1 /* $NetBSD: dst_api.c,v 1.3 2012/11/16 02:16:38 christos Exp $ */
2
3 /*
4 * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
5 *
6 * Permission to use, copy modify, and distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS
11 * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
12 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
13 * TRUSTED INFORMATION SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT,
14 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
15 * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
16 * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
17 * WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
18 */
19 /*
20 * This file contains the interface between the DST API and the crypto API.
21 * This is the only file that needs to be changed if the crypto system is
22 * changed. Exported functions are:
23 * void dst_init() Initialize the toolkit
24 * int dst_check_algorithm() Function to determines if alg is suppored.
25 * int dst_compare_keys() Function to compare two keys for equality.
26 * int dst_sign_data() Incremental signing routine.
27 * int dst_verify_data() Incremental verify routine.
28 * int dst_generate_key() Function to generate new KEY
29 * DST_KEY *dst_read_key() Function to retrieve private/public KEY.
30 * void dst_write_key() Function to write out a key.
31 * DST_KEY *dst_dnskey_to_key() Function to convert DNS KEY RR to a DST
32 * KEY structure.
33 * int dst_key_to_dnskey() Function to return a public key in DNS
34 * format binary
35 * DST_KEY *dst_buffer_to_key() Converst a data in buffer to KEY
36 * int *dst_key_to_buffer() Writes out DST_KEY key matterial in buffer
37 * void dst_free_key() Releases all memory referenced by key structure
38 */
39 #include <sys/cdefs.h>
40 #if 0
41 static const char rcsid[] = "Header: /proj/cvs/prod/libbind/dst/dst_api.c,v 1.17 2007/09/24 17:18:25 each Exp ";
42 #endif
43
44
45 #include "port_before.h"
46 #include <stdio.h>
47 #include <errno.h>
48 #include <fcntl.h>
49 #include <stdlib.h>
50 #include <unistd.h>
51 #include <string.h>
52 #include <memory.h>
53 #include <ctype.h>
54 #include <time.h>
55 #include <sys/param.h>
56 #include <sys/stat.h>
57 #include <sys/socket.h>
58 #include <netinet/in.h>
59 #include <arpa/nameser.h>
60 #include <resolv.h>
61
62 #include "dst_internal.h"
63 #include "port_after.h"
64
65 /* static variables */
66 static int done_init = 0;
67 dst_func *dst_t_func[DST_MAX_ALGS];
68 const char *dst_path = "";
69
70 /* internal I/O functions */
71 static DST_KEY *dst_s_read_public_key(const char *in_name,
72 const u_int16_t in_id, int in_alg);
73 static int dst_s_read_private_key_file(char *name, DST_KEY *pk_key,
74 u_int16_t in_id, int in_alg);
75 static int dst_s_write_public_key(const DST_KEY *key);
76 static int dst_s_write_private_key(const DST_KEY *key);
77
78 /* internal function to set up data structure */
79 static DST_KEY *dst_s_get_key_struct(const char *name, const int alg,
80 const int flags, const int protocol,
81 const int bits);
82
83 /*%
84 * dst_init
85 * This function initializes the Digital Signature Toolkit.
86 * Right now, it just checks the DSTKEYPATH environment variable.
87 * Parameters
88 * none
89 * Returns
90 * none
91 */
92 void
dst_init(void)93 dst_init(void)
94 {
95 char *s;
96 size_t len;
97
98 if (done_init != 0)
99 return;
100 done_init = 1;
101
102 s = getenv("DSTKEYPATH");
103 len = 0;
104 if (s) {
105 struct stat statbuf;
106
107 len = strlen(s);
108 if (len > PATH_MAX) {
109 EREPORT(("%s: %s is longer than %d characters,"
110 " ignoring\n", __func__, s, PATH_MAX));
111 } else if (stat(s, &statbuf) != 0 ||
112 !S_ISDIR(statbuf.st_mode)) {
113 EREPORT(("%s: %s is not a valid directory\n",
114 __func__, s));
115 } else {
116 char *tmp;
117 tmp = (char *) malloc(len + 2);
118 memcpy(tmp, s, len + 1);
119 if (tmp[strlen(tmp) - 1] != '/') {
120 tmp[strlen(tmp) + 1] = 0;
121 tmp[strlen(tmp)] = '/';
122 }
123 dst_path = tmp;
124 }
125 }
126 memset(dst_t_func, 0, sizeof(dst_t_func));
127 /* first one is selected */
128 dst_hmac_md5_init();
129 }
130
131 /*%
132 * dst_check_algorithm
133 * This function determines if the crypto system for the specified
134 * algorithm is present.
135 * Parameters
136 * alg 1 KEY_RSA
137 * 3 KEY_DSA
138 * 157 KEY_HMAC_MD5
139 * future algorithms TBD and registered with IANA.
140 * Returns
141 * 1 - The algorithm is available.
142 * 0 - The algorithm is not available.
143 */
144 int
dst_check_algorithm(const int alg)145 dst_check_algorithm(const int alg)
146 {
147 return (dst_t_func[alg] != NULL);
148 }
149
150 /*%
151 * dst_s_get_key_struct
152 * This function allocates key structure and fills in some of the
153 * fields of the structure.
