1/* $NetBSD: dst_api.c,v 1.3 2012/11/16 02:16:38 christos Exp $ */ 2 3/* 4 * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc. 5 * 6 * Permission to use, copy modify, and distribute this software for any 7 * purpose with or without fee is hereby granted, provided that the above 8 * copyright notice and this permission notice appear in all copies. 9 * 10 * THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS 11 * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL 12 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL 13 * TRUSTED INFORMATION SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT, 14 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING 15 * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, 16 * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION 17 * WITH THE USE OR PERFORMANCE OF THE SOFTWARE. 18 */ 19/* 20 * This file contains the interface between the DST API and the crypto API. 21 * This is the only file that needs to be changed if the crypto system is 22 * changed. Exported functions are: 23 * void dst_init() Initialize the toolkit 24 * int dst_check_algorithm() Function to determines if alg is suppored. 25 * int dst_compare_keys() Function to compare two keys for equality. 26 * int dst_sign_data() Incremental signing routine. 27 * int dst_verify_data() Incremental verify routine. 28 * int dst_generate_key() Function to generate new KEY 29 * DST_KEY *dst_read_key() Function to retrieve private/public KEY. 30 * void dst_write_key() Function to write out a key. 31 * DST_KEY *dst_dnskey_to_key() Function to convert DNS KEY RR to a DST 32 * KEY structure. 33 * int dst_key_to_dnskey() Function to return a public key in DNS 34 * format binary 35 * DST_KEY *dst_buffer_to_key() Converst a data in buffer to KEY 36 * int *dst_key_to_buffer() Writes out DST_KEY key matterial in buffer 37 * void dst_free_key() Releases all memory referenced by key structure 38 */ 39#include <sys/cdefs.h> 40#if 0 41static const char rcsid[] = "Header: /proj/cvs/prod/libbind/dst/dst_api.c,v 1.17 2007/09/24 17:18:25 each Exp "; 42#endif 43 44 45#include "port_before.h" 46#include <stdio.h> 47#include <errno.h> 48#include <fcntl.h> 49#include <stdlib.h> 50#include <unistd.h> 51#include <string.h> 52#include <memory.h> 53#include <ctype.h> 54#include <time.h> 55#include <sys/param.h> 56#include <sys/stat.h> 57#include <sys/socket.h> 58#include <netinet/in.h> 59#include <arpa/nameser.h> 60#include <resolv.h> 61 62#include "dst_internal.h" 63#include "port_after.h" 64 65/* static variables */ 66static int done_init = 0; 67dst_func *dst_t_func[DST_MAX_ALGS]; 68const char *dst_path = ""; 69 70/* internal I/O functions */ 71static DST_KEY *dst_s_read_public_key(const char *in_name, 72 const u_int16_t in_id, int in_alg); 73static int dst_s_read_private_key_file(char *name, DST_KEY *pk_key, 74 u_int16_t in_id, int in_alg); 75static int dst_s_write_public_key(const DST_KEY *key); 76static int dst_s_write_private_key(const DST_KEY *key); 77 78/* internal function to set up data structure */ 79static DST_KEY *dst_s_get_key_struct(const char *name, const int alg, 80 const int flags, const int protocol, 81 const int bits); 82 83/*% 84 * dst_init 85 * This function initializes the Digital Signature Toolkit. 86 * Right now, it just checks the DSTKEYPATH environment variable. 