return 1;
}
-int set_full_environment(char **env) {
- int r;
-
- clearenv();
-
- STRV_FOREACH(e, env) {
- _cleanup_free_ char *k = NULL, *v = NULL;
-
- r = split_pair(*e, "=", &k, &v);
- if (r < 0)
- return r;
-
- if (setenv(k, v, /* overwrite= */ true) < 0)
- return -errno;
- }
-
- return 0;
-}
-
int setenvf(const char *name, bool overwrite, const char *valuef, ...) {
_cleanup_free_ char *value = NULL;
va_list ap;
int getenv_steal_erase(const char *name, char **ret);
-int set_full_environment(char **env);
-
int setenvf(const char *name, bool overwrite, const char *valuef, ...) _printf_(3,4);
return buffer;
}
-int ether_addr_to_string_alloc(const struct ether_addr *addr, char **ret) {
- char *buf;
-
- assert(addr);
- assert(ret);
-
- buf = new(char, ETHER_ADDR_TO_STRING_MAX);
- if (!buf)
- return -ENOMEM;
-
- ether_addr_to_string(addr, buf);
-
- *ret = buf;
- return 0;
-}
-
int ether_addr_compare(const struct ether_addr *a, const struct ether_addr *b) {
return memcmp(a, b, ETH_ALEN);
}
#define ETHER_ADDR_TO_STRING_MAX (3*6)
char* ether_addr_to_string(const struct ether_addr *addr, char buffer[ETHER_ADDR_TO_STRING_MAX]);
-int ether_addr_to_string_alloc(const struct ether_addr *addr, char **ret);
/* Use only as function argument, never stand-alone! */
#define ETHER_ADDR_TO_STR(addr) ether_addr_to_string((addr), (char[ETHER_ADDR_TO_STRING_MAX]){})
return unit_dbus_interface_from_type(t);
}
-const char* unit_type_to_capitalized_string(UnitType t) {
- const char *di = unit_dbus_interface_from_type(t);
- if (!di)
- return NULL;
-
- return ASSERT_PTR(startswith(di, "org.freedesktop.systemd1."));
-}
-
static const char* const unit_type_table[_UNIT_TYPE_MAX] = {
[UNIT_SERVICE] = "service",
[UNIT_SOCKET] = "socket",
const char* unit_type_to_string(UnitType i) _const_;
UnitType unit_type_from_string(const char *s) _pure_;
-const char* unit_type_to_capitalized_string(UnitType t);
-
const char* unit_load_state_to_string(UnitLoadState i) _const_;
UnitLoadState unit_load_state_from_string(const char *s) _pure_;
return 0;
}
-int crypt_dump_hex_string(const char *hex_str, char **ret_dump_str) {
-
- int r;
- size_t len;
- _cleanup_free_ char *dump_str = NULL;
-
- assert(hex_str);
- assert(ret_dump_str);
-
- len = strlen(hex_str) >> 1;
-
- for (size_t i = 0; i < len; i++) {
- /* crypt_dump() breaks line after every
- * 16th couple of chars in dumped hexstring */
- r = strextendf_with_separator(
- &dump_str,
- (i && !(i % 16)) ? CRYPT_DUMP_LINE_SEP : " ",
- "%.2s", hex_str + (i<<1));
- if (r < 0)
- return r;
- }
-
- *ret_dump_str = TAKE_PTR(dump_str);
-
- return 0;
-}
-
int crypt_normalize_pin(const void *pin, size_t pin_size, char **ret_pin_string) {
assert(pin || pin_size == 0);
assert(ret_pin_string);
size_t buf_size,
char **ret_dump_str);
-int crypt_dump_hex_string(const char *hex_str, char **ret_dump_str);
-
int crypt_normalize_pin(const void *pin, size_t pin_size, char **ret_pin_string);
return 0;
}
-int user_record_set_hashed_password(UserRecord *h, char **hashed_password) {
- _cleanup_(sd_json_variant_unrefp) sd_json_variant *priv = NULL;
- _cleanup_strv_free_ char **copy = NULL;
- int r;
-
- assert(h);
-
- priv = sd_json_variant_ref(sd_json_variant_by_key(h->json, "privileged"));
-
- if (strv_isempty(hashed_password))
- r = sd_json_variant_filter(&priv, STRV_MAKE("hashedPassword"));
- else {
- _cleanup_(sd_json_variant_unrefp) sd_json_variant *array = NULL;
-
- copy = strv_copy(hashed_password);
- if (!copy)
- return -ENOMEM;
-
- strv_uniq(copy);
-
- r = sd_json_variant_new_array_strv(&array, copy);
- if (r < 0)
- return r;
-
- r = sd_json_variant_set_field(&priv, "hashedPassword", array);
- }
- if (r < 0)