154 * Parameters:
155 * name: the name of the key
156 * alg: the algorithm number
157 * flags: the dns flags of the key
158 * protocol: the dns protocol of the key
159 * bits: the size of the key
160 * Returns:
161 * NULL if error
162 * valid pointer otherwise
163 */
164 static DST_KEY *
dst_s_get_key_struct(const char * name,const int alg,const int flags,const int protocol,const int bits)165 dst_s_get_key_struct(const char *name, const int alg, const int flags,
166 const int protocol, const int bits)
167 {
168 DST_KEY *new_key = NULL;
169
170 if (dst_check_algorithm(alg)) /*%< make sure alg is available */
171 new_key = (DST_KEY *) malloc(sizeof(*new_key));
172 if (new_key == NULL)
173 return (NULL);
174
175 memset(new_key, 0, sizeof(*new_key));
176 new_key->dk_key_name = strdup(name);
177 if (new_key->dk_key_name == NULL) {
178 free(new_key);
179 return (NULL);
180 }
181 new_key->dk_alg = alg;
182 new_key->dk_flags = flags;
183 new_key->dk_proto = protocol;
184 new_key->dk_KEY_struct = NULL;
185 new_key->dk_key_size = bits;
186 new_key->dk_func = dst_t_func[alg];
187 return (new_key);
188 }
189
190 /*%
191 * dst_compare_keys
192 * Compares two keys for equality.
193 * Parameters
194 * key1, key2 Two keys to be compared.
195 * Returns
196 * 0 The keys are equal.
197 * non-zero The keys are not equal.
198 */
199
200 int
dst_compare_keys(const DST_KEY * key1,const DST_KEY * key2)201 dst_compare_keys(const DST_KEY *key1, const DST_KEY *key2)
202 {
203 if (key1 == key2)
204 return (0);
205 if (key1 == NULL || key2 == NULL)
206 return (4);
207 if (key1->dk_alg != key2->dk_alg)
208 return (1);
209 if (key1->dk_key_size != key2->dk_key_size)
210 return (2);
211 if (key1->dk_id != key2->dk_id)
212 return (3);
213 return (key1->dk_func->compare(key1, key2));
214 }
215
216 /*%
217 * dst_sign_data
218 * An incremental signing function. Data is signed in steps.
219 * First the context must be initialized (SIG_MODE_INIT).
220 * Then data is hashed (SIG_MODE_UPDATE). Finally the signature
221 * itself is created (SIG_MODE_FINAL). This function can be called
222 * once with INIT, UPDATE and FINAL modes all set, or it can be
223 * called separately with a different mode set for each step. The
224 * UPDATE step can be repeated.
225 * Parameters
226 * mode A bit mask used to specify operation(s) to be performed.
227 * SIG_MODE_INIT 1 Initialize digest
228 * SIG_MODE_UPDATE 2 Add data to digest
229 * SIG_MODE_FINAL 4 Generate signature
230 * from signature
231 * SIG_MODE_ALL (SIG_MODE_INIT,SIG_MODE_UPDATE,SIG_MODE_FINAL
232 * data Data to be signed.
233 * len The length in bytes of data to be signed.
234 * in_key Contains a private key to sign with.
235 * KEY structures should be handled (created, converted,
236 * compared, stored, freed) by the DST.
237 * signature
238 * The location to which the signature will be written.
239 * sig_len Length of the signature field in bytes.
240 * Return
241 * 0 Successfull INIT or Update operation
242 * >0 success FINAL (sign) operation
243 * <0 failure
244 */
245
246 int
dst_sign_data(const int mode,DST_KEY * in_key,void ** context,const u_char * data,const int len,u_char * signature,const int sig_len)247 dst_sign_data(const int mode, DST_KEY *in_key, void **context,
248 const u_char *data, const int len,
249 u_char *signature, const int sig_len)
250 {
251 DUMP(data, mode, len, "dst_sign_data()");
252
253 if (mode & SIG_MODE_FINAL &&
254 (in_key->dk_KEY_struct == NULL || signature == NULL))
255 return (MISSING_KEY_OR_SIGNATURE);
256
257 if (in_key->dk_func && in_key->dk_func->sign)
258 return (in_key->dk_func->sign(mode, in_key, context, data, len,
259 signature, sig_len));
260 return (UNKNOWN_KEYALG);
261 }
262
263 /*%
264 * dst_verify_data
265 * An incremental verify function. Data is verified in steps.
266 * First the context must be initialized (SIG_MODE_INIT).
267 * Then data is hashed (SIG_MODE_UPDATE). Finally the signature
268 * is verified (SIG_MODE_FINAL). This function can be called
269 * once with INIT, UPDATE and FINAL modes all set, or it can be
270 * called separately with a different mode set for each step. The
271 * UPDATE step can be repeated.
272 * Parameters
273 * mode Operations to perform this time.