87 * Parameters 88 * none 89 * Returns 90 * none 91 */ 92void 93dst_init(void) 94{ 95 char *s; 96 size_t len; 97 98 if (done_init != 0) 99 return; 100 done_init = 1; 101 102 s = getenv("DSTKEYPATH"); 103 len = 0; 104 if (s) { 105 struct stat statbuf; 106 107 len = strlen(s); 108 if (len > PATH_MAX) { 109 EREPORT(("%s: %s is longer than %d characters," 110 " ignoring\n", __func__, s, PATH_MAX)); 111 } else if (stat(s, &statbuf) != 0 || 112 !S_ISDIR(statbuf.st_mode)) { 113 EREPORT(("%s: %s is not a valid directory\n", 114 __func__, s)); 115 } else { 116 char *tmp; 117 tmp = (char *) malloc(len + 2); 118 memcpy(tmp, s, len + 1); 119 if (tmp[strlen(tmp) - 1] != '/') { 120 tmp[strlen(tmp) + 1] = 0; 121 tmp[strlen(tmp)] = '/'; 122 } 123 dst_path = tmp; 124 } 125 } 126 memset(dst_t_func, 0, sizeof(dst_t_func)); 127 /* first one is selected */ 128 dst_hmac_md5_init(); 129} 130 131/*% 132 * dst_check_algorithm 133 * This function determines if the crypto system for the specified 134 * algorithm is present. 135 * Parameters 136 * alg 1 KEY_RSA 137 * 3 KEY_DSA 138 * 157 KEY_HMAC_MD5 139 * future algorithms TBD and registered with IANA. 140 * Returns 141 * 1 - The algorithm is available. 142 * 0 - The algorithm is not available. 143 */ 144int 145dst_check_algorithm(const int alg) 146{ 147 return (dst_t_func[alg] != NULL); 148} 149 150/*% 151 * dst_s_get_key_struct 152 * This function allocates key structure and fills in some of the 153 * fields of the structure. 154 * Parameters: 155 * name: the name of the key 156 * alg: the algorithm number 157 * flags: the dns flags of the key 158 * protocol: the dns protocol of the key 159 * bits: the size of the key 160 * Returns: 161 * NULL if error 162 * valid pointer otherwise 163 */ 164static DST_KEY * 165dst_s_get_key_struct(const char *name, const int alg, const int flags, 166 const int protocol, const int bits) 167{ 168 DST_KEY *new_key = NULL; 169 170 if (dst_check_algorithm(alg)) /*%< make sure alg is available */ 171 new_key = (DST_KEY *) malloc(sizeof(*new_key)); 172 if (new_key == NULL) 173 return (NULL); 174 175 memset(new_key, 0, sizeof(*new_key)); 176 new_key->dk_key_name = strdup(name); 177 if (new_key->dk_key_name == NULL) { 178 free(new_key); 179 return (NULL); 180 } 181 new_key->dk_alg = alg; 182 new_key->dk_flags = flags; 183 new_key->dk_proto = protocol; 184 new_key->dk_KEY_struct = NULL; 185 new_key->dk_key_size = bits; 186 new_key->dk_func = dst_t_func[alg]; 187 return (new_key); 188} 189 190/*% 191 * dst_compare_keys 192 * Compares two keys for equality. 193 * Parameters 194 * key1, key2 Two keys to be compared. 195 * Returns 196 * 0 The keys are equal. 197 * non-zero The keys are not equal. 198 */ 199 200int 201dst_compare_keys(const DST_KEY *key1, const DST_KEY *key2) 202{ 203 if (key1 == key2) 204 return (0); 205 if (key1 == NULL || key2 == NULL) 206 return (4); 207 if (key1->dk_alg != key2->dk_alg) 208 return (1); 209 if (key1->dk_key_size != key2->dk_key_size) 210 return (2); 211 if (key1->dk_id != key2->dk_id) 212 return (3); 213 return (key1->dk_func->compare(key1, key2)); 214} 215 216/*% 217 * dst_sign_data 218 * An incremental signing function. Data is signed in steps. 219 * First the context must be initialized (SIG_MODE_INIT). 220 * Then data is hashed (SIG_MODE_UPDATE). Finally the signature 221 * itself is created (SIG_MODE_FINAL). This function can be called 222 * once with INIT, UPDATE and FINAL modes all set, or it can be 223 * called separately with a different mode set for each step. The 224 * UPDATE step can be repeated. 225 * Parameters 226 * mode A bit mask used to specify operation(s) to be performed. 