- return r;
-
- r = sd_json_variant_set_field(&h->json, "privileged", priv);
- if (r < 0)
- return r;
-
- strv_free_and_replace(h->hashed_password, copy);
-
- SET_FLAG(h->mask, USER_RECORD_PRIVILEGED, !sd_json_variant_is_blank_object(priv));
- return 0;
-}
-
int user_record_set_password(UserRecord *h, char **password, bool prepend) {
_cleanup_(sd_json_variant_unrefp) sd_json_variant *w = NULL;
_cleanup_strv_free_erase_ char **e = NULL;
int user_record_set_disk_size(UserRecord *h, uint64_t disk_size);
int user_record_set_password(UserRecord *h, char **password, bool prepend);
int user_record_make_hashed_password(UserRecord *h, char **password, bool extend);
-int user_record_set_hashed_password(UserRecord *h, char **hashed_password);
int user_record_set_token_pin(UserRecord *h, char **pin, bool prepend);
int user_record_set_pkcs11_protected_authentication_path_permitted(UserRecord *h, int b);
int user_record_set_fido2_user_presence_permitted(UserRecord *h, int b);
return set_ensure_consume(options, &ndisc_option_hash_ops, p);
}
-int ndisc_option_set_raw(Set **options, size_t length, const uint8_t *bytes) {
- _cleanup_free_ uint8_t *copy = NULL;
-
- assert(options);
- assert(bytes);
-
- if (length == 0)
- return -EINVAL;
-
- copy = newdup(uint8_t, bytes, length);
- if (!copy)
- return -ENOMEM;
-
- sd_ndisc_option *p = ndisc_option_new(/* type = */ 0, /* offset = */ 0);
- if (!p)
- return -ENOMEM;
-
- p->raw = (sd_ndisc_raw) {
- .bytes = TAKE_PTR(copy),
- .length = length,
- };
-
- return ndisc_option_consume(options, p);
-}
-
static int ndisc_option_build_raw(const sd_ndisc_option *option, uint8_t **ret) {
assert(option);
assert(option->type == 0);
ndisc_option_remove(options, &(const sd_ndisc_option) { .type = type });
}
-int ndisc_option_set_raw(
- Set **options,
- size_t length,
- const uint8_t *bytes);
int ndisc_option_add_link_layer_address(
Set **options,
uint8_t type,
return 0;
}
-
-int bus_creds_extend_by_pid(sd_bus_creds *c, uint64_t mask, sd_bus_creds **ret) {
- _cleanup_(sd_bus_creds_unrefp) sd_bus_creds *n = NULL;
- int r;
-
- assert(c);
- assert(ret);
-
- if ((mask & ~c->mask) == 0 || (!(mask & SD_BUS_CREDS_AUGMENT))) {
- /* There's already all data we need, or augmentation
- * wasn't turned on. */
-
- *ret = sd_bus_creds_ref(c);
- return 0;
- }
-
- n = bus_creds_new();
- if (!n)
- return -ENOMEM;
-
- /* Copy the original data over */
-
- if (c->mask & mask & SD_BUS_CREDS_PID) {
- n->pid = c->pid;
- n->mask |= SD_BUS_CREDS_PID;
- }
-
- if (c->mask & mask & SD_BUS_CREDS_PIDFD) {
- n->pidfd = fcntl(c->pidfd, F_DUPFD_CLOEXEC, 3);
- if (n->pidfd < 0)
- return -errno;
- n->mask |= SD_BUS_CREDS_PIDFD;
- }
-
- if (c->mask & mask & SD_BUS_CREDS_TID) {
- n->tid = c->tid;
- n->mask |= SD_BUS_CREDS_TID;
- }
-
- if (c->mask & mask & SD_BUS_CREDS_PPID) {
- n->ppid = c->ppid;
- n->mask |= SD_BUS_CREDS_PPID;
- }
-
- if (c->mask & mask & SD_BUS_CREDS_UID) {
- n->uid = c->uid;
- n->mask |= SD_BUS_CREDS_UID;
- }
-
- if (c->mask & mask & SD_BUS_CREDS_EUID) {
- n->euid = c->euid;
- n->mask |= SD_BUS_CREDS_EUID;
- }
-
- if (c->mask & mask & SD_BUS_CREDS_SUID) {
- n->suid = c->suid;
- n->mask |= SD_BUS_CREDS_SUID;
- }
-
- if (c->mask & mask & SD_BUS_CREDS_FSUID) {
- n->fsuid = c->fsuid;
- n->mask |= SD_BUS_CREDS_FSUID;
- }
-
- if (c->mask & mask & SD_BUS_CREDS_GID) {
- n->gid = c->gid;
- n->mask |= SD_BUS_CREDS_GID;
- }
-
- if (c->mask & mask & SD_BUS_CREDS_EGID) {
- n->egid = c->egid;
- n->mask |= SD_BUS_CREDS_EGID;
- }
-
- if (c->mask & mask & SD_BUS_CREDS_SGID) {
- n->sgid = c->sgid;
- n->mask |= SD_BUS_CREDS_SGID;
- }
-
- if (c->mask & mask & SD_BUS_CREDS_FSGID) {
- n->fsgid = c->fsgid;