274 * SIG_MODE_INIT 1 Initialize digest
275 * SIG_MODE_UPDATE 2 add data to digest
276 * SIG_MODE_FINAL 4 verify signature
277 * SIG_MODE_ALL
278 * (SIG_MODE_INIT,SIG_MODE_UPDATE,SIG_MODE_FINAL)
279 * data Data to pass through the hash function.
280 * len Length of the data in bytes.
281 * in_key Key for verification.
282 * signature Location of signature.
283 * sig_len Length of the signature in bytes.
284 * Returns
285 * 0 Verify success
286 * Non-Zero Verify Failure
287 */
288
289 int
dst_verify_data(const int mode,DST_KEY * in_key,void ** context,const u_char * data,const int len,const u_char * signature,const int sig_len)290 dst_verify_data(const int mode, DST_KEY *in_key, void **context,
291 const u_char *data, const int len,
292 const u_char *signature, const int sig_len)
293 {
294 DUMP(data, mode, len, "dst_verify_data()");
295 if (mode & SIG_MODE_FINAL &&
296 (in_key->dk_KEY_struct == NULL || signature == NULL))
297 return (MISSING_KEY_OR_SIGNATURE);
298
299 if (in_key->dk_func == NULL || in_key->dk_func->verify == NULL)
300 return (UNSUPPORTED_KEYALG);
301 return (in_key->dk_func->verify(mode, in_key, context, data, len,
302 signature, sig_len));
303 }
304
305 /*%
306 * dst_read_private_key
307 * Access a private key. First the list of private keys that have
308 * already been read in is searched, then the key accessed on disk.
309 * If the private key can be found, it is returned. If the key cannot
310 * be found, a null pointer is returned. The options specify required
311 * key characteristics. If the private key requested does not have
312 * these characteristics, it will not be read.
313 * Parameters
314 * in_keyname The private key name.
315 * in_id The id of the private key.
316 * options DST_FORCE_READ Read from disk - don't use a previously
317 * read key.
318 * DST_CAN_SIGN The key must be useable for signing.
319 * DST_NO_AUTHEN The key must be useable for authentication.
320 * DST_STANDARD Return any key
321 * Returns
322 * NULL If there is no key found in the current directory or
323 * this key has not been loaded before.
324 * !NULL Success - KEY structure returned.
325 */
326
327 DST_KEY *
dst_read_key(const char * in_keyname,const u_int16_t in_id,const int in_alg,const int type)328 dst_read_key(const char *in_keyname, const u_int16_t in_id,
329 const int in_alg, const int type)
330 {
331 char keyname[PATH_MAX];
332 DST_KEY *dg_key = NULL, *pubkey = NULL;
333
334 if (!dst_check_algorithm(in_alg)) { /*%< make sure alg is available */
335 EREPORT(("%s: Algorithm %d not suppored\n", __func__, in_alg));
336 return (NULL);
337 }
338 if ((type & (DST_PUBLIC | DST_PRIVATE)) == 0)
339 return (NULL);
340 if (in_keyname == NULL) {
341 EREPORT(("%s: Null key name passed in\n", __func__));
342 return (NULL);
343 } else if (strlen(in_keyname) >= sizeof(keyname)) {
344 EREPORT(("%s: keyname too big\n", __func__));
345 return (NULL);
346 } else
347 strcpy(keyname, in_keyname);
348
349 /* before I read in the public key, check if it is allowed to sign */
350 if ((pubkey = dst_s_read_public_key(keyname, in_id, in_alg)) == NULL)
351 return (NULL);
352
353 if (type == DST_PUBLIC)
354 return pubkey;
355
356 if (!(dg_key = dst_s_get_key_struct(keyname, pubkey->dk_alg,
357 (int)pubkey->dk_flags,
358 pubkey->dk_proto, 0)))
359 return (dg_key);
360 /* Fill in private key and some fields in the general key structure */
361 if (dst_s_read_private_key_file(keyname, dg_key, pubkey->dk_id,
362 pubkey->dk_alg) == 0)
363 dg_key = dst_free_key(dg_key);
364
365 (void)dst_free_key(pubkey);
366 return (dg_key);
367 }
368
369 int
dst_write_key(const DST_KEY * key,const int type)370 dst_write_key(const DST_KEY *key, const int type)
371 {
372 int pub = 0, priv = 0;
373
374 if (key == NULL)
375 return (0);
376 if (!dst_check_algorithm(key->dk_alg)) { /*%< make sure alg is available */
377 EREPORT(("%s: Algorithm %d not suppored\n", __func__,
378 key->dk_alg));
379 return (UNSUPPORTED_KEYALG);
380 }
381 if ((type & (DST_PRIVATE|DST_PUBLIC)) == 0)
382 return (0);
383
384 if (type & DST_PUBLIC)
385 if ((pub = dst_s_write_public_key(key)) < 0)
386 return (pub);
387 if (type & DST_PRIVATE)
388 if ((priv = dst_s_write_private_key(key)) < 0)
389 return (priv);
390 return (priv+pub);
391 }
392
393 /*%
394 * dst_write_private_key
395 * Write a private key to disk. The filename will be of the form:
396 * K<key->dk_name>+<key->dk_alg+><key-d>k_id.><private key suffix>.