227 * SIG_MODE_INIT 1 Initialize digest 228 * SIG_MODE_UPDATE 2 Add data to digest 229 * SIG_MODE_FINAL 4 Generate signature 230 * from signature 231 * SIG_MODE_ALL (SIG_MODE_INIT,SIG_MODE_UPDATE,SIG_MODE_FINAL 232 * data Data to be signed. 233 * len The length in bytes of data to be signed. 234 * in_key Contains a private key to sign with. 235 * KEY structures should be handled (created, converted, 236 * compared, stored, freed) by the DST. 237 * signature 238 * The location to which the signature will be written. 239 * sig_len Length of the signature field in bytes. 240 * Return 241 * 0 Successfull INIT or Update operation 242 * >0 success FINAL (sign) operation 243 * <0 failure 244 */ 245 246int 247dst_sign_data(const int mode, DST_KEY *in_key, void **context, 248 const u_char *data, const int len, 249 u_char *signature, const int sig_len) 250{ 251 DUMP(data, mode, len, "dst_sign_data()"); 252 253 if (mode & SIG_MODE_FINAL && 254 (in_key->dk_KEY_struct == NULL || signature == NULL)) 255 return (MISSING_KEY_OR_SIGNATURE); 256 257 if (in_key->dk_func && in_key->dk_func->sign) 258 return (in_key->dk_func->sign(mode, in_key, context, data, len, 259 signature, sig_len)); 260 return (UNKNOWN_KEYALG); 261} 262 263/*% 264 * dst_verify_data 265 * An incremental verify function. Data is verified in steps. 266 * First the context must be initialized (SIG_MODE_INIT). 267 * Then data is hashed (SIG_MODE_UPDATE). Finally the signature 268 * is verified (SIG_MODE_FINAL). This function can be called 269 * once with INIT, UPDATE and FINAL modes all set, or it can be 270 * called separately with a different mode set for each step. The 271 * UPDATE step can be repeated. 272 * Parameters 273 * mode Operations to perform this time. 274 * SIG_MODE_INIT 1 Initialize digest 275 * SIG_MODE_UPDATE 2 add data to digest 276 * SIG_MODE_FINAL 4 verify signature 277 * SIG_MODE_ALL 278 * (SIG_MODE_INIT,SIG_MODE_UPDATE,SIG_MODE_FINAL) 279 * data Data to pass through the hash function. 280 * len Length of the data in bytes. 281 * in_key Key for verification. 282 * signature Location of signature. 283 * sig_len Length of the signature in bytes. 284 * Returns 285 * 0 Verify success 286 * Non-Zero Verify Failure 287 */ 288 289int 290dst_verify_data(const int mode, DST_KEY *in_key, void **context, 291 const u_char *data, const int len, 292 const u_char *signature, const int sig_len) 293{ 294 DUMP(data, mode, len, "dst_verify_data()"); 295 if (mode & SIG_MODE_FINAL && 296 (in_key->dk_KEY_struct == NULL || signature == NULL)) 297 return (MISSING_KEY_OR_SIGNATURE); 298 299 if (in_key->dk_func == NULL || in_key->dk_func->verify == NULL) 300 return (UNSUPPORTED_KEYALG); 301 return (in_key->dk_func->verify(mode, in_key, context, data, len, 302 signature, sig_len)); 303} 304 305/*% 306 * dst_read_private_key 307 * Access a private key. First the list of private keys that have 308 * already been read in is searched, then the key accessed on disk. 309 * If the private key can be found, it is returned. If the key cannot 310 * be found, a null pointer is returned. The options specify required 311 * key characteristics. If the private key requested does not have 312 * these characteristics, it will not be read. 313 * Parameters 314 * in_keyname The private key name. 315 * in_id The id of the private key. 316 * options DST_FORCE_READ Read from disk - don't use a previously 317 * read key. 318 * DST_CAN_SIGN The key must be useable for signing. 319 * DST_NO_AUTHEN The key must be useable for authentication. 320 * DST_STANDARD Return any key 321 * Returns 322 * NULL If there is no key found in the current directory or 323 * this key has not been loaded before. 