authorLennart Poettering <lennart@poettering.net>2023-11-20 18:00:35 +0100
committerLennart Poettering <lennart@poettering.net>2024-01-05 17:20:05 +0100
commit9c3d8db990ae9601ac434f56e9f1d2f82026bda6 (patch)
tree363c4f12e908ad6701ed26229fc2483afc530ff2 /src/shared/creds-util.h
parentMerge pull request #30754 from poettering/iovecification (diff)
creds-util: optionally, allow NULL credentials even with TPM
Diffstat (limited to 'src/shared/creds-util.h')
-rw-r--r--src/shared/creds-util.h8
1 files changed, 6 insertions, 2 deletions
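--- a/src/shared/creds-util.h
+++ b/src/shared/creds-util.h
@@ -57,6 +57,10 @@ int get_credential_host_secret(CredentialSecretFlags flags, struct iovec *ret);
 int get_credential_user_password(const char *username, char **ret_password, bool *ret_is_hashed);
+typedef enum CredentialFlags {
+ CREDENTIAL_ALLOW_NULL = 1 << 0, /* allow decryption of NULL key, even if TPM is around */
+} CredentialFlags;
+
 /* The four modes we support: keyed only by on-disk key, only by TPM2 HMAC key, and by the combination of
 * both, as well as one with a fixed zero length key if TPM2 is missing (the latter of course provides no
 * authenticity or confidentiality, but is still useful for integrity protection, and makes things simpler
@@ -77,5 +81,5 @@ int get_credential_user_password(const char *username, char **ret_password, bool
 #define _CRED_AUTO SD_ID128_MAKE(a2,19,cb,07,85,b2,4c,04,b1,6d,18,ca,b9,d2,ee,01)
 #define _CRED_AUTO_INITRD SD_ID128_MAKE(02,dc,8e,de,3a,02,43,ab,a9,ec,54,9c,05,e6,a0,71)
-int encrypt_credential_and_warn(sd_id128_t with_key, const char *name, usec_t timestamp, usec_t not_after, const char *tpm2_device, uint32_t tpm2_hash_pcr_mask, const char *tpm2_pubkey_path, uint32_t tpm2_pubkey_pcr_mask, const struct iovec *input, struct iovec *ret);
-int decrypt_credential_and_warn(const char *validate_name, usec_t validate_timestamp, const char *tpm2_device, const char *tpm2_signature_path, const struct iovec *input, struct iovec *ret);
+int encrypt_credential_and_warn(sd_id128_t with_key, const char *name, usec_t timestamp, usec_t not_after, const char *tpm2_device, uint32_t tpm2_hash_pcr_mask, const char *tpm2_pubkey_path, uint32_t tpm2_pubkey_pcr_mask, const struct iovec *input, CredentialFlags flags, struct iovec *ret);
+int decrypt_credential_and_warn(const char *validate_name, usec_t validate_timestamp, const char *tpm2_device, const char *tpm2_signature_path, const struct iovec *input, CredentialFlags flags, struct iovec *ret);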
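Review bot: The comment on CREDENTIAL_ALLOW_NULL in the first hunk describes only decryption, yet the same `CredentialFlags flags` parameter is added to encrypt_credential_and_warn() in the second hunk, so the header does not say whether the flag also lets encryption select the zero-length key when a TPM2 is present; the bodies that decide this live in the .c file, outside this diff. The flag also deserves its trust consequence spelled out next to it, because the comment a few lines below already states that the null key provides no authenticity or confidentiality: with the flag set, decrypt presumably accepts a blob that anyone could have produced, even on a TPM-equipped host, which is the check the TPM-keyed modes exist to provide. I would expand the comment to `/* Accept (and, on encryption, presumably permit) credentials keyed by the zero-length "null" key even when a TPM2 is available; such credentials carry no authenticity or confidentiality, so only set this for non-secret data whose forgery is harmless */`, adjusting the encryption half to whatever the implementation actually does.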