397 * If there is already a file with this name, an error is returned.
398 *
399 * Parameters
400 * key A DST managed key structure that contains
401 * all information needed about a key.
402 * Return
403 * >= 0 Correct behavior. Returns length of encoded key value
404 * written to disk.
405 * < 0 error.
406 */
407
408 static int
dst_s_write_private_key(const DST_KEY * key)409 dst_s_write_private_key(const DST_KEY *key)
410 {
411 u_char encoded_block[RAW_KEY_SIZE];
412 char file[PATH_MAX];
413 int len;
414 FILE *fp;
415
416 /* First encode the key into the portable key format */
417 if (key == NULL)
418 return (-1);
419 if (key->dk_KEY_struct == NULL)
420 return (0); /*%< null key has no private key */
421 if (key->dk_func == NULL || key->dk_func->to_file_fmt == NULL) {
422 EREPORT(("%s: Unsupported operation %d\n", __func__,
423 key->dk_alg));
424 return (-5);
425 } else if ((len = key->dk_func->to_file_fmt(key, (char *)encoded_block,
426 (int)sizeof(encoded_block))) <= 0) {
427 EREPORT(("%s: Failed encoding private RSA bsafe key %d\n",
428 __func__, len));
429 return (-8);
430 }
431 /* Now I can create the file I want to use */
432 dst_s_build_filename(file, key->dk_key_name, key->dk_id, key->dk_alg,
433 PRIVATE_KEY, PATH_MAX);
434
435 /* Do not overwrite an existing file */
436 if ((fp = dst_s_fopen(file, "w", 0600)) != NULL) {
437 ssize_t nn;
438 nn = fwrite(encoded_block, 1, len, fp);
439 if (nn != len) {
440 EREPORT(("%s: Write failure on %s %d != %zd"
441 " errno=%d\n", __func__, file, len, nn, errno));
442
443 fclose(fp);
444 return (-5);
445 }
446 fclose(fp);
447 } else {
448 EREPORT(("%s: Can not create file %s\n", __func__,
449 file));
450 return (-6);
451 }
452 memset(encoded_block, 0, len);
453 return (len);
454 }
455
456 /*%
457 *
458 * dst_read_public_key
459 * Read a public key from disk and store in a DST key structure.
460 * Parameters
461 * in_name K<in_name><in_id>.<public key suffix> is the
462 * filename of the key file to be read.
463 * Returns
464 * NULL If the key does not exist or no name is supplied.
465 * NON-NULL Initialized key structure if the key exists.
466 */
467
468 static DST_KEY *
dst_s_read_public_key(const char * in_name,const u_int16_t in_id,int in_alg)469 dst_s_read_public_key(const char *in_name, const u_int16_t in_id, int in_alg)
470 {
471 int flags, proto, alg, dlen;
472 size_t len;
473 int c;
474 char name[PATH_MAX], enckey[RAW_KEY_SIZE], *notspace;
475 u_char deckey[RAW_KEY_SIZE];
476 FILE *fp;
477
478 if (in_name == NULL) {
479 EREPORT(("%s: No key name given\n", __func__));
480 return (NULL);
481 }
482 if (dst_s_build_filename(name, in_name, in_id, in_alg, PUBLIC_KEY,
483 PATH_MAX) == -1) {
484 EREPORT(("%s: Cannot make filename from %s, %d, and %s\n",
485 __func__, in_name, in_id, PUBLIC_KEY));
486 return (NULL);
487 }
488 /*
489 * Open the file and read it's formatted contents up to key
490 * File format:
491 * domain.name [ttl] [IN] KEY <flags> <protocol> <algorithm> <key>
492 * flags, proto, alg stored as decimal (or hex numbers FIXME).
493 * (FIXME: handle parentheses for line continuation.)