- n->mask |= SD_BUS_CREDS_FSGID;
- }
-
- if (c->mask & mask & SD_BUS_CREDS_SUPPLEMENTARY_GIDS) {
- if (c->supplementary_gids) {
- n->supplementary_gids = newdup(gid_t, c->supplementary_gids, c->n_supplementary_gids);
- if (!n->supplementary_gids)
- return -ENOMEM;
- n->n_supplementary_gids = c->n_supplementary_gids;
- } else {
- n->supplementary_gids = NULL;
- n->n_supplementary_gids = 0;
- }
-
- n->mask |= SD_BUS_CREDS_SUPPLEMENTARY_GIDS;
- }
-
- if (c->mask & mask & SD_BUS_CREDS_COMM) {
- assert(c->comm);
-
- n->comm = strdup(c->comm);
- if (!n->comm)
- return -ENOMEM;
-
- n->mask |= SD_BUS_CREDS_COMM;
- }
-
- if (c->mask & mask & SD_BUS_CREDS_TID_COMM) {
- assert(c->tid_comm);
-
- n->tid_comm = strdup(c->tid_comm);
- if (!n->tid_comm)
- return -ENOMEM;
-
- n->mask |= SD_BUS_CREDS_TID_COMM;
- }
-
- if (c->mask & mask & SD_BUS_CREDS_EXE) {
- if (c->exe) {
- n->exe = strdup(c->exe);
- if (!n->exe)
- return -ENOMEM;
- } else
- n->exe = NULL;
-
- n->mask |= SD_BUS_CREDS_EXE;
- }
-
- if (c->mask & mask & SD_BUS_CREDS_CMDLINE) {
- if (c->cmdline) {
- n->cmdline = memdup(c->cmdline, c->cmdline_size);
- if (!n->cmdline)
- return -ENOMEM;
-
- n->cmdline_size = c->cmdline_size;
- } else {
- n->cmdline = NULL;
- n->cmdline_size = 0;
- }
-
- n->mask |= SD_BUS_CREDS_CMDLINE;
- }
-
- if (c->mask & mask & (SD_BUS_CREDS_CGROUP|SD_BUS_CREDS_SESSION|SD_BUS_CREDS_UNIT|SD_BUS_CREDS_USER_UNIT|SD_BUS_CREDS_SLICE|SD_BUS_CREDS_USER_SLICE|SD_BUS_CREDS_OWNER_UID)) {
- assert(c->cgroup);
-
- n->cgroup = strdup(c->cgroup);
- if (!n->cgroup)
- return -ENOMEM;
-
- n->cgroup_root = strdup(c->cgroup_root);
- if (!n->cgroup_root)
- return -ENOMEM;
-
- n->mask |= mask & (SD_BUS_CREDS_CGROUP|SD_BUS_CREDS_SESSION|SD_BUS_CREDS_UNIT|SD_BUS_CREDS_USER_UNIT|SD_BUS_CREDS_SLICE|SD_BUS_CREDS_USER_SLICE|SD_BUS_CREDS_OWNER_UID);
- }
-
- if (c->mask & mask & (SD_BUS_CREDS_EFFECTIVE_CAPS|SD_BUS_CREDS_PERMITTED_CAPS|SD_BUS_CREDS_INHERITABLE_CAPS|SD_BUS_CREDS_BOUNDING_CAPS)) {
- assert(c->capability);
-
- n->capability = memdup(c->capability, DIV_ROUND_UP(cap_last_cap()+1, 32U) * 4 * 4);
- if (!n->capability)
- return -ENOMEM;
-
- n->mask |= c->mask & mask & (SD_BUS_CREDS_EFFECTIVE_CAPS|SD_BUS_CREDS_PERMITTED_CAPS|SD_BUS_CREDS_INHERITABLE_CAPS|SD_BUS_CREDS_BOUNDING_CAPS);
- }
-
- if (c->mask & mask & SD_BUS_CREDS_SELINUX_CONTEXT) {
- assert(c->label);
-
- n->label = strdup(c->label);
- if (!n->label)
- return -ENOMEM;
- n->mask |= SD_BUS_CREDS_SELINUX_CONTEXT;
- }
-
- if (c->mask & mask & SD_BUS_CREDS_AUDIT_SESSION_ID) {
- n->audit_session_id = c->audit_session_id;
- n->mask |= SD_BUS_CREDS_AUDIT_SESSION_ID;
- }
- if (c->mask & mask & SD_BUS_CREDS_AUDIT_LOGIN_UID) {
- n->audit_login_uid = c->audit_login_uid;
- n->mask |= SD_BUS_CREDS_AUDIT_LOGIN_UID;
- }
-
- if (c->mask & mask & SD_BUS_CREDS_TTY) {
- if (c->tty) {
- n->tty = strdup(c->tty);
- if (!n->tty)
- return -ENOMEM;
- } else
- n->tty = NULL;
- n->mask |= SD_BUS_CREDS_TTY;
- }
-
- if (c->mask & mask & SD_BUS_CREDS_UNIQUE_NAME) {
- assert(c->unique_name);
-
- n->unique_name = strdup(c->unique_name);
- if (!n->unique_name)
- return -ENOMEM;
- n->mask |= SD_BUS_CREDS_UNIQUE_NAME;
- }
-
- if (c->mask & mask & SD_BUS_CREDS_WELL_KNOWN_NAMES) {
- if (strv_isempty(c->well_known_names))
- n->well_known_names = NULL;
- else {
- n->well_known_names = strv_copy(c->well_known_names);
- if (!n->well_known_names)
- return -ENOMEM;
- }
- n->well_known_names_driver = c->well_known_names_driver;
- n->well_known_names_local = c->well_known_names_local;
- n->mask |= SD_BUS_CREDS_WELL_KNOWN_NAMES;
- }
-
- if (c->mask & mask & SD_BUS_CREDS_DESCRIPTION) {
- assert(c->description);
- n->description = strdup(c->description);