324 * !NULL Success - KEY structure returned. 325 */ 326 327DST_KEY * 328dst_read_key(const char *in_keyname, const u_int16_t in_id, 329 const int in_alg, const int type) 330{ 331 char keyname[PATH_MAX]; 332 DST_KEY *dg_key = NULL, *pubkey = NULL; 333 334 if (!dst_check_algorithm(in_alg)) { /*%< make sure alg is available */ 335 EREPORT(("%s: Algorithm %d not suppored\n", __func__, in_alg)); 336 return (NULL); 337 } 338 if ((type & (DST_PUBLIC | DST_PRIVATE)) == 0) 339 return (NULL); 340 if (in_keyname == NULL) { 341 EREPORT(("%s: Null key name passed in\n", __func__)); 342 return (NULL); 343 } else if (strlen(in_keyname) >= sizeof(keyname)) { 344 EREPORT(("%s: keyname too big\n", __func__)); 345 return (NULL); 346 } else 347 strcpy(keyname, in_keyname); 348 349 /* before I read in the public key, check if it is allowed to sign */ 350 if ((pubkey = dst_s_read_public_key(keyname, in_id, in_alg)) == NULL) 351 return (NULL); 352 353 if (type == DST_PUBLIC) 354 return pubkey; 355 356 if (!(dg_key = dst_s_get_key_struct(keyname, pubkey->dk_alg, 357 (int)pubkey->dk_flags, 358 pubkey->dk_proto, 0))) 359 return (dg_key); 360 /* Fill in private key and some fields in the general key structure */ 361 if (dst_s_read_private_key_file(keyname, dg_key, pubkey->dk_id, 362 pubkey->dk_alg) == 0) 363 dg_key = dst_free_key(dg_key); 364 365 (void)dst_free_key(pubkey); 366 return (dg_key); 367} 368 369int 370dst_write_key(const DST_KEY *key, const int type) 371{ 372 int pub = 0, priv = 0; 373 374 if (key == NULL) 375 return (0); 376 if (!dst_check_algorithm(key->dk_alg)) { /*%< make sure alg is available */ 377 EREPORT(("%s: Algorithm %d not suppored\n", __func__, 378 key->dk_alg)); 379 return (UNSUPPORTED_KEYALG); 380 } 381 if ((type & (DST_PRIVATE|DST_PUBLIC)) == 0) 382 return (0); 383 384 if (type & DST_PUBLIC) 385 if ((pub = dst_s_write_public_key(key)) < 0) 386 return (pub); 387 if (type & DST_PRIVATE) 388 if ((priv = dst_s_write_private_key(key)) < 0) 389 return (priv); 390 return (priv+pub); 391} 392 393/*% 394 * dst_write_private_key 395 * Write a private key to disk. The filename will be of the form: 396 * K<key->dk_name>+<key->dk_alg+><key-d>k_id.><private key suffix>. 397 * If there is already a file with this name, an error is returned. 398 * 399 * Parameters 400 * key A DST managed key structure that contains 401 * all information needed about a key. 402 * Return 403 * >= 0 Correct behavior. Returns length of encoded key value 404 * written to disk. 405 * < 0 error. 406 */ 407 408static int 409dst_s_write_private_key(const DST_KEY *key) 410{ 411 u_char encoded_block[RAW_KEY_SIZE]; 412 char file[PATH_MAX]; 413 int len; 414 FILE *fp; 415 416 /* First encode the key into the portable key format */ 417 if (key == NULL) 418 return (-1); 419 if (key->dk_KEY_struct == NULL) 420 return (0); /*%< null key has no private key */ 421 if (key->dk_func == NULL || key->dk_func->to_file_fmt == NULL) { 422 EREPORT(("%s: Unsupported operation %d\n", __func__, 423 key->dk_alg)); 424 return (-5); 425 } else if ((len = key->dk_func->to_file_fmt(key, (char *)encoded_block, 426 (int)sizeof(encoded_block))) <= 0) { 427 EREPORT(("%s: Failed encoding private RSA bsafe key %d\n", 428 __func__, len)); 429 return (-8); 430 } 431 /* Now I can create the file I want to use */ 432 dst_s_build_filename(file, key->dk_key_name, key->dk_id, key->dk_alg, 433 PRIVATE_KEY, PATH_MAX); 434 435 /* Do not overwrite an existing file */ 436 if ((fp = dst_s_fopen(file, "w", 0600)) != NULL) { 437 ssize_t nn; 438 nn = fwrite(encoded_block, 1, len, fp); 439 if (nn != len) { 440 EREPORT(("%s: Write failure on %s %d != %zd" 441 " errno=%d\n", __func__, file, len, nn, errno)); 442 443 fclose(fp); 444 return (-5); 445 } 446 fclose(fp); 447 } else { 448 EREPORT(("%s: Can not create file %s\n", __func__, 449 file)); 450 return (-6); 451 } 452 memset(encoded_block, 0, len); 453 return (len); 454} 455 456/*% 457* 458 * dst_read_public_key 459 * Read a public key from disk and store in a DST key structure. 