diff options
author | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-06-12 03:50:40 +0000 |
---|---|---|
committer | Daniel Baumann <daniel.baumann@progress-linux.org> | 2024-06-12 03:50:40 +0000 |
commit | fc53809803cd2bc2434e312b19a18fa36776da12 (patch) | |
tree | b4b43bd6538f51965ce32856e9c053d0f90919c8 /src/home/homectl-pkcs11.c | |
parent | Adding upstream version 255.5. (diff) | |
download | systemd-fc53809803cd2bc2434e312b19a18fa36776da12.tar.xz systemd-fc53809803cd2bc2434e312b19a18fa36776da12.zip |
Adding upstream version 256.upstream/256
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
Diffstat (limited to 'src/home/homectl-pkcs11.c')
-rw-r--r-- | src/home/homectl-pkcs11.c | 183 |
1 files changed, 80 insertions, 103 deletions
diff --git a/src/home/homectl-pkcs11.c b/src/home/homectl-pkcs11.c index 2539af0..bb582d7 100644 --- a/src/home/homectl-pkcs11.c +++ b/src/home/homectl-pkcs11.c @@ -8,62 +8,55 @@ #include "memory-util.h" #include "openssl-util.h" #include "pkcs11-util.h" -#include "random-util.h" #include "strv.h" -static int add_pkcs11_encrypted_key( - JsonVariant **v, - const char *uri, - const void *encrypted_key, size_t encrypted_key_size, - const void *decrypted_key, size_t decrypted_key_size) { - - _cleanup_(json_variant_unrefp) JsonVariant *l = NULL, *w = NULL, *e = NULL; - _cleanup_(erase_and_freep) char *base64_encoded = NULL, *hashed = NULL; - ssize_t base64_encoded_size; +int identity_add_token_pin(JsonVariant **v, const char *pin) { + _cleanup_(json_variant_unrefp) JsonVariant *w = NULL, *l = NULL; + _cleanup_strv_free_erase_ char **pins = NULL; int r; assert(v); - assert(uri); - assert(encrypted_key); - assert(encrypted_key_size > 0); - assert(decrypted_key); - assert(decrypted_key_size > 0); - /* Before using UNIX hashing on the supplied key we base64 encode it, since crypt_r() and friends - * expect a NUL terminated string, and we use a binary key */ - base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded); - if (base64_encoded_size < 0) - return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m"); + if (isempty(pin)) + return 0; - r = hash_password(base64_encoded, &hashed); + w = json_variant_ref(json_variant_by_key(*v, "secret")); + l = json_variant_ref(json_variant_by_key(w, "tokenPin")); + + r = json_variant_strv(l, &pins); if (r < 0) - return log_error_errno(errno_or_else(EINVAL), "Failed to UNIX hash secret key: %m"); + return log_error_errno(r, "Failed to convert PIN array: %m"); - r = json_build(&e, JSON_BUILD_OBJECT( - JSON_BUILD_PAIR("uri", JSON_BUILD_STRING(uri)), - JSON_BUILD_PAIR("data", JSON_BUILD_BASE64(encrypted_key, encrypted_key_size)), - JSON_BUILD_PAIR("hashedPassword", JSON_BUILD_STRING(hashed)))); + if (strv_contains(pins, pin)) + return 0; + + r = strv_extend(&pins, pin); if (r < 0) - return log_error_errno(r, "Failed to build encrypted JSON key object: %m"); + return log_oom(); - w = json_variant_ref(json_variant_by_key(*v, "privileged")); - l = json_variant_ref(json_variant_by_key(w, "pkcs11EncryptedKey")); + strv_uniq(pins); - r = json_variant_append_array(&l, e); + l = json_variant_unref(l); + + r = json_variant_new_array_strv(&l, pins); if (r < 0) - return log_error_errno(r, "Failed append PKCS#11 encrypted key: %m"); + return log_error_errno(r, "Failed to allocate new PIN array JSON: %m"); - r = json_variant_set_field(&w, "pkcs11EncryptedKey", l); + json_variant_sensitive(l); + + r = json_variant_set_field(&w, "tokenPin", l); if (r < 0) - return log_error_errno(r, "Failed to set PKCS#11 encrypted key: %m"); + return log_error_errno(r, "Failed to update PIN field: %m"); - r = json_variant_set_field(v, "privileged", w); + r = json_variant_set_field(v, "secret", w); if (r < 0) - return log_error_errno(r, "Failed to update privileged field: %m"); + return log_error_errno(r, "Failed to update secret object: %m"); - return 0; + return 1; } +#if HAVE_P11KIT + static int add_pkcs11_token_uri(JsonVariant **v, const char *uri) { _cleanup_(json_variant_unrefp) JsonVariant *w = NULL; _cleanup_strv_free_ char **l = NULL; @@ -98,100 +91,82 @@ static int add_pkcs11_token_uri(JsonVariant **v, const char *uri) { return 0; } -int identity_add_token_pin(JsonVariant **v, const char *pin) { - _cleanup_(json_variant_unrefp) JsonVariant *w = NULL, *l = NULL; - _cleanup_strv_free_erase_ char **pins = NULL; +static int add_pkcs11_encrypted_key( + JsonVariant **v, + const char *uri, + const void *encrypted_key, size_t encrypted_key_size, + const void *decrypted_key, size_t decrypted_key_size) { + + _cleanup_(json_variant_unrefp) JsonVariant *l = NULL, *w = NULL, *e = NULL; + _cleanup_(erase_and_freep) char *base64_encoded = NULL, *hashed = NULL; + ssize_t base64_encoded_size; int r; assert(v); + assert(uri); + assert(encrypted_key); + assert(encrypted_key_size > 