- if (!n->description)
- return -ENOMEM;
- n->mask |= SD_BUS_CREDS_DESCRIPTION;
- }
-
- n->augmented = c->augmented & n->mask;
-
- /* Get more data */
-
- r = bus_creds_add_more(n, mask, /* pidref = */ NULL, /* tid = */ 0);
- if (r < 0)
- return r;
-
- *ret = TAKE_PTR(n);
-
- return 0;
-}
void bus_creds_done(sd_bus_creds *c);
int bus_creds_add_more(sd_bus_creds *c, uint64_t mask, PidRef *pidref, pid_t tid);
-
-int bus_creds_extend_by_pid(sd_bus_creds *c, uint64_t mask, sd_bus_creds **ret);
return k < 0 ? k : has_partitions;
}
-int block_device_has_partitions(sd_device *dev) {
- _cleanup_(sd_device_enumerator_unrefp) sd_device_enumerator *e = NULL;
- int r;
-
- assert(dev);
-
- /* Checks if the specified device currently has partitions. */
-
- r = partition_enumerator_new(dev, &e);
- if (r < 0)
- return r;
-
- return !!sd_device_enumerator_get_device_first(e);
-}
int blockdev_reread_partition_table(sd_device *dev) {
_cleanup_close_ int fd = -EBADF;
int block_device_resize_partition(int fd, int nr, uint64_t start, uint64_t size);
int partition_enumerator_new(sd_device *dev, sd_device_enumerator **ret);
int block_device_remove_all_partitions(sd_device *dev, int fd);
-int block_device_has_partitions(sd_device *dev);
int blockdev_reread_partition_table(sd_device *dev);
int blockdev_get_sector_size(int fd, uint32_t *ret);
return 0;
}
-/* Generate a new RSA key with the specified number of bits. */
-int rsa_pkey_new(size_t bits, EVP_PKEY **ret) {
- assert(ret);
-
- _cleanup_(EVP_PKEY_CTX_freep) EVP_PKEY_CTX *ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_RSA, NULL);
- if (!ctx)
- return log_openssl_errors("Failed to create new EVP_PKEY_CTX");
-
- if (EVP_PKEY_keygen_init(ctx) <= 0)
- return log_openssl_errors("Failed to initialize EVP_PKEY_CTX");
-
- if (EVP_PKEY_CTX_set_rsa_keygen_bits(ctx, (int) bits) <= 0)
- return log_openssl_errors("Failed to set RSA bits to %zu", bits);
-
- _cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey = NULL;
- if (EVP_PKEY_keygen(ctx, &pkey) <= 0)
- return log_openssl_errors("Failed to generate ECC key");
-
- *ret = TAKE_PTR(pkey);
-
- return 0;
-}
-
/* Generate ECC public key from provided curve ID and x/y points. */
int ecc_pkey_from_curve_x_y(
int curve_id,
int rsa_pkey_to_suitable_key_size(EVP_PKEY *pkey, size_t *ret_suitable_key_size);
-int rsa_pkey_new(size_t bits, EVP_PKEY **ret);
-
int rsa_pkey_from_n_e(const void *n, size_t n_size, const void *e, size_t e_size, EVP_PKEY **ret);
int rsa_pkey_to_n_e(const EVP_PKEY *pkey, void **ret_n, size_t *ret_n_size, void **ret_e, size_t *ret_e_size);
return PAM_SUCCESS;
}
-int pam_release_bus_connection(pam_handle_t *handle, const char *module_name) {
- _cleanup_free_ char *cache_id = NULL;
- int r;
-
- assert(module_name);
-
- cache_id = pam_make_bus_cache_id(module_name);
- if (!cache_id)
- return pam_log_oom(handle);
-
- r = pam_set_data(handle, cache_id, NULL, NULL);
- if (r != PAM_SUCCESS)
- return pam_syslog_pam_error(handle, LOG_ERR, r, "Failed to release PAM user record data: @PAMERR@");
-
- return PAM_SUCCESS;
-}
-
int pam_get_bus_data(
pam_handle_t *handle,
const char *module_name,
/* Use a different module name per different PAM module. They are all loaded in the same namespace, and this
* helps avoid a clash in the internal data structures of sd-bus. It will be used as key for cache items. */
int pam_acquire_bus_connection(pam_handle_t *handle, const char *module_name, bool debug, sd_bus **ret_bus, PamBusData **ret_bus_data);
-int pam_release_bus_connection(pam_handle_t *handle, const char *module_name);
int pam_get_bus_data(pam_handle_t *handle, const char *module_name, PamBusData **ret);