494 */
495 if ((fp = dst_s_fopen(name, "r", 0)) == NULL) {
496 EREPORT(("%s: Public Key not found %s\n", __func__, name));
497 return (NULL);
498 }
499 /* Skip domain name, which ends at first blank */
500 while ((c = getc(fp)) != EOF)
501 if (isspace(c))
502 break;
503 /* Skip blank to get to next field */
504 while ((c = getc(fp)) != EOF)
505 if (!isspace(c))
506 break;
507
508 /* Skip optional TTL -- if initial digit, skip whole word. */
509 if (isdigit(c)) {
510 while ((c = getc(fp)) != EOF)
511 if (isspace(c))
512 break;
513 while ((c = getc(fp)) != EOF)
514 if (!isspace(c))
515 break;
516 }
517 /* Skip optional "IN" */
518 if (c == 'I' || c == 'i') {
519 while ((c = getc(fp)) != EOF)
520 if (isspace(c))
521 break;
522 while ((c = getc(fp)) != EOF)
523 if (!isspace(c))
524 break;
525 }
526 /* Locate and skip "KEY" */
527 if (c != 'K' && c != 'k') {
528 EREPORT(("%s: \"KEY\" doesn't appear in file: %s", __func__,
529 name));
530 return NULL;
531 }
532 while ((c = getc(fp)) != EOF)
533 if (isspace(c))
534 break;
535 while ((c = getc(fp)) != EOF)
536 if (!isspace(c))
537 break;
538 ungetc(c, fp); /*%< return the charcter to the input field */
539 /* Handle hex!! FIXME. */
540
541 if (fscanf(fp, "%d %d %d", &flags, &proto, &alg) != 3) {
542 EREPORT(("%s: Can not read flag/proto/alg field from %s\n",
543 __func__, name));
544 return (NULL);
545 }
546 /* read in the key string */
547 fgets(enckey, (int)sizeof(enckey), fp);
548
549 /* If we aren't at end-of-file, something is wrong. */
550 while ((c = getc(fp)) != EOF)
551 if (!isspace(c))
552 break;
553 if (!feof(fp)) {
554 EREPORT(("%s: Key too long in file: %s", __func__, name));
555 return NULL;
556 }
557 fclose(fp);
558
559 if ((len = strlen(enckey)) == 0)
560 return (NULL);
561
562 /* discard \n */
563 enckey[--len] = '\0';
564
565 /* remove leading spaces */
566 for (notspace = (char *) enckey; isspace((*notspace)&0xff); len--)
567 notspace++;
568
569 dlen = b64_pton(notspace, deckey, sizeof(deckey));
570 if (dlen < 0) {
571 EREPORT(("%s: bad return from b64_pton = %d", __func__, dlen));
572 return (NULL);
573 }
574 /* store key and info in a key structure that is returned */
575 /* return dst_store_public_key(in_name, alg, proto, 666, flags, deckey,
576 dlen);*/
577 return dst_buffer_to_key(in_name, alg, flags, proto, deckey, dlen);
578 }
579
580 /*%
581 * dst_write_public_key
582 * Write a key to disk in DNS format.
583 * Parameters
584 * key Pointer to a DST key structure.
585 * Returns
586 * 0 Failure
587 * 1 Success
588 */
589
590 static int
dst_s_write_public_key(const DST_KEY * key)591 dst_s_write_public_key(const DST_KEY *key)
592 {
593 FILE *fp;
594 char filename[PATH_MAX];
595 u_char out_key[RAW_KEY_SIZE];
596 char enc_key[RAW_KEY_SIZE];
597 int len = 0;
598 int mode;
599
600 memset(out_key, 0, sizeof(out_key));
601 if (key == NULL) {
602 EREPORT(("%s: No key specified \n", __func__));
603 return (0);
604 } else if ((len = dst_key_to_dnskey(key, out_key,
605 (int)sizeof(out_key)))< 0)
606 return (0);
607
608 /* Make the filename */
609 if (dst_s_build_filename(filename, key->dk_key_name, key->dk_id,
610 key->dk_alg, PUBLIC_KEY, PATH_MAX) == -1) {
611 EREPORT(("%s: Cannot make filename from %s, %d, and %s\n",
612 __func__, key->dk_key_name, key->dk_id, PUBLIC_KEY));
613 return (0);
614 }
615 /* XXX in general this should be a check for symmetric keys */
616 mode = (key->dk_alg == KEY_HMAC_MD5) ? 0600 : 0644;
617 /* create public key file */
618 if ((fp = dst_s_fopen(filename, "w+", mode)) == NULL) {
619 EREPORT(("%s: open of file:%s failed (errno=%d)\n",
620 __func__, filename, errno));
621 return (0);
622 }
623 /*write out key first base64 the key data */
624 if (key->dk_flags & DST_EXTEND_FLAG)
625 b64_ntop(&out_key[6], len - 6, enc_key, sizeof(enc_key));
626 else
627 b64_ntop(&out_key[4], len - 4, enc_key, sizeof(enc_key));
628 fprintf(fp, "%s IN KEY %d %d %d %s\n",
629 key->dk_key_name,
630 key->dk_flags, key->dk_proto, key->dk_alg, enc_key);
631 fclose(fp);
632 return (1);
633 }
634
635 /*%
636 * dst_dnskey_to_public_key
637 * This function converts the contents of a DNS KEY RR into a DST
638 * key structure.
639 * Paramters
640 * len Length of the RDATA of the KEY RR RDATA
641 * rdata A pointer to the the KEY RR RDATA.
642 * in_name Key name to be stored in key structure.
643 * Returns
644 * NULL Failure
645 * NON-NULL Success. Pointer to key structure.
646 * Caller's responsibility to free() it.