460 * Parameters 461 * in_name K<in_name><in_id>.<public key suffix> is the 462 * filename of the key file to be read. 463 * Returns 464 * NULL If the key does not exist or no name is supplied. 465 * NON-NULL Initialized key structure if the key exists. 466 */ 467 468static DST_KEY * 469dst_s_read_public_key(const char *in_name, const u_int16_t in_id, int in_alg) 470{ 471 int flags, proto, alg, dlen; 472 size_t len; 473 int c; 474 char name[PATH_MAX], enckey[RAW_KEY_SIZE], *notspace; 475 u_char deckey[RAW_KEY_SIZE]; 476 FILE *fp; 477 478 if (in_name == NULL) { 479 EREPORT(("%s: No key name given\n", __func__)); 480 return (NULL); 481 } 482 if (dst_s_build_filename(name, in_name, in_id, in_alg, PUBLIC_KEY, 483 PATH_MAX) == -1) { 484 EREPORT(("%s: Cannot make filename from %s, %d, and %s\n", 485 __func__, in_name, in_id, PUBLIC_KEY)); 486 return (NULL); 487 } 488 /* 489 * Open the file and read it's formatted contents up to key 490 * File format: 491 * domain.name [ttl] [IN] KEY <flags> <protocol> <algorithm> <key> 492 * flags, proto, alg stored as decimal (or hex numbers FIXME). 493 * (FIXME: handle parentheses for line continuation.) 494 */ 495 if ((fp = dst_s_fopen(name, "r", 0)) == NULL) { 496 EREPORT(("%s: Public Key not found %s\n", __func__, name)); 497 return (NULL); 498 } 499 /* Skip domain name, which ends at first blank */ 500 while ((c = getc(fp)) != EOF) 501 if (isspace(c)) 502 break; 503 /* Skip blank to get to next field */ 504 while ((c = getc(fp)) != EOF) 505 if (!isspace(c)) 506 break; 507 508 /* Skip optional TTL -- if initial digit, skip whole word. */ 509 if (isdigit(c)) { 510 while ((c = getc(fp)) != EOF) 511 if (isspace(c)) 512 break; 513 while ((c = getc(fp)) != EOF) 514 if (!isspace(c)) 515 break; 516 } 517 /* Skip optional "IN" */ 518 if (c == 'I' || c == 'i') { 519 while ((c = getc(fp)) != EOF) 520 if (isspace(c)) 521 break; 522 while ((c = getc(fp)) != EOF) 523 if (!isspace(c)) 524 break; 525 } 526 /* Locate and skip "KEY" */ 527 if (c != 'K' && c != 'k') { 528 EREPORT(("%s: \"KEY\" doesn't appear in file: %s", __func__, 529 name)); 530 return NULL; 531 } 532 while ((c = getc(fp)) != EOF) 533 if (isspace(c)) 534 break; 535 while ((c = getc(fp)) != EOF) 536 if (!isspace(c)) 537 break; 538 ungetc(c, fp); /*%< return the charcter to the input field */ 539 /* Handle hex!! FIXME. */ 540 541 if (fscanf(fp, "%d %d %d", &flags, &proto, &alg) != 3) { 542 EREPORT(("%s: Can not read flag/proto/alg field from %s\n", 543 __func__, name)); 544 return (NULL); 545 } 546 /* read in the key string */ 547 fgets(enckey, (int)sizeof(enckey), fp); 548 549 /* If we aren't at end-of-file, something is wrong. */ 550 while ((c = getc(fp)) != EOF) 551 if (!isspace(c)) 552 break; 553 if (!feof(fp)) { 554 EREPORT(("%s: Key too long in file: %s", __func__, name)); 555 return NULL; 556 } 557 fclose(fp); 558 559 if ((len = strlen(enckey)) == 0) 560 return (NULL); 561 562 /* discard \n */ 563 enckey[--len] = '\0'; 564 565 /* remove leading spaces */ 566 for (notspace = (char *) enckey; isspace((*notspace)&0xff); len--) 567 notspace++; 568 569 dlen = b64_pton(notspace, deckey, sizeof(deckey)); 570 if (dlen < 0) { 571 EREPORT(("%s: bad return from b64_pton = %d", __func__, dlen)); 572 return (NULL); 573 } 574 /* store key and info in a key structure that is returned */ 575/* return dst_store_public_key(in_name, alg, proto, 666, flags, deckey, 576 dlen);*/ 577 return dst_buffer_to_key(in_name, alg, flags, proto, deckey, dlen); 578} 579 580/*% 581 * dst_write_public_key 582 * Write a key to disk in DNS format. 583 * Parameters 584 * key Pointer to a DST key structure. 585 * Returns 586 * 0 Failure 587 * 1 Success 588 */ 589 590static int 591dst_s_write_public_key(const DST_KEY *key) 592{ 593 FILE *fp; 594 char filename[PATH_MAX]; 595 u_char out_key[RAW_KEY_SIZE]; 596 char enc_key[RAW_KEY_SIZE]; 597 int len = 0; 598 int mode; 599 600 memset(out_key, 0, sizeof(out_key)); 601 if (key == NULL) { 602 EREPORT(("%s: No key specified \n", __func__)); 603 return (0); 604 } else if ((len = dst_key_to_dnskey(key, out_key, 605 (int)sizeof(out_key)))< 0) 606 return (0); 607 608 /* Make the filename */ 609 if (dst_s_build_filename(filename, key->dk_key_name, key->dk_id, 610 key->dk_alg, PUBLIC_KEY, PATH_MAX) == -1) { 611 EREPORT(("%s: Cannot make filename from %s, %d, and %s\n", 612 __func__, key->dk_key_name, key->dk_id, PUBLIC_KEY)); 613 return (0); 614 } 615 /* XXX in general this should be a check for symmetric keys */ 616 mode = (key->dk_alg == KEY_HMAC_MD5) ? 0600 : 0644; 617 /* create public key file */ 618 if ((fp = dst_s_fopen(filename, "w+", mode)) == NULL) { 619 EREPORT(("%s: open of file:%s failed (errno=%d)\n", 620 __func__, filename, errno)); 621 return (0); 622 } 623 /*write out key first base64 the key data */ 624 if (key->dk_flags & DST_EXTEND_FLAG) 625 b64_ntop(&out_key[6], len - 6, enc_key, sizeof(enc_key)); 626 else 627 b64_ntop(&out_key[4], len - 4, enc_key, sizeof(enc_key)); 628 fprintf(fp, "%s IN KEY %d %d %d %s\n", 629 key->dk_key_name, 630 key->dk_flags, key->dk_proto, key->dk_alg, enc_key); 631 fclose(fp); 632 return (1); 633} 634 635/*% 636 * dst_dnskey_to_public_key 637 * This function converts the contents of a DNS KEY RR into a DST 638 * key structure. 639 * Paramters 640 * len Length of the RDATA of the KEY RR RDATA 641 * rdata A pointer to the the KEY RR RDATA. 642 * in_name Key name to be stored in key structure. 643 * Returns 644 * NULL Failure 645 * NON-NULL Success. Pointer to key structure. 646 * Caller's responsibility to free() it. 647 */ 648 649DST_KEY * 650dst_dnskey_to_key(const char *in_name, const u_char *rdata, const int len) 651{ 652 DST_KEY *key_st; 653 int alg ; 654 int start = DST_KEY_START; 655 656 if (rdata == NULL || len <= DST_KEY_ALG) /*%< no data */ 657 return (NULL); 658 alg = (u_int8_t) rdata[DST_KEY_ALG]; 659 if (!dst_check_algorithm(alg)) { /*%< make sure alg is available */ 660 EREPORT(("%s: Algorithm %d not suppored\n", __func__, 661 alg)); 662 return (NULL); 663 } 664 665 if (in_name == NULL) 666 return (NULL); 667 668 if ((key_st = dst_s_get_key_struct(in_name, alg, 0, 0, 0)) == NULL) 669 return (NULL); 670 671 key_st->dk_id = dst_s_dns_key_id(rdata, len); 672 key_st->dk_flags = dst_s_get_int16(rdata); 673 key_st->dk_proto = (u_int16_t) rdata[DST_KEY_PROT]; 674 if (key_st->dk_flags & DST_EXTEND_FLAG) { 675 u_int32_t ext_flags; 676 ext_flags = (u_int32_t) dst_s_get_int16(&rdata[DST_EXT_FLAG]); 677 key_st->dk_flags = key_st->dk_flags | (ext_flags << 16); 678 start += 2; 679 } 680 /* 