void pam_cleanup_free(pam_handle_t *handle, void *data, int error_status);
return log_error_errno(SYNTHETIC_ERRNO(EPERM), "Too many attempts to log into token '%s'.", token_label);
}
-int pkcs11_token_find_x509_certificate(
- CK_FUNCTION_LIST *m,
- CK_SESSION_HANDLE session,
- P11KitUri *search_uri,
- CK_OBJECT_HANDLE *ret_object) {
-
- bool found_class = false, found_certificate_type = false;
- _cleanup_free_ CK_ATTRIBUTE *attributes_buffer = NULL;
- CK_ULONG n_attributes, a, n_objects;
- CK_ATTRIBUTE *attributes = NULL;
- CK_OBJECT_HANDLE objects[2];
- CK_RV rv, rv2;
- int r;
-
- assert(m);
- assert(search_uri);
- assert(ret_object);
-
- r = dlopen_p11kit();
- if (r < 0)
- return r;
-
- attributes = sym_p11_kit_uri_get_attributes(search_uri, &n_attributes);
- for (a = 0; a < n_attributes; a++) {
-
- /* We use the URI's included match attributes, but make them more strict. This allows users
- * to specify a token URL instead of an object URL and the right thing should happen if
- * there's only one suitable key on the token. */
-
- switch (attributes[a].type) {
-
- case CKA_CLASS: {
- CK_OBJECT_CLASS c;
-
- if (attributes[a].ulValueLen != sizeof(c))
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid PKCS#11 CKA_CLASS attribute size.");
-
- memcpy(&c, attributes[a].pValue, sizeof(c));
- if (c != CKO_CERTIFICATE)
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Selected PKCS#11 object is not an X.509 certificate, refusing.");
-
- found_class = true;
- break;
- }
-
- case CKA_CERTIFICATE_TYPE: {
- CK_CERTIFICATE_TYPE t;
-
- if (attributes[a].ulValueLen != sizeof(t))
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid PKCS#11 CKA_CERTIFICATE_TYPE attribute size.");
-
- memcpy(&t, attributes[a].pValue, sizeof(t));
- if (t != CKC_X_509)
- return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Selected PKCS#11 object is not an X.509 certificate, refusing.");
-
- found_certificate_type = true;
- break;
- }}
- }
-
- if (!found_class || !found_certificate_type) {
- /* Hmm, let's slightly extend the attribute list we search for */
-
- attributes_buffer = new(CK_ATTRIBUTE, n_attributes + !found_class + !found_certificate_type);
- if (!attributes_buffer)
- return log_oom();
-
- memcpy(attributes_buffer, attributes, sizeof(CK_ATTRIBUTE) * n_attributes);
-
- if (!found_class) {
- static const CK_OBJECT_CLASS class = CKO_CERTIFICATE;
-
- attributes_buffer[n_attributes++] = (CK_ATTRIBUTE) {
- .type = CKA_CLASS,
- .pValue = (CK_OBJECT_CLASS*) &class,
- .ulValueLen = sizeof(class),
- };
- }
-
- if (!found_certificate_type) {
- static const CK_CERTIFICATE_TYPE type = CKC_X_509;
-
- attributes_buffer[n_attributes++] = (CK_ATTRIBUTE) {
- .type = CKA_CERTIFICATE_TYPE,
- .pValue = (CK_CERTIFICATE_TYPE*) &type,
- .ulValueLen = sizeof(type),
- };
- }
-
- attributes = attributes_buffer;
- }
-
- rv = m->C_FindObjectsInit(session, attributes, n_attributes);
- if (rv != CKR_OK)
- return log_error_errno(SYNTHETIC_ERRNO(EIO),
- "Failed to initialize object find call: %s", sym_p11_kit_strerror(rv));
-
- rv = m->C_FindObjects(session, objects, ELEMENTSOF(objects), &n_objects);
- rv2 = m->C_FindObjectsFinal(session);
- if (rv != CKR_OK)
- return log_error_errno(SYNTHETIC_ERRNO(EIO),
- "Failed to find objects: %s", sym_p11_kit_strerror(rv));
- if (rv2 != CKR_OK)
- return log_error_errno(SYNTHETIC_ERRNO(EIO),
- "Failed to finalize object find call: %s", sym_p11_kit_strerror(rv2));
- if (n_objects == 0)
- return log_error_errno(SYNTHETIC_ERRNO(ENOENT),
- "Failed to find selected X509 certificate on token.");
- if (n_objects > 1)
- return log_error_errno(SYNTHETIC_ERRNO(ENOTUNIQ),