647 */
648
649 DST_KEY *
dst_dnskey_to_key(const char * in_name,const u_char * rdata,const int len)650 dst_dnskey_to_key(const char *in_name, const u_char *rdata, const int len)
651 {
652 DST_KEY *key_st;
653 int alg ;
654 int start = DST_KEY_START;
655
656 if (rdata == NULL || len <= DST_KEY_ALG) /*%< no data */
657 return (NULL);
658 alg = (u_int8_t) rdata[DST_KEY_ALG];
659 if (!dst_check_algorithm(alg)) { /*%< make sure alg is available */
660 EREPORT(("%s: Algorithm %d not suppored\n", __func__,
661 alg));
662 return (NULL);
663 }
664
665 if (in_name == NULL)
666 return (NULL);
667
668 if ((key_st = dst_s_get_key_struct(in_name, alg, 0, 0, 0)) == NULL)
669 return (NULL);
670
671 key_st->dk_id = dst_s_dns_key_id(rdata, len);
672 key_st->dk_flags = dst_s_get_int16(rdata);
673 key_st->dk_proto = (u_int16_t) rdata[DST_KEY_PROT];
674 if (key_st->dk_flags & DST_EXTEND_FLAG) {
675 u_int32_t ext_flags;
676 ext_flags = (u_int32_t) dst_s_get_int16(&rdata[DST_EXT_FLAG]);
677 key_st->dk_flags = key_st->dk_flags | (ext_flags << 16);
678 start += 2;
679 }
680 /*
681 * now point to the begining of the data representing the encoding
682 * of the key
683 */
684 if (key_st->dk_func && key_st->dk_func->from_dns_key) {
685 if (key_st->dk_func->from_dns_key(key_st, &rdata[start],
686 len - start) > 0)
687 return (key_st);
688 } else
689 EREPORT(("%s: unsuppored alg %d\n", __func__,
690 alg));
691
692 SAFE_FREE(key_st);
693 return (NULL);
694 }
695
696 /*%
697 * dst_public_key_to_dnskey
698 * Function to encode a public key into DNS KEY wire format
699 * Parameters
700 * key Key structure to encode.
701 * out_storage Location to write the encoded key to.
702 * out_len Size of the output array.
703 * Returns
704 * <0 Failure
705 * >=0 Number of bytes written to out_storage
706 */
707
708 int
dst_key_to_dnskey(const DST_KEY * key,u_char * out_storage,const int out_len)709 dst_key_to_dnskey(const DST_KEY *key, u_char *out_storage,
710 const int out_len)
711 {
712 u_int16_t val;
713 int loc = 0;
714 int enc_len = 0;
715 if (key == NULL)
716 return (-1);
717
718 if (!dst_check_algorithm(key->dk_alg)) { /*%< make sure alg is available */
719 EREPORT(("%s: Algorithm %d not suppored\n", __func__,
720 key->dk_alg));
721 return (UNSUPPORTED_KEYALG);
722 }
723 memset(out_storage, 0, out_len);
724 val = (u_int16_t)(key->dk_flags & 0xffff);
725 dst_s_put_int16(out_storage, val);
726 loc += 2;
727
728 out_storage[loc++] = (u_char) key->dk_proto;
729 out_storage[loc++] = (u_char) key->dk_alg;
730
731 if (key->dk_flags > 0xffff) { /*%< Extended flags */
732 val = (u_int16_t)((key->dk_flags >> 16) & 0xffff);
733 dst_s_put_int16(&out_storage[loc], val);
734 loc += 2;
735 }
736 if (key->dk_KEY_struct == NULL)
737 return (loc);
738 if (key->dk_func && key->dk_func->to_dns_key) {
739 enc_len = key->dk_func->to_dns_key(key,
740 (u_char *) &out_storage[loc],
741 out_len - loc);
742 if (enc_len > 0)
743 return (enc_len + loc);
744 else
745 return (-1);
746 } else
747 EREPORT(("%s: Unsupported ALG %d\n", __func__, key->dk_alg));
748 return (-1);
749 }
750
751 /*%
752 * dst_buffer_to_key
753 * Function to encode a string of raw data into a DST key
754 * Parameters
755 * alg The algorithm (HMAC only)
756 * key A pointer to the data
757 * keylen The length of the data
758 * Returns
759 * NULL an error occurred
760 * NON-NULL the DST key
761 */
762 DST_KEY *
dst_buffer_to_key(const char * key_name,const int alg,const int flags,const int protocol,const u_char * key_buf,const int key_len)763 dst_buffer_to_key(const char *key_name, /*!< name of the key */
764 const int alg, /*!< algorithm */
765 const int flags, /*!< dns flags */
766 const int protocol, /*!< dns protocol */
767 const u_char *key_buf, /*!< key in dns wire fmt */
768 const int key_len) /*!< size of key */
769 {
770
771 DST_KEY *dkey = NULL;
772 int dnslen;
773 u_char dns[2048];
774
775 if (!dst_check_algorithm(alg)) { /*%< make sure alg is available */
776 EREPORT(("%s: Algorithm %d not suppored\n", __func__, alg));
777 return (NULL);
778 }
779
780 dkey = dst_s_get_key_struct(key_name, alg, flags, protocol, -1);
781
782 if (dkey == NULL || dkey->dk_func == NULL ||
783 dkey->dk_func->from_dns_key == NULL)
784 return (dst_free_key(dkey));
785
786 if (dkey->dk_func->from_dns_key(dkey, key_buf, key_len) < 0) {
787 EREPORT(("%s: dst_buffer_to_hmac failed\n", __func__));
788 return (dst_free_key(dkey));
789 }
790
791 dnslen = dst_key_to_dnskey(dkey, dns, (int)sizeof(dns));
792 dkey->dk_id = dst_s_dns_key_id(dns, dnslen);
793 return (dkey);
794 }
795
796 int
dst_key_to_buffer(DST_KEY * key,u_char * out_buff,int buf_len)797 dst_key_to_buffer(DST_KEY *key, u_char *out_buff, int buf_len)
798 {
799 int len;
800 /* this function will extrac the secret of HMAC into a buffer */
801 if (key == NULL)
802 return (0);
803 if (key->dk_func != NULL && key->dk_func->to_dns_key != NULL) {
804 len = key->dk_func->to_dns_key(key, out_buff, buf_len);
805 if (len < 0)
806 return (0);
807 return (len);
808 }
809 return (0);
810 }
811
812 /*%
813 * dst_s_read_private_key_file
814 * Function reads in private key from a file.
