1 /* SPDX-License-Identifier: LGPL-2.1-or-later */
3 #include "creds-util.h"
5 #include "format-util.h"
7 #include "id128-util.h"
8 #include "iovec-util.h"
12 #include "tmpfile-util.h"
13 #include "tpm2-util.h"
14 #include "user-util.h"
16 TEST(read_credential_strings
) {
17 _cleanup_free_
char *x
= NULL
, *y
= NULL
, *saved
= NULL
, *p
= NULL
;
18 _cleanup_(rm_rf_physical_and_freep
) char *tmp
= NULL
;
19 _cleanup_fclose_
FILE *f
= NULL
;
21 const char *e
= getenv("CREDENTIALS_DIRECTORY");
23 assert_se(saved
= strdup(e
));
25 assert_se(read_credential_strings_many("foo", &x
, "bar", &y
) == 0);
29 assert_se(mkdtemp_malloc(NULL
, &tmp
) >= 0);
31 assert_se(setenv("CREDENTIALS_DIRECTORY", tmp
, /* override= */ true) >= 0);
33 assert_se(read_credential_strings_many("foo", &x
, "bar", &y
) == 0);
37 assert_se(p
= path_join(tmp
, "bar"));
38 assert_se(write_string_file(p
, "piff", WRITE_STRING_FILE_CREATE
|WRITE_STRING_FILE_AVOID_NEWLINE
) >= 0);
40 assert_se(read_credential_strings_many("foo", &x
, "bar", &y
) == 0);
42 assert_se(streq(y
, "piff"));
44 assert_se(write_string_file(p
, "paff", WRITE_STRING_FILE_TRUNCATE
|WRITE_STRING_FILE_AVOID_NEWLINE
) >= 0);
46 assert_se(read_credential_strings_many("foo", &x
, "bar", &y
) == 0);
48 assert_se(streq(y
, "paff"));
51 assert_se(p
= path_join(tmp
, "foo"));
52 assert_se(write_string_file(p
, "knurz", WRITE_STRING_FILE_CREATE
|WRITE_STRING_FILE_AVOID_NEWLINE
) >= 0);
54 assert_se(read_credential_strings_many("foo", &x
, "bar", &y
) >= 0);
55 assert_se(streq(x
, "knurz"));
56 assert_se(streq(y
, "paff"));
59 assert_se(p
= path_join(tmp
, "bazz"));
60 assert_se(f
= fopen(p
, "w"));
61 assert_se(fwrite("x\0y", 1, 3, f
) == 3); /* embedded NUL byte should result in EBADMSG when reading back with read_credential_strings_many() */
66 assert_se(read_credential_strings_many("bazz", &x
, "bar", &y
) == -EBADMSG
);
67 assert_se(streq(x
, "knurz"));
68 assert_se(streq(y
, "paff"));
71 assert_se(setenv("CREDENTIALS_DIRECTORY", saved
, /* override= */ 1) >= 0);
73 assert_se(unsetenv("CREDENTIALS_DIRECTORY") >= 0);
76 TEST(credential_name_valid
) {
79 assert_se(!credential_name_valid(NULL
));
80 assert_se(!credential_name_valid(""));
81 assert_se(!credential_name_valid("."));
82 assert_se(!credential_name_valid(".."));
83 assert_se(!credential_name_valid("foo/bar"));
84 assert_se(credential_name_valid("foo"));
86 memset(buf
, 'x', sizeof(buf
)-1);
87 buf
[sizeof(buf
)-1] = 0;
88 assert_se(!credential_name_valid(buf
));
90 buf
[sizeof(buf
)-2] = 0;
91 assert_se(credential_name_valid(buf
));
94 TEST(credential_glob_valid
) {
97 assert_se(!credential_glob_valid(NULL
));
98 assert_se(!credential_glob_valid(""));
99 assert_se(!credential_glob_valid("."));
100 assert_se(!credential_glob_valid(".."));
101 assert_se(!credential_glob_valid("foo/bar"));
102 assert_se(credential_glob_valid("foo"));
103 assert_se(credential_glob_valid("foo*"));
104 assert_se(credential_glob_valid("x*"));
105 assert_se(credential_glob_valid("*"));
106 assert_se(!credential_glob_valid("?"));
107 assert_se(!credential_glob_valid("*a"));
108 assert_se(!credential_glob_valid("a?"));
109 assert_se(!credential_glob_valid("a[abc]"));
110 assert_se(!credential_glob_valid("a[abc]"));
112 memset(buf
, 'x', sizeof(buf
)-1);
113 buf
[sizeof(buf
)-1] = 0;
114 assert_se(!credential_glob_valid(buf
));
116 buf
[sizeof(buf
)-2] = 0;
117 assert_se(credential_glob_valid(buf
));
119 buf
[sizeof(buf
)-2] = '*';
120 assert_se(credential_glob_valid(buf
));
123 static void test_encrypt_decrypt_with(sd_id128_t mode
, uid_t uid
) {
124 static const struct iovec plaintext
= CONST_IOVEC_MAKE_STRING("this is a super secret string");
127 if (uid_is_valid(uid
))
128 log_notice("Running encryption/decryption test with mode " SD_ID128_FORMAT_STR
" for UID " UID_FMT
".", SD_ID128_FORMAT_VAL(mode
), uid
);