- "Configured URI matches multiple certificates, refusing.");
-
- *ret_object = objects[0];
- return 0;
-}
-
#if HAVE_OPENSSL
static int read_public_key_info(
CK_FUNCTION_LIST *m,
int pkcs11_token_login(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_SLOT_ID slotid, const CK_TOKEN_INFO *token_info, const char *friendly_name, const char *icon_name, const char *key_name, const char *credential_name, usec_t until, AskPasswordFlags ask_password_flags, char **ret_used_pin);
int pkcs11_token_find_related_object(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE prototype, CK_OBJECT_CLASS class, CK_OBJECT_HANDLE *ret_object);
-int pkcs11_token_find_x509_certificate(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, P11KitUri *search_uri, CK_OBJECT_HANDLE *ret_object);
#if HAVE_OPENSSL
int pkcs11_token_read_public_key(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object, EVP_PKEY **ret_pkey);
int pkcs11_token_read_x509_certificate(CK_FUNCTION_LIST *m, CK_SESSION_HANDLE session, CK_OBJECT_HANDLE object, X509 **ret_cert);
return smack_fix_fd(inode_fd, label_path, flags);
}
-
-int mac_smack_copy(const char *dest, const char *src) {
- _cleanup_free_ char *label = NULL;
- int r;
-
- assert(dest);
- assert(src);
-
- r = mac_smack_read(src, SMACK_ATTR_ACCESS, &label);
- if (r < 0)
- return r;
-
- r = mac_smack_apply(dest, SMACK_ATTR_ACCESS, label);
- if (r < 0)
- return r;
-
- return r;
-}
#endif
int renameat_and_apply_smack_floor_label(int fdf, const char *from, int fdt, const char *to) {
int mac_smack_apply_at(int fd, const char *path, SmackAttr attr, const char *label);
int mac_smack_apply_pid(pid_t pid, const char *label);
-int mac_smack_copy(const char *dest, const char *src);
int mac_smack_fix_full(int atfd, const char *inode_path, const char *label_path, LabelFixFlags flags);
#else
return 0;
}
-static inline int mac_smack_copy(const char *dest, const char *src) {
- return 0;
-}
-
static inline int mac_smack_fix_full(int atfd, const char *inode_path, const char *label_path, LabelFixFlags flags) {
return 0;
}
tpm2_tpml_pcr_selection_add_tpms_pcr_selection(l, &tpms);
}
-/* Remove the PCR selections in the mask, with the provided hash. */
-void tpm2_tpml_pcr_selection_sub_mask(TPML_PCR_SELECTION *l, TPMI_ALG_HASH hash, uint32_t mask) {
- TPMS_PCR_SELECTION tpms;
-
- assert(l);
-
- tpm2_tpms_pcr_selection_from_mask(mask, hash, &tpms);
- tpm2_tpml_pcr_selection_sub_tpms_pcr_selection(l, &tpms);
-}
-
/* Add all PCR selections in 'b' to 'a'. */
void tpm2_tpml_pcr_selection_add(TPML_PCR_SELECTION *a, const TPML_PCR_SELECTION *b) {
assert(a);
typesafe_qsort(pcr_values, n_pcr_values, cmp_pcr_values);
}
-int tpm2_pcr_values_from_mask(uint32_t mask, TPMI_ALG_HASH hash, Tpm2PCRValue **ret_pcr_values, size_t *ret_n_pcr_values) {
- _cleanup_free_ Tpm2PCRValue *pcr_values = NULL;
- size_t n_pcr_values = 0;
-
- assert(ret_pcr_values);
- assert(ret_n_pcr_values);
-
- FOREACH_PCR_IN_MASK(index, mask)
- if (!GREEDY_REALLOC_APPEND(
- pcr_values,
- n_pcr_values,
- &TPM2_PCR_VALUE_MAKE(index, hash, {}),
- 1))
- return log_oom_debug();
-
- *ret_pcr_values = TAKE_PTR(pcr_values);
- *ret_n_pcr_values = n_pcr_values;
-
- return 0;
-}
-
int tpm2_pcr_values_to_mask(
const Tpm2PCRValue *pcr_values,
size_t n_pcr_values,
return 0;
}
-/* Return a string representing the array of PCR values. The format is as described in
- * tpm2_pcr_values_from_string(). This does not check for validity. */
-char* tpm2_pcr_values_to_string(const Tpm2PCRValue *pcr_values, size_t n_pcr_values) {
- _cleanup_free_ char *s = NULL;
-
- FOREACH_ARRAY(v, pcr_values, n_pcr_values) {
- _cleanup_free_ char *pcrstr = tpm2_pcr_value_to_string(v);