815 * Fills out the KEY structure.
816 * Parameters
817 * name Name of the key to be read.
818 * pk_key Structure that the key is returned in.
819 * in_id Key identifier (tag)
820 * Return
821 * 1 if everthing works
822 * 0 if there is any problem
823 */
824
825 static int
dst_s_read_private_key_file(char * name,DST_KEY * pk_key,u_int16_t in_id,int in_alg)826 dst_s_read_private_key_file(char *name, DST_KEY *pk_key, u_int16_t in_id,
827 int in_alg)
828 {
829 int alg, major, minor, file_major, file_minor;
830 ssize_t cnt;
831 size_t len;
832 int ret, id;
833 char filename[PATH_MAX];
834 u_char in_buff[RAW_KEY_SIZE], *p;
835 FILE *fp;
836 int dnslen;
837 u_char dns[2048];
838
839 if (name == NULL || pk_key == NULL) {
840 EREPORT(("%s: No key name given\n", __func__));
841 return (0);
842 }
843 /* Make the filename */
844 if (dst_s_build_filename(filename, name, in_id, in_alg, PRIVATE_KEY,
845 PATH_MAX) == -1) {
846 EREPORT(("%s: Cannot make filename from %s, %d, and %s\n",
847 __func__, name, in_id, PRIVATE_KEY));
848 return (0);
849 }
850 /* first check if we can find the key file */
851 if ((fp = dst_s_fopen(filename, "r", 0)) == NULL) {
852 EREPORT(("%s: Could not open file %s in directory %s\n",
853 __func__, filename, dst_path[0] ? dst_path :
854 getcwd(NULL, PATH_MAX - 1)));
855 return (0);
856 }
857 /* now read the header info from the file */
858 if ((cnt = fread(in_buff, 1, sizeof(in_buff), fp)) < 5) {
859 fclose(fp);
860 EREPORT(("%s: error reading file %s (empty file)\n",
861 __func__, filename));
862 return (0);
863 }
864 len = cnt;
865 /* decrypt key */
866 fclose(fp);
867 if (memcmp(in_buff, "Private-key-format: v", 20) != 0)
868 goto fail;
869 p = in_buff;
870
871 if (!dst_s_verify_str((const char **) (void *)&p,
872 "Private-key-format: v")) {
873 EREPORT(("%s: Not a Key file/Decrypt failed %s\n", __func__,
874 name));
875 goto fail;
876 }
877 /* read in file format */
878 sscanf((char *)p, "%d.%d", &file_major, &file_minor);
879 sscanf(KEY_FILE_FORMAT, "%d.%d", &major, &minor);
880 if (file_major < 1) {
881 EREPORT(("%s: Unknown keyfile %d.%d version for %s\n",
882 __func__, file_major, file_minor, name));
883 goto fail;
884 } else if (file_major > major || file_minor > minor)
885 EREPORT(("%s: Keyfile %s version higher than mine %d.%d MAY"
886 " FAIL\n", __func__, name, file_major, file_minor));
887
888 while (*p++ != '\n') ; /*%< skip to end of line */
889
890 if (!dst_s_verify_str((const char **) (void *)&p, "Algorithm: "))
891 goto fail;
892
893 if (sscanf((char *)p, "%d", &alg) != 1)
894 goto fail;
895 while (*p++ != '\n') ; /*%< skip to end of line */
896
897 if (pk_key->dk_key_name && !strcmp(pk_key->dk_key_name, name))
898 SAFE_FREE2(pk_key->dk_key_name, strlen(pk_key->dk_key_name));
899 pk_key->dk_key_name = strdup(name);
900
901 /* allocate and fill in key structure */
902 if (pk_key->dk_func == NULL || pk_key->dk_func->from_file_fmt == NULL)
903 goto fail;
904
905 ret = pk_key->dk_func->from_file_fmt(pk_key, (char *)p,
906 (int)(&in_buff[len] - p));
907 if (ret < 0)
908 goto fail;
909
910 dnslen = dst_key_to_dnskey(pk_key, dns, (int)sizeof(dns));
911 id = dst_s_dns_key_id(dns, dnslen);
912
913 /* Make sure the actual key tag matches the input tag used in the
914 * filename */
915 if (id != in_id) {
916 EREPORT(("%s: actual tag of key read %d != input tag used to"
917 "build filename %d.\n", __func__, id, in_id));
918 goto fail;
919 }
920 pk_key->dk_id = (u_int16_t) id;
921 pk_key->dk_alg = alg;
922 memset(in_buff, 0, len);
923 return (1);
924
925 fail:
926 memset(in_buff, 0, len);
927 return (0);
928 }
929
930 /*%
931 * Generate and store a public/private keypair.