0); + assert(decrypted_key); + assert(decrypted_key_size > 0); - if (isempty(pin)) - return 0; - - w = json_variant_ref(json_variant_by_key(*v, "secret")); - l = json_variant_ref(json_variant_by_key(w, "tokenPin")); + /* Before using UNIX hashing on the supplied key we base64 encode it, since crypt_r() and friends + * expect a NUL terminated string, and we use a binary key */ + base64_encoded_size = base64mem(decrypted_key, decrypted_key_size, &base64_encoded); + if (base64_encoded_size < 0) + return log_error_errno(base64_encoded_size, "Failed to base64 encode secret key: %m"); - r = json_variant_strv(l, &pins); + r = hash_password(base64_encoded, &hashed); if (r < 0) - return log_error_errno(r, "Failed to convert PIN array: %m"); - - if (strv_contains(pins, pin)) - return 0; + return log_error_errno(errno_or_else(EINVAL), "Failed to UNIX hash secret key: %m"); - r = strv_extend(&pins, pin); + r = json_build(&e, JSON_BUILD_OBJECT( + JSON_BUILD_PAIR("uri", JSON_BUILD_STRING(uri)), + JSON_BUILD_PAIR("data", JSON_BUILD_BASE64(encrypted_key, encrypted_key_size)), + JSON_BUILD_PAIR("hashedPassword", JSON_BUILD_STRING(hashed)))); if (r < 0) - return log_oom(); - - strv_uniq(pins); + return log_error_errno(r, "Failed to build encrypted JSON key object: %m"); - l = json_variant_unref(l); + w = json_variant_ref(json_variant_by_key(*v, "privileged")); + l = json_variant_ref(json_variant_by_key(w, "pkcs11EncryptedKey")); - r = json_variant_new_array_strv(&l, pins); + r = json_variant_append_array(&l, e); if (r < 0) - return log_error_errno(r, "Failed to allocate new PIN array JSON: %m"); - - json_variant_sensitive(l); + return log_error_errno(r, "Failed append PKCS#11 encrypted key: %m"); - r = json_variant_set_field(&w, "tokenPin", l); + r = json_variant_set_field(&w, "pkcs11EncryptedKey", l); if (r < 0) - return log_error_errno(r, "Failed to update PIN field: %m"); + return log_error_errno(r, "Failed to set PKCS#11 encrypted key: %m"); - r = json_variant_set_field(v, "secret", w); + r = json_variant_set_field(v, "privileged", w); if (r < 0) - return log_error_errno(r, "Failed to update secret object: %m"); - - return 1; -} + return log_error_errno(r, "Failed to update privileged field: %m"); -static int acquire_pkcs11_certificate( - const char *uri, - const char *askpw_friendly_name, - const char *askpw_icon_name, - X509 **ret_cert, - char **ret_pin_used) { -#if HAVE_P11KIT - return pkcs11_acquire_certificate(uri, askpw_friendly_name, askpw_icon_name, ret_cert, ret_pin_used); -#else - return log_error_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), - "PKCS#11 tokens not supported on this build."); -#endif + return 0; } int identity_add_pkcs11_key_data(JsonVariant **v, const char *uri) { - _cleanup_(erase_and_freep) void *decrypted_key = NULL, *encrypted_key = NULL; + _cleanup_(erase_and_freep) void *decrypted_key = NULL, *saved_key = NULL; _cleanup_(erase_and_freep) char *pin = NULL; - size_t decrypted_key_size, encrypted_key_size; - _cleanup_(X509_freep) X509 *cert = NULL; - EVP_PKEY *pkey; + size_t decrypted_key_size, saved_key_size; + _cleanup_(EVP_PKEY_freep) EVP_PKEY *pkey = NULL; int r; assert(v); - r = acquire_pkcs11_certificate(uri, "home directory operation", "user-home", &cert, &pin); + r = pkcs11_acquire_public_key( + uri, + "home directory operation", + "user-home", + "home.token-pin", + /* askpw_flags= */ 0, + &pkey, + &pin); if (r < 0) return r; - pkey = X509_get0_pubkey(cert); - if (!pkey) - return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to extract public key from X.509 certificate."); - - r = rsa_pkey_to_suitable_key_size(pkey, &decrypted_key_size); + r = pkey_generate_volume_keys(pkey, &decrypted_key, &decrypted_key_size, &saved_key, &saved_key_size); if (r < 0) - return log_error_errno(r, "Failed to extract RSA key size from X509 certificate."); - - log_debug("Generating %zu bytes random key.", decrypted_key_size); - - decrypted_key = malloc(decrypted_key_size); - if (!decrypted_key) - return log_oom(); - - r = crypto_random_bytes(decrypted_key, decrypted_key_size); - if (r < 0) - return log_error_errno(r, "Failed to generate random key: %m"); - - r = rsa_encrypt_bytes(pkey, decrypted_key, decrypted_key_size, &encrypted_key, &encrypted_key_size); - if (r < 0) - return log_error_errno(r, "Failed to encrypt key: %m"); + return log_error_errno(r, "Failed to generate volume keys: %m"); /* Add the token URI to the public part of the record. */ r = add_pkcs11_token_uri(v, uri); @@ -202,7 +177,7 @@ int identity_add_pkcs11_key_data(JsonVariant **v, const char *uri) { r = add_pkcs11_encrypted_key( v, uri, - encrypted_key, encrypted_key_size, + saved_key, saved_key_size, decrypted_key, decrypted_key_size); if (r < 0) return r; @@ -216,3 +191,5 @@ int identity_add_pkcs11_key_data(JsonVariant **v, const char *uri) { return 0; } + +#endif |