author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-06-12 03:50:40 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-06-12 03:50:40 +0000 |
commit | fc53809803cd2bc2434e312b19a18fa36776da12 (patch) | |
tree | b4b43bd6538f51965ce32856e9c053d0f90919c8 /src/cryptsetup/cryptsetup-tokens | |
parent | Adding upstream version 255.5. (diff) | |
Adding upstream version 256.upstream/256
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/cryptsetup/cryptsetup-tokens')
7 files changed, 69 insertions, 85 deletions
diff --git a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-fido2.c b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-fido2.c index fdb3b17..1efb7c5 100644 --- a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-fido2.c +++ b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-fido2.c @@ -18,7 +18,7 @@ /* for libcryptsetup debug purpose */ _public_ const char *cryptsetup_token_version(void) { - return TOKEN_VERSION_MAJOR "." TOKEN_VERSION_MINOR " systemd-v" STRINGIFY(PROJECT_VERSION) " (" GIT_VERSION ")"; + return TOKEN_VERSION_MAJOR "." TOKEN_VERSION_MINOR " systemd-v" PROJECT_VERSION_FULL " (" GIT_VERSION ")"; } _public_ int cryptsetup_token_open_pin( @@ -34,7 +34,7 @@ _public_ int cryptsetup_token_open_pin( const char *json; _cleanup_(erase_and_freep) char *pin_string = NULL; - assert(!pin || pin_size); + assert(pin || pin_size == 0); assert(token >= 0); /* This must not fail at this moment (internal error) */ @@ -87,7 +87,7 @@ _public_ void cryptsetup_token_buffer_free(void *buffer, size_t buffer_len) { */ _public_ void cryptsetup_token_dump( struct crypt_device *cd /* is always LUKS2 context */, - const char *json /* validated 'systemd-tpm2' token if cryptsetup_token_validate is defined */) { + const char *json /* validated 'systemd-fido2' token if cryptsetup_token_validate is defined */) { int r; Fido2EnrollFlags required; @@ -154,7 +154,7 @@ _public_ void cryptsetup_token_dump( */ _public_ int cryptsetup_token_validate( struct crypt_device *cd, /* is always LUKS2 context */ - const char *json /* contains valid 'type' and 'keyslots' fields. 'type' is 'systemd-tpm2' */) { + const char *json /* contains valid 'type' and 'keyslots' fields. 'type' is 'systemd-fido2' */) { int r; JsonVariant *w; 
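Review bot: The rewritten assertion in cryptsetup_token_open_pin, `assert(pin || pin_size == 0);`, is not equivalent to the old `assert(!pin || pin_size);`, and nothing on the line records the new contract. It now accepts a non-NULL `pin` with `pin_size == 0` and rejects a NULL `pin` with a non-zero size, which the old form let through. A comment such as `/* pin may be NULL only together with pin_size == 0; an empty non-NULL PIN is accepted */` would make that explicit. The same line changes in cryptsetup-token-systemd-pkcs11.c and cryptsetup-token-systemd-tpm2.c. How `pin_string` is built from the pair lies outside these hunks, so it is worth confirming that a zero-length PIN is handled as intended there.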
@@ -172,7 +172,7 @@ _public_ int cryptsetup_token_validate( return 1; } - r = unbase64mem(json_variant_string(w), SIZE_MAX, NULL, NULL); + r = unbase64mem(json_variant_string(w), NULL, NULL); if (r < 0) return crypt_log_debug_errno(cd, r, "Invalid base64 data in 'fido2-credential' field: %m"); @@ -182,7 +182,7 @@ _public_ int cryptsetup_token_validate( return 1; } - r = unbase64mem(json_variant_string(w), SIZE_MAX, NULL, NULL); + r = unbase64mem(json_variant_string(w), NULL, NULL); if (r < 0) return crypt_log_debug_errno(cd, r, "Failed to decode base64 encoded salt: %m."); diff --git a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-pkcs11.c b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-pkcs11.c index 2ac8a27..a9898ba 100644 --- a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-pkcs11.c +++ b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-pkcs11.c @@ -18,7 +18,7 @@ /* for libcryptsetup debug purpose */ _public_ const char *cryptsetup_token_version(void) { - return TOKEN_VERSION_MAJOR "." TOKEN_VERSION_MINOR " systemd-v" STRINGIFY(PROJECT_VERSION) " (" GIT_VERSION ")"; + return TOKEN_VERSION_MAJOR "." TOKEN_VERSION_MINOR " systemd-v" PROJECT_VERSION_FULL " (" GIT_VERSION ")"; } _public_ int cryptsetup_token_open_pin( @@ -33,7 +33,7 @@ _public_ int cryptsetup_token_open_pin( const char *json; int r; - assert(!pin || pin_size); + assert(pin || pin_size == 0); assert(token >= 0); /* This must not fail at this moment (internal error) */ @@ -136,7 +136,7 @@ _public_ int cryptsetup_token_validate( return 1; } - r = unbase64mem(json_variant_string(w), SIZE_MAX, NULL, NULL); + r = unbase64mem(json_variant_string(w), NULL, NULL); if (r < 0) return crypt_log_debug_errno(cd, r, "Failed to decode base64 encoded key: %m."); diff --git a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c index 6fee831..8b4754a 100644 
--- a/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c +++ b/src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c @@ -20,7 +20,7 @@ /* for libcryptsetup debug purpose */ _public_ const char *cryptsetup_token_version(void) { - return TOKEN_VERSION_MAJOR "." TOKEN_VERSION_MINOR " systemd-v" STRINGIFY(PROJECT_VERSION) " (" GIT_VERSION ")"; + return TOKEN_VERSION_MAJOR "." TOKEN_VERSION_MINOR " systemd-v" PROJECT_VERSION_FULL " (" GIT_VERSION ")"; } static int log_debug_open_error(struct crypt_device *cd, int r) { @@ -42,9 +42,8 @@ _public_ int cryptsetup_token_open_pin( void *usrptr /* plugin defined parameter passed to crypt_activate_by_token*() API */) { _cleanup_(erase_and_freep) char *base64_encoded = NULL, *pin_string = NULL; - _cleanup_free_ void *blob = NULL, *pubkey = NULL, *policy_hash = NULL, *salt = NULL, *srk_buf = NULL; - size_t blob_size, policy_hash_size, decrypted_key_size, pubkey_size, salt_size = 0, srk_buf_size = 0; - _cleanup_(erase_and_freep) void *decrypted_key = NULL; + _cleanup_(iovec_done) struct iovec blob = {}, pubkey = {}, policy_hash = {}, salt = {}, srk = {}, pcrlock_nv = {}; + _cleanup_(iovec_done_erase) struct iovec decrypted_key = {}; _cleanup_(json_variant_unrefp) JsonVariant *v = NULL; uint32_t hash_pcr_mask, pubkey_pcr_mask; systemd_tpm2_plugin_params params = { @@ -57,7 +56,7 @@ _public_ int cryptsetup_token_open_pin( int r; assert(token >= 0); - assert(!pin || pin_size > 0); + assert(pin || pin_size == 0); assert(ret_password); assert(ret_password_len); @@ -79,21 +78,17 @@ _public_ int cryptsetup_token_open_pin( r = tpm2_parse_luks2_json( v, - NULL, + /* ret_keyslot= */ NULL, &hash_pcr_mask, &pcr_bank, &pubkey, - &pubkey_size, &pubkey_pcr_mask, &primary_alg, &blob, - &blob_size, &policy_hash, - &policy_hash_size, &salt, - &salt_size, - &srk_buf, - &srk_buf_size, + &srk, + &pcrlock_nv, &flags); if (r < 0) return log_debug_open_error(cd, r); 
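Review bot: The new declarations in cryptsetup_token_open_pin give only `decrypted_key` the erasing cleanup (`iovec_done_erase`), while `blob`, `pubkey`, `policy_hash`, `salt`, `srk` and `pcrlock_nv` use plain `iovec_done`, and no comment says why. The split mirrors the old `_cleanup_free_` / `erase_and_freep` grouping, so behaviour looks unchanged, but the reason is worth stating where the choice is made. Something like `/* only decrypted_key carries plaintext key material; the others are token fields parsed from the LUKS2 JSON */` above the two lines would keep a later edit from adding a secret-bearing buffer to the non-erasing group. The function body continues outside the hunk.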
@@ -105,28 +100,24 @@ _public_ int cryptsetup_token_open_pin( params.device, hash_pcr_mask, pcr_bank, - pubkey, pubkey_size, + &pubkey, pubkey_pcr_mask, params.signature_path, pin_string, params.pcrlock_path, primary_alg, - blob, - blob_size, - policy_hash, - policy_hash_size, - salt, - salt_size, - srk_buf, - srk_buf_size, + &blob, + &policy_hash, + &salt, + &srk, + &pcrlock_nv, flags, - &decrypted_key, - &decrypted_key_size); + &decrypted_key); if (r < 0) return log_debug_open_error(cd, r); /* Before using this key as passphrase we base64 encode it, for compat with homed */ - base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded); + base64_encoded_size = base64mem(decrypted_key.iov_base, decrypted_key.iov_len, &base64_encoded); if (base64_encoded_size < 0) return log_debug_open_error(cd, base64_encoded_size); @@ -177,9 +168,8 @@ _public_ void cryptsetup_token_dump( const char *json /* validated 'systemd-tpm2' token if cryptsetup_token_validate is defined */) { _cleanup_free_ char *hash_pcrs_str = NULL, *pubkey_pcrs_str = NULL, *blob_str = NULL, *policy_hash_str = NULL, *pubkey_str = NULL; - _cleanup_free_ void *blob = NULL, *pubkey = NULL, *policy_hash = NULL, *salt = NULL, *srk_buf = NULL; + _cleanup_(iovec_done) struct iovec blob = {}, pubkey = {}, policy_hash = {}, salt = {}, srk = {}, pcrlock_nv = {}; _cleanup_(json_variant_unrefp) JsonVariant *v = NULL; - size_t blob_size, policy_hash_size, pubkey_size, salt_size = 0, srk_buf_size = 0; uint32_t hash_pcr_mask, pubkey_pcr_mask; uint16_t pcr_bank, primary_alg; TPM2Flags flags = 0; @@ -197,17 +187,13 @@ _public_ void cryptsetup_token_dump( &hash_pcr_mask, &pcr_bank, &pubkey, - &pubkey_size, &pubkey_pcr_mask, &primary_alg, &blob, - &blob_size, &policy_hash, - &policy_hash_size, &salt, - &salt_size, - &srk_buf, - &srk_buf_size, + &srk, + &pcrlock_nv, &flags); if (r < 0) return (void) crypt_log_debug_errno(cd, r, "Failed to parse " TOKEN_NAME " JSON fields: %m"); 
@@ -220,15 +206,15 @@ _public_ void cryptsetup_token_dump( if (!pubkey_pcrs_str) return (void) crypt_log_debug_errno(cd, ENOMEM, "Cannot format PCR hash mask: %m"); - r = crypt_dump_buffer_to_hex_string(blob, blob_size, &blob_str); + r = crypt_dump_buffer_to_hex_string(blob.iov_base, blob.iov_len, &blob_str); if (r < 0) return (void) crypt_log_debug_errno(cd, r, "Cannot dump " TOKEN_NAME " content: %m"); - r = crypt_dump_buffer_to_hex_string(pubkey, pubkey_size, &pubkey_str); + r = crypt_dump_buffer_to_hex_string(pubkey.iov_base, pubkey.iov_len, &pubkey_str); if (r < 0) return (void) crypt_log_debug_errno(cd, r, "Cannot dump " TOKEN_NAME " content: %m"); - r = crypt_dump_buffer_to_hex_string(policy_hash, policy_hash_size, &policy_hash_str); + r = crypt_dump_buffer_to_hex_string(policy_hash.iov_base, policy_hash.iov_len, &policy_hash_str); if (r < 0) return (void) crypt_log_debug_errno(cd, r, "Cannot dump " TOKEN_NAME " content: %m"); @@ -241,8 +227,9 @@ _public_ void cryptsetup_token_dump( crypt_log(cd, "\ttpm2-policy-hash:" CRYPT_DUMP_LINE_SEP "%s\n", policy_hash_str); crypt_log(cd, "\ttpm2-pin: %s\n", true_false(flags & TPM2_FLAGS_USE_PIN)); crypt_log(cd, "\ttpm2-pcrlock: %s\n", true_false(flags & TPM2_FLAGS_USE_PCRLOCK)); - crypt_log(cd, "\ttpm2-salt: %s\n", true_false(salt)); - crypt_log(cd, "\ttpm2-srk: %s\n", true_false(srk_buf)); + crypt_log(cd, "\ttpm2-salt: %s\n", true_false(iovec_is_set(&salt))); + crypt_log(cd, "\ttpm2-srk: %s\n", true_false(iovec_is_set(&srk))); + crypt_log(cd, "\ttpm2-pcrlock-nv: %s\n", true_false(iovec_is_set(&pcrlock_nv))); } /* @@ -326,7 +313,7 @@ _public_ int cryptsetup_token_validate( return 1; } - r = unbase64mem(json_variant_string(w), SIZE_MAX, NULL, NULL); + r = unbase64mem(json_variant_string(w), NULL, NULL); if (r < 0) return crypt_log_debug_errno(cd, r, "Invalid base64 data in 'tpm2-blob' field: %m"); 
@@ -336,7 +323,7 @@ _public_ int cryptsetup_token_validate( return 1; } - r = unhexmem(json_variant_string(w), SIZE_MAX, NULL, NULL); + r = unhexmem(json_variant_string(w), NULL, NULL); if (r < 0) return crypt_log_debug_errno(cd, r, "Invalid base64 data in 'tpm2-policy-hash' field: %m"); diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-fido2.c b/src/cryptsetup/cryptsetup-tokens/luks2-fido2.c index a1c85e6..5b38613 100644 --- a/src/cryptsetup/cryptsetup-tokens/luks2-fido2.c +++ b/src/cryptsetup/cryptsetup-tokens/luks2-fido2.c @@ -104,7 +104,7 @@ int parse_luks2_fido2_data( if (!w) return -EINVAL; - r = unbase64mem(json_variant_string(w), SIZE_MAX, &cid, &cid_size); + r = unbase64mem(json_variant_string(w), &cid, &cid_size); if (r < 0) return crypt_log_error_errno(cd, r, "Failed to parse 'fido2-credentials' field: %m"); @@ -112,7 +112,7 @@ int parse_luks2_fido2_data( if (!w) return -EINVAL; - r = unbase64mem(json_variant_string(w), SIZE_MAX, &salt, &salt_size); + r = unbase64mem(json_variant_string(w), &salt, &salt_size); if (r < 0) return crypt_log_error_errno(cd, r, "Failed to parse 'fido2-salt' field: %m"); diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-pkcs11.c b/src/cryptsetup/cryptsetup-tokens/luks2-pkcs11.c index 178fc7a..ac5100f 100644 --- a/src/cryptsetup/cryptsetup-tokens/luks2-pkcs11.c +++ b/src/cryptsetup/cryptsetup-tokens/luks2-pkcs11.c @@ -157,7 +157,7 @@ static int acquire_luks2_key_systemd( assert(params); data.friendly_name = params->friendly_name; - data.headless = params->headless; + data.askpw_credential = params->askpw_credential; data.askpw_flags = params->askpw_flags; data.until = params->until; @@ -260,7 +260,7 @@ int parse_luks2_pkcs11_data( if (!w) return -EINVAL; - r = unbase64mem(json_variant_string(w), SIZE_MAX, &key, &key_size); + r = unbase64mem(json_variant_string(w), &key, &key_size); if (r < 0) return crypt_log_debug_errno(cd, r, "Failed to decode base64 encoded key: %m."); 
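Review bot: The failure message after the `unhexmem()` call still reads "Invalid base64 data in 'tpm2-policy-hash' field", although the line this hunk touches decodes the value as hex. Someone debugging a rejected token would be pointed at the wrong encoding. Change the string to `"Invalid hex data in 'tpm2-policy-hash' field: %m"`. cryptsetup_token_validate begins and ends outside the hunk.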
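Review bot: In parse_luks2_fido2_data the decode error names the field 'fido2-credentials', while the validate path in cryptsetup-token-systemd-fido2.c reports the same kind of failure for 'fido2-credential'. The JSON key lookup is outside this hunk, so which spelling is right cannot be confirmed here, but presumably one message does not match the key. Once confirmed, align the text, e.g. `"Failed to parse 'fido2-credential' field: %m"`. These two calls also log with `crypt_log_error_errno` where the validate path uses `crypt_log_debug_errno`; if that difference is deliberate, a short comment would help.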
diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c index 846679f..08f901c 100644 --- a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c +++ b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.c @@ -17,33 +17,27 @@ int acquire_luks2_key( const char *device, uint32_t hash_pcr_mask, uint16_t pcr_bank, - const void *pubkey, - size_t pubkey_size, + const struct iovec *pubkey, uint32_t pubkey_pcr_mask, const char *signature_path, const char *pin, const char *pcrlock_path, uint16_t primary_alg, - const void *key_data, - size_t key_data_size, - const void *policy_hash, - size_t policy_hash_size, - const void *salt, - size_t salt_size, - const void *srk_buf, - size_t srk_buf_size, + const struct iovec *blob, + const struct iovec *policy_hash, + const struct iovec *salt, + const struct iovec *srk, + const struct iovec *pcrlock_nv, TPM2Flags flags, - void **ret_decrypted_key, - size_t *ret_decrypted_key_size) { + struct iovec *ret_decrypted_key) { _cleanup_(json_variant_unrefp) JsonVariant *signature_json = NULL; _cleanup_free_ char *auto_device = NULL; _cleanup_(erase_and_freep) char *b64_salted_pin = NULL; int r; - assert(salt || salt_size == 0); + assert(iovec_is_valid(salt)); assert(ret_decrypted_key); - assert(ret_decrypted_key_size); if (!device) { r = tpm2_find_device_auto(&auto_device); @@ -58,10 +52,10 @@ int acquire_luks2_key( if ((flags & TPM2_FLAGS_USE_PIN) && !pin) return -ENOANO; - if (pin && salt_size > 0) { + if (pin && iovec_is_set(salt)) { uint8_t salted_pin[SHA256_DIGEST_SIZE] = {}; CLEANUP_ERASE(salted_pin); - r = tpm2_util_pbkdf2_hmac_sha256(pin, strlen(pin), salt, salt_size, salted_pin); + r = tpm2_util_pbkdf2_hmac_sha256(pin, strlen(pin), salt->iov_base, salt->iov_len, salted_pin); if (r < 0) return log_error_errno(r, "Failed to perform PBKDF2: %m"); 
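Review bot: After the conversion to `struct iovec` only `salt` is checked, with `assert(iovec_is_valid(salt));`, although `pubkey`, `blob`, `policy_hash`, `srk` and `pcrlock_nv` now arrive as pointers in the same form. They are handed on to helpers whose own checks are not visible here. For consistency, assert the other inputs the same way, e.g. `assert(iovec_is_valid(blob));` and likewise for the remaining four, so a malformed base/length pair is caught at this boundary rather than deeper in the unseal path. The function body continues outside the hunk.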
@@ -82,6 +76,14 @@ int acquire_luks2_key( r = tpm2_pcrlock_policy_load(pcrlock_path, &pcrlock_policy); if (r < 0) return r; + if (r == 0) { + /* Not found? Then search among passed credentials */ + r = tpm2_pcrlock_policy_from_credentials(srk, pcrlock_nv, &pcrlock_policy); + if (r < 0) + return r; + if (r == 0) + return log_error_errno(SYNTHETIC_ERRNO(EREMOTE), "Couldn't find pcrlock policy for volume."); + } } _cleanup_(tpm2_context_unrefp) Tpm2Context *tpm2_context = NULL; @@ -92,16 +94,16 @@ int acquire_luks2_key( r = tpm2_unseal(tpm2_context, hash_pcr_mask, pcr_bank, - pubkey, pubkey_size, + pubkey, pubkey_pcr_mask, signature_json, pin, FLAGS_SET(flags, TPM2_FLAGS_USE_PCRLOCK) ? &pcrlock_policy : NULL, primary_alg, - key_data, key_data_size, - policy_hash, policy_hash_size, - srk_buf, srk_buf_size, - ret_decrypted_key, ret_decrypted_key_size); + blob, + policy_hash, + srk, + ret_decrypted_key); if (r < 0) return log_error_errno(r, "Failed to unseal secret using TPM2: %m"); diff --git a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h index 8408bab..c3a01df 100644 --- a/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h +++ b/src/cryptsetup/cryptsetup-tokens/luks2-tpm2.h @@ -10,21 +10,16 @@ int acquire_luks2_key( const char *device, uint32_t pcr_mask, uint16_t pcr_bank, - const void *pubkey, - size_t pubkey_size, + const struct iovec *pubkey, uint32_t pubkey_pcr_mask, const char *signature_path, const char *pin, const char *pcrlock_path, uint16_t primary_alg, - const void *key_data, - size_t key_data_size, - const void *policy_hash, - size_t policy_hash_size, - const void *salt, - size_t salt_size, - const void *srk_buf, - size_t srk_buf_size, + const struct iovec *key_data, + const struct iovec *policy_hash, + const struct iovec *salt, + const struct iovec *srk, + const struct iovec *pcrlock_nv, TPM2Flags flags, - void **ret_decrypted_key, - size_t *ret_decrypted_key_size); + struct iovec *decrypted_key); |
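Review bot: The new fallback in acquire_luks2_key switches the pcrlock policy source from the file at `pcrlock_path` to the passed credentials without leaving any trace. If `tpm2_pcrlock_policy_from_credentials()` fails, the code returns `r` with no message, while the not-found case just below logs at error level. Unless the helper logs on its own (not visible in this hunk), a failed or unexpected lookup cannot be told apart from other errors. Since the policy decides which PCR state may unseal the volume key, a line such as `log_debug("No pcrlock policy file found, falling back to credentials.");` at the top of the `if (r == 0)` block would help. The failure path could likewise use `return log_error_errno(r, "Failed to load pcrlock policy from credentials: %m");`.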
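Review bot: The updated prototype in luks2-tpm2.h uses parameter names that differ from the definition in luks2-tpm2.c. The header has `pcr_mask`, `key_data` and `decrypted_key` where the definition has `hash_pcr_mask`, `blob` and `ret_decrypted_key`. Dropping the `ret_` prefix hides that the last iovec is an output which receives the unsealed key, and the caller then has to release it with an erasing cleanup. Suggest matching the definition: `const struct iovec *blob,` and `struct iovec *ret_decrypted_key);`, plus `uint32_t hash_pcr_mask,` for the first mask.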