932 * Keys will be stored in formatted files.
933 *
934 * Parameters
935 &
936 *\par name Name of the new key. Used to create key files
937 *\li K<name>+<alg>+<id>.public and K<name>+<alg>+<id>.private.
938 *\par bits Size of the new key in bits.
939 *\par exp What exponent to use:
940 *\li 0 use exponent 3
941 *\li non-zero use Fermant4
942 *\par flags The default value of the DNS Key flags.
943 *\li The DNS Key RR Flag field is defined in RFC2065,
944 * section 3.3. The field has 16 bits.
945 *\par protocol
946 *\li Default value of the DNS Key protocol field.
947 *\li The DNS Key protocol field is defined in RFC2065,
948 * section 3.4. The field has 8 bits.
949 *\par alg What algorithm to use. Currently defined:
950 *\li KEY_RSA 1
951 *\li KEY_DSA 3
952 *\li KEY_HMAC 157
953 *\par out_id The key tag is returned.
954 *
955 * Return
956 *\li NULL Failure
957 *\li non-NULL the generated key pair
958 * Caller frees the result, and its dk_name pointer.
959 */
960 DST_KEY *
dst_generate_key(const char * name,const int bits,const int exp,const int flags,const int protocol,const int alg)961 dst_generate_key(const char *name, const int bits, const int exp,
962 const int flags, const int protocol, const int alg)
963 {
964 DST_KEY *new_key = NULL;
965 int dnslen;
966 u_char dns[2048];
967
968 if (name == NULL)
969 return (NULL);
970
971 if (!dst_check_algorithm(alg)) { /*%< make sure alg is available */
972 EREPORT(("%s: Algorithm %d not suppored\n", __func__, alg));
973 return (NULL);
974 }
975
976 new_key = dst_s_get_key_struct(name, alg, flags, protocol, bits);
977 if (new_key == NULL)
978 return (NULL);
979 if (bits == 0) /*%< null key we are done */
980 return (new_key);
981 if (new_key->dk_func == NULL || new_key->dk_func->generate == NULL) {
982 EREPORT(("%s: Unsupported algorithm %d\n", __func__, alg));
983 return (dst_free_key(new_key));
984 }
985 if (new_key->dk_func->generate(new_key, exp) <= 0) {
986 EREPORT(("%s: Key generation failure %s %d %d %d\n", __func__,
987 new_key->dk_key_name, new_key->dk_alg,
988 new_key->dk_key_size, exp));
989 return (dst_free_key(new_key));
990 }
991
992 dnslen = dst_key_to_dnskey(new_key, dns, (int)sizeof(dns));
993 if (dnslen != UNSUPPORTED_KEYALG)
994 new_key->dk_id = dst_s_dns_key_id(dns, dnslen);
995 else
996 new_key->dk_id = 0;
997
998 return (new_key);
999 }
1000
1001 /*%
1002 * Release all data structures pointed to by a key structure.
1003 *
1004 * Parameters
1005 *\li f_key Key structure to be freed.
1006 */
1007
1008 DST_KEY *
dst_free_key(DST_KEY * f_key)1009 dst_free_key(DST_KEY *f_key)
1010 {
1011
1012 if (f_key == NULL)
1013 return (f_key);
1014 if (f_key->dk_func && f_key->dk_func->destroy)
1015 f_key->dk_KEY_struct =
1016 f_key->dk_func->destroy(f_key->dk_KEY_struct);
1017 else {
1018 EREPORT(("%s: Unknown key alg %d\n", __func__, f_key->dk_alg));
1019 }
1020 if (f_key->dk_KEY_struct) {
1021 free(f_key->dk_KEY_struct);
1022 f_key->dk_KEY_struct = NULL;
1023 }
1024 if (f_key->dk_key_name)
1025 SAFE_FREE(f_key->dk_key_name);
1026 SAFE_FREE(f_key);
1027 return (NULL);
1028 }
1029
1030 /*%
1031 * Return the maximim size of signature from the key specified in bytes
1032 *
1033 * Parameters
1034 *\li key
1035 *
1036 * Returns
1037 * \li bytes
1038 */
1039 int
dst_sig_size(DST_KEY * key)1040 dst_sig_size(DST_KEY *key) {
1041 switch (key->dk_alg) {
1042 case KEY_HMAC_MD5:
1043 return (16);
1044 case KEY_HMAC_SHA1:
1045 return (20);
1046 case KEY_RSA:
1047 return (key->dk_key_size + 7) / 8;
1048 case KEY_DSA:
1049 return (40);
1050 default:
1051 EREPORT(("%s: Unknown key alg %d\n", __func__, key->dk_alg));
1052 return -1;
1053 }
1054 }
1055
1056 /*! \file */
1057