130 log_notice("Running encryption/decryption test with mode " SD_ID128_FORMAT_STR
".", SD_ID128_FORMAT_VAL(mode
));
132 _cleanup_(iovec_done
) struct iovec encrypted
= {};
133 r
= encrypt_credential_and_warn(
136 /* timestamp= */ USEC_INFINITY
,
137 /* not_after=*/ USEC_INFINITY
,
138 /* tpm2_device= */ NULL
,
139 /* tpm2_hash_pcr_mask= */ 0,
140 /* tpm2_pubkey_path= */ NULL
,
141 /* tpm2_pubkey_pcr_mask= */ 0,
144 CREDENTIAL_ALLOW_NULL
,
146 if (ERRNO_IS_NEG_MACHINE_ID_UNSET(r
)) {
147 log_notice_errno(r
, "Skipping test encryption mode " SD_ID128_FORMAT_STR
", because /etc/machine-id is not initialized.", SD_ID128_FORMAT_VAL(mode
));
150 if (ERRNO_IS_NEG_NOT_SUPPORTED(r
)) {
151 log_notice_errno(r
, "Skipping test encryption mode " SD_ID128_FORMAT_STR
", because encrypted credentials are not supported.", SD_ID128_FORMAT_VAL(mode
));
157 _cleanup_(iovec_done
) struct iovec decrypted
= {};
158 r
= decrypt_credential_and_warn(
160 /* validate_timestamp= */ USEC_INFINITY
,
161 /* tpm2_device= */ NULL
,
162 /* tpm2_signature_path= */ NULL
,
165 CREDENTIAL_ALLOW_NULL
,
167 assert_se(r
== -EREMOTE
); /* name didn't match */
169 r
= decrypt_credential_and_warn(
171 /* validate_timestamp= */ USEC_INFINITY
,
172 /* tpm2_device= */ NULL
,
173 /* tpm2_signature_path= */ NULL
,
176 CREDENTIAL_ALLOW_NULL
,
180 assert_se(iovec_memcmp(&plaintext
, &decrypted
) == 0);
183 static bool try_tpm2(void) {
185 _cleanup_(tpm2_context_unrefp
) Tpm2Context
*tpm2_context
= NULL
;
188 r
= tpm2_context_new(/* device= */ NULL
, &tpm2_context
);
190 log_notice_errno(r
, "Failed to create TPM2 context, assuming no TPM2 support or privileges: %m");
198 TEST(credential_encrypt_decrypt
) {
199 _cleanup_(rm_rf_physical_and_freep
) char *d
= NULL
;
200 _cleanup_free_
char *j
= NULL
;
202 log_set_max_level(LOG_DEBUG
);
204 test_encrypt_decrypt_with(CRED_AES256_GCM_BY_NULL
, UID_INVALID
);
206 assert_se(mkdtemp_malloc(NULL
, &d
) >= 0);
207 j
= path_join(d
, "secret");
210 const char *e
= getenv("SYSTEMD_CREDENTIAL_SECRET");
211 _cleanup_free_
char *ec
= NULL
;
214 assert_se(ec
= strdup(e
));
216 assert_se(setenv("SYSTEMD_CREDENTIAL_SECRET", j
, true) >= 0);
218 test_encrypt_decrypt_with(CRED_AES256_GCM_BY_HOST
, UID_INVALID
);
219 test_encrypt_decrypt_with(CRED_AES256_GCM_BY_HOST_SCOPED
, 0);
222 test_encrypt_decrypt_with(CRED_AES256_GCM_BY_TPM2_HMAC
, UID_INVALID
);
223 test_encrypt_decrypt_with(CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC
, UID_INVALID
);
224 test_encrypt_decrypt_with(CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_SCOPED
, 0);
228 assert_se(setenv("SYSTEMD_CREDENTIAL_SECRET", ec
, true) >= 0);
231 TEST(mime_type_matches
) {
233 static const sd_id128_t tags
[] = {
234 CRED_AES256_GCM_BY_HOST
,
235 CRED_AES256_GCM_BY_HOST_SCOPED
,
236 CRED_AES256_GCM_BY_TPM2_HMAC
,
237 CRED_AES256_GCM_BY_TPM2_HMAC_WITH_PK
,
238 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC
,
239 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_SCOPED
,
240 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK
,
241 CRED_AES256_GCM_BY_HOST_AND_TPM2_HMAC_WITH_PK_SCOPED
,
242 CRED_AES256_GCM_BY_NULL
,
245 /* Generates the right <match/> expressions for these credentials according to the shared mime-info spec */
246 FOREACH_ARRAY(t
, tags
, ELEMENTSOF(tags
)) {
247 _cleanup_free_
char *encoded
= NULL
;
249 assert_se(base64mem(t
, sizeof(sd_id128_t
), &encoded
) >= 0);
251 /* Validate that the size matches expectations for the 4/3 factor size increase (rounding up) */
252 assert_se(strlen(encoded
) == DIV_ROUND_UP((128U / 8U), 3U) * 4U);
254 /* Cut off rounded string where the ID ends, but now round down to get rid of characters that might contain follow-up data */
255 encoded
[128 / 6] = 0;
257 printf("<match type=\"string\" value=\"%s\" offset=\"0\"/>\n", encoded
);
261 DEFINE_TEST_MAIN(LOG_INFO
);