- if (!pcrstr || !strextend_with_separator(&s, "+", pcrstr))
- return NULL;
- }
-
- return s ? TAKE_PTR(s) : strdup("");
-}
-
void tpm2_log_debug_tpml_pcr_selection(const TPML_PCR_SELECTION *l, const char *msg) {
if (!DEBUG_LOGGING || !l)
return;
return 0;
}
-/* This calls TPM2_CreateLoaded() directly, without checking if the TPM supports it. Callers should instead
- * use tpm2_create_loaded(). */
-static int _tpm2_create_loaded(
- Tpm2Context *c,
- const Tpm2Handle *parent,
- const Tpm2Handle *session,
- const TPMT_PUBLIC *template,
- const TPMS_SENSITIVE_CREATE *sensitive,
- TPM2B_PUBLIC **ret_public,
- TPM2B_PRIVATE **ret_private,
- Tpm2Handle **ret_handle) {
-
- usec_t ts;
- TSS2_RC rc;
- int r;
-
- assert(c);
- assert(parent);
- assert(template);
-
- log_debug("Creating loaded object on TPM.");
-
- ts = now(CLOCK_MONOTONIC);
-
- /* Copy the input template and zero the unique area. */
- TPMT_PUBLIC template_copy = *template;
- zero(template_copy.unique);
-
- TPM2B_TEMPLATE tpm2b_template;
- size_t size = 0;
- rc = sym_Tss2_MU_TPMT_PUBLIC_Marshal(
- &template_copy,
- tpm2b_template.buffer,
- sizeof(tpm2b_template.buffer),
- &size);
- if (rc != TSS2_RC_SUCCESS)
- return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
- "Failed to marshal public key template: %s", sym_Tss2_RC_Decode(rc));
- assert(size <= UINT16_MAX);
- tpm2b_template.size = size;
-
- TPM2B_SENSITIVE_CREATE tpm2b_sensitive;
- if (sensitive)
- tpm2b_sensitive = (TPM2B_SENSITIVE_CREATE) {
- .size = sizeof(*sensitive),
- .sensitive = *sensitive,
- };
- else
- tpm2b_sensitive = (TPM2B_SENSITIVE_CREATE) {};
-
- _cleanup_(tpm2_handle_freep) Tpm2Handle *handle = NULL;
- r = tpm2_handle_new(c, &handle);
- if (r < 0)
- return r;
-
- _cleanup_(Esys_Freep) TPM2B_PUBLIC *public = NULL;
- _cleanup_(Esys_Freep) TPM2B_PRIVATE *private = NULL;
- rc = sym_Esys_CreateLoaded(
- c->esys_context,
- parent->esys_handle,
- session ? session->esys_handle : ESYS_TR_PASSWORD,
- ESYS_TR_NONE,
- ESYS_TR_NONE,
- &tpm2b_sensitive,
- &tpm2b_template,
- &handle->esys_handle,
- &private,
- &public);
- if (rc != TSS2_RC_SUCCESS)
- return log_debug_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE),
- "Failed to generate loaded object in TPM: %s",
- sym_Tss2_RC_Decode(rc));
-
- log_debug("Successfully created loaded object on TPM in %s.",
- FORMAT_TIMESPAN(now(CLOCK_MONOTONIC) - ts, USEC_PER_MSEC));
-
- if (ret_public)
- *ret_public = TAKE_PTR(public);
- if (ret_private)
- *ret_private = TAKE_PTR(private);
- if (ret_handle)
- *ret_handle = TAKE_PTR(handle);
-
- return 0;
-}
-
-/* This calls TPM2_CreateLoaded() if the TPM supports it, otherwise it calls TPM2_Create() and TPM2_Load()
- * separately. Do not use this to create primary keys, because some HW TPMs refuse to allow that; instead use
- * tpm2_create_primary(). */
-int tpm2_create_loaded(
- Tpm2Context *c,
- const Tpm2Handle *parent,
- const Tpm2Handle *session,
- const TPMT_PUBLIC *template,
- const TPMS_SENSITIVE_CREATE *sensitive,
- TPM2B_PUBLIC **ret_public,
- TPM2B_PRIVATE **ret_private,
- Tpm2Handle **ret_handle) {
-
- int r;
-
- if (tpm2_supports_command(c, TPM2_CC_CreateLoaded))
- return _tpm2_create_loaded(c, parent, session, template, sensitive, ret_public, ret_private, ret_handle);
-
- /* Unfortunately, this TPM doesn't support CreateLoaded (added at spec revision 130) so we need to
- * create and load manually. */
- _cleanup_(Esys_Freep) TPM2B_PUBLIC *public = NULL;
- _cleanup_(Esys_Freep) TPM2B_PRIVATE *private = NULL;
- r = tpm2_create(c, parent, session, template, sensitive, &public, &private);
- if (r < 0)
- return r;
-
- _cleanup_(tpm2_handle_freep) Tpm2Handle *handle = NULL;