681 * now point to the begining of the data representing the encoding 682 * of the key 683 */ 684 if (key_st->dk_func && key_st->dk_func->from_dns_key) { 685 if (key_st->dk_func->from_dns_key(key_st, &rdata[start], 686 len - start) > 0) 687 return (key_st); 688 } else 689 EREPORT(("%s: unsuppored alg %d\n", __func__, 690 alg)); 691 692 SAFE_FREE(key_st); 693 return (NULL); 694} 695 696/*% 697 * dst_public_key_to_dnskey 698 * Function to encode a public key into DNS KEY wire format 699 * Parameters 700 * key Key structure to encode. 701 * out_storage Location to write the encoded key to. 702 * out_len Size of the output array. 703 * Returns 704 * <0 Failure 705 * >=0 Number of bytes written to out_storage 706 */ 707 708int 709dst_key_to_dnskey(const DST_KEY *key, u_char *out_storage, 710 const int out_len) 711{ 712 u_int16_t val; 713 int loc = 0; 714 int enc_len = 0; 715 if (key == NULL) 716 return (-1); 717 718 if (!dst_check_algorithm(key->dk_alg)) { /*%< make sure alg is available */ 719 EREPORT(("%s: Algorithm %d not suppored\n", __func__, 720 key->dk_alg)); 721 return (UNSUPPORTED_KEYALG); 722 } 723 memset(out_storage, 0, out_len); 724 val = (u_int16_t)(key->dk_flags & 0xffff); 725 dst_s_put_int16(out_storage, val); 726 loc += 2; 727 728 out_storage[loc++] = (u_char) key->dk_proto; 729 out_storage[loc++] = (u_char) key->dk_alg; 730 731 if (key->dk_flags > 0xffff) { /*%< Extended flags */ 732 val = (u_int16_t)((key->dk_flags >> 16) & 0xffff); 733 dst_s_put_int16(&out_storage[loc], val); 734 loc += 2; 735 } 736 if (key->dk_KEY_struct == NULL) 737 return (loc); 738 if (key->dk_func && key->dk_func->to_dns_key) { 739 enc_len = key->dk_func->to_dns_key(key, 740 (u_char *) &out_storage[loc], 741 out_len - loc); 742 if (enc_len > 0) 743 return (enc_len + loc); 744 else 745 return (-1); 746 } else 747 EREPORT(("%s: Unsupported ALG %d\n", __func__, key->dk_alg)); 748 return (-1); 749} 750 751/*% 752 * dst_buffer_to_key 753 * Function to encode a string of raw data into a DST key 754 * Parameters 755 * alg The algorithm (HMAC only) 756 * key A pointer to the data 757 * keylen The length of the data 758 * Returns 759 * NULL an error occurred 760 * NON-NULL the DST key 761 */ 762DST_KEY * 763dst_buffer_to_key(const char *key_name, /*!< name of the key */ 764 const int alg, /*!< algorithm */ 765 const int flags, /*!< dns flags */ 766 const int protocol, /*!< dns protocol */ 767 const u_char *key_buf, /*!< key in dns wire fmt */ 768 const int key_len) /*!< size of key */ 769{ 770 771 DST_KEY *dkey = NULL; 772 int dnslen; 773 u_char dns[2048]; 774 775 if (!dst_check_algorithm(alg)) { /*%< make sure alg is available */ 776 EREPORT(("%s: Algorithm %d not suppored\n", __func__, alg)); 777 return (NULL); 778 } 779 780 dkey = dst_s_get_key_struct(key_name, alg, flags, protocol, -1); 781 782 if (dkey == NULL || dkey->dk_func == NULL || 783 dkey->dk_func->from_dns_key == NULL) 784 return (dst_free_key(dkey)); 785 786 if (dkey->dk_func->from_dns_key(dkey, key_buf, key_len) < 0) { 787 EREPORT(("%s: dst_buffer_to_hmac failed\n", __func__)); 788 return (dst_free_key(dkey)); 789 } 790 791 dnslen = dst_key_to_dnskey(dkey, dns, (int)sizeof(dns)); 792 dkey->dk_id = dst_s_dns_key_id(dns, dnslen); 793 return (dkey); 794} 795 796int 797dst_key_to_buffer(DST_KEY *key, u_char *out_buff, int buf_len) 798{ 799 int len; 800 /* this function will extrac the secret of HMAC into a buffer */ 801 if (key == NULL) 802 return (0); 803 if (key->dk_func != NULL && key->dk_func->to_dns_key != NULL) { 804 len = key->dk_func->to_dns_key(key, out_buff, buf_len); 805 if (len < 0) 806 return (0); 807 return (len); 808 } 809 return (0); 810} 811 812/*% 813 * dst_s_read_private_key_file 814 * Function reads in private key from a file. 815 * Fills out the KEY structure. 