t validate_timestamp
, const char *tpm2_device
, const char *tpm2_signature_path
, uid_t uid
, const struct iovec
*input
, CredentialFlags flags
, struct iovec
*ret
) {
1533 return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP
), "Support for encrypted credentials not available.");