- r = tpm2_load(c, parent, session, public, private, &handle);
- if (r < 0)
- return r;
-
- if (ret_public)
- *ret_public = TAKE_PTR(public);
- if (ret_private)
- *ret_private = TAKE_PTR(private);
- if (ret_handle)
- *ret_handle = TAKE_PTR(handle);
-
- return 0;
-}
-
static int tpm2_marshal_private(const TPM2B_PRIVATE *private, void **ret, size_t *ret_size) {
size_t max_size = sizeof(*private), blob_size = 0;
_cleanup_free_ void *blob = NULL;
}
}
-int tpm2_sym_alg_from_string(const char *alg) {
-#if HAVE_TPM2
- if (strcaseeq_ptr(alg, "aes"))
- return TPM2_ALG_AES;
-#endif
- return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Unknown symmetric algorithm name '%s'", alg);
-}
-
const char* tpm2_sym_mode_to_string(uint16_t mode) {
switch (mode) {
#if HAVE_TPM2
bool tpm2_pcr_values_valid(const Tpm2PCRValue *pcr_values, size_t n_pcr_values);
void tpm2_sort_pcr_values(Tpm2PCRValue *pcr_values, size_t n_pcr_values);
-int tpm2_pcr_values_from_mask(uint32_t mask, TPMI_ALG_HASH hash, Tpm2PCRValue **ret_pcr_values, size_t *ret_n_pcr_values);
int tpm2_pcr_values_to_mask(const Tpm2PCRValue *pcr_values, size_t n_pcr_values, TPMI_ALG_HASH hash, uint32_t *ret_mask);
int tpm2_pcr_values_from_string(const char *arg, Tpm2PCRValue **ret_pcr_values, size_t *ret_n_pcr_values);
-char* tpm2_pcr_values_to_string(const Tpm2PCRValue *pcr_values, size_t n_pcr_values);
int tpm2_pcr_values_hash_count(const Tpm2PCRValue *pcr_values, size_t n_pcr_values, size_t *ret_count);
int tpm2_tpml_pcr_selection_from_pcr_values(const Tpm2PCRValue *pcr_values, size_t n_pcr_values, TPML_PCR_SELECTION *ret_selection, TPM2B_DIGEST **ret_values, size_t *ret_n_values);
int tpm2_create_primary(Tpm2Context *c, const Tpm2Handle *session, const TPM2B_PUBLIC *template, const TPM2B_SENSITIVE_CREATE *sensitive, TPM2B_PUBLIC **ret_public, Tpm2Handle **ret_handle);
int tpm2_create(Tpm2Context *c, const Tpm2Handle *parent, const Tpm2Handle *session, const TPMT_PUBLIC *template, const TPMS_SENSITIVE_CREATE *sensitive, TPM2B_PUBLIC **ret_public, TPM2B_PRIVATE **ret_private);
-int tpm2_create_loaded(Tpm2Context *c, const Tpm2Handle *parent, const Tpm2Handle *session, const TPMT_PUBLIC *template, const TPMS_SENSITIVE_CREATE *sensitive, TPM2B_PUBLIC **ret_public, TPM2B_PRIVATE **ret_private, Tpm2Handle **ret_handle);
int tpm2_load(Tpm2Context *c, const Tpm2Handle *parent, const Tpm2Handle *session, const TPM2B_PUBLIC *public, const TPM2B_PRIVATE *private, Tpm2Handle **ret_handle);
int tpm2_marshal_public(const TPM2B_PUBLIC *public, void **ret, size_t *ret_size);
int tpm2_marshal_nv_public(const TPM2B_NV_PUBLIC *nv_public, void **ret, size_t *ret_size);
void tpm2_tpml_pcr_selection_from_mask(uint32_t mask, TPMI_ALG_HASH hash, TPML_PCR_SELECTION *ret);
bool tpm2_tpml_pcr_selection_has_mask(const TPML_PCR_SELECTION *l, TPMI_ALG_HASH hash, uint32_t mask);
void tpm2_tpml_pcr_selection_add_mask(TPML_PCR_SELECTION *l, TPMI_ALG_HASH hash, uint32_t mask);
-void tpm2_tpml_pcr_selection_sub_mask(TPML_PCR_SELECTION *l, TPMI_ALG_HASH hash, uint32_t mask);
void tpm2_tpml_pcr_selection_add_tpms_pcr_selection(TPML_PCR_SELECTION *l, const TPMS_PCR_SELECTION *s);
void tpm2_tpml_pcr_selection_sub_tpms_pcr_selection(TPML_PCR_SELECTION *l, const TPMS_PCR_SELECTION *s);
void tpm2_tpml_pcr_selection_add(TPML_PCR_SELECTION *a, const TPML_PCR_SELECTION *b);
int tpm2_asym_alg_from_string(const char *alg) _pure_;
const char* tpm2_sym_alg_to_string(uint16_t alg) _const_;
-int tpm2_sym_alg_from_string(const char *alg) _pure_;
-
const char* tpm2_sym_mode_to_string(uint16_t mode) _const_;
int tpm2_sym_mode_from_string(const char *mode) _pure_;
projects / thirdparty / systemd.git / commitdiff