816 * Parameters 817 * name Name of the key to be read. 818 * pk_key Structure that the key is returned in. 819 * in_id Key identifier (tag) 820 * Return 821 * 1 if everthing works 822 * 0 if there is any problem 823 */ 824 825static int 826dst_s_read_private_key_file(char *name, DST_KEY *pk_key, u_int16_t in_id, 827 int in_alg) 828{ 829 int alg, major, minor, file_major, file_minor; 830 ssize_t cnt; 831 size_t len; 832 int ret, id; 833 char filename[PATH_MAX]; 834 u_char in_buff[RAW_KEY_SIZE], *p; 835 FILE *fp; 836 int dnslen; 837 u_char dns[2048]; 838 839 if (name == NULL || pk_key == NULL) { 840 EREPORT(("%s: No key name given\n", __func__)); 841 return (0); 842 } 843 /* Make the filename */ 844 if (dst_s_build_filename(filename, name, in_id, in_alg, PRIVATE_KEY, 845 PATH_MAX) == -1) { 846 EREPORT(("%s: Cannot make filename from %s, %d, and %s\n", 847 __func__, name, in_id, PRIVATE_KEY)); 848 return (0); 849 } 850 /* first check if we can find the key file */ 851 if ((fp = dst_s_fopen(filename, "r", 0)) == NULL) { 852 EREPORT(("%s: Could not open file %s in directory %s\n", 853 __func__, filename, dst_path[0] ? dst_path : 854 getcwd(NULL, PATH_MAX - 1))); 855 return (0); 856 } 857 /* now read the header info from the file */ 858 if ((cnt = fread(in_buff, 1, sizeof(in_buff), fp)) < 5) { 859 fclose(fp); 860 EREPORT(("%s: error reading file %s (empty file)\n", 861 __func__, filename)); 862 return (0); 863 } 864 len = cnt; 865 /* decrypt key */ 866 fclose(fp); 867 if (memcmp(in_buff, "Private-key-format: v", 20) != 0) 868 goto fail; 869 p = in_buff; 870 871 if (!dst_s_verify_str((const char **) (void *)&p, 872 "Private-key-format: v")) { 873 EREPORT(("%s: Not a Key file/Decrypt failed %s\n", __func__, 874 name)); 875 goto fail; 876 } 877 /* read in file format */ 878 sscanf((char *)p, "%d.%d", &file_major, &file_minor); 879 sscanf(KEY_FILE_FORMAT, "%d.%d", &major, &minor); 880 if (file_major < 1) { 881 EREPORT(("%s: Unknown keyfile %d.%d version for %s\n", 882 __func__, file_major, file_minor, name)); 883 goto fail; 884 } else if (file_major > major || file_minor > minor) 885 EREPORT(("%s: Keyfile %s version higher than mine %d.%d MAY" 886 " FAIL\n", __func__, name, file_major, file_minor)); 887 888 while (*p++ != '\n') ; /*%< skip to end of line */ 889 890 if (!dst_s_verify_str((const char **) (void *)&p, "Algorithm: ")) 891 goto fail; 892 893 if (sscanf((char *)p, "%d", &alg) != 1) 894 goto fail; 895 while (*p++ != '\n') ; /*%< skip to end of line */ 896 897 if (pk_key->dk_key_name && !strcmp(pk_key->dk_key_name, name)) 898 SAFE_FREE2(pk_key->dk_key_name, strlen(pk_key->dk_key_name)); 899 pk_key->dk_key_name = strdup(name); 900 901 /* allocate and fill in key structure */ 902 if (pk_key->dk_func == NULL || pk_key->dk_func->from_file_fmt == NULL) 903 goto fail; 904 905 ret = pk_key->dk_func->from_file_fmt(pk_key, (char *)p, 906 (int)(&in_buff[len] - p)); 907 if (ret < 0) 908 goto fail; 909 910 dnslen = dst_key_to_dnskey(pk_key, dns, (int)sizeof(dns)); 911 id = dst_s_dns_key_id(dns, dnslen); 912 913 /* Make sure the actual key tag matches the input tag used in the 914 * filename */ 915 if (id != in_id) { 916 EREPORT(("%s: actual tag of key read %d != input tag used to" 917 "build filename %d.\n", __func__, id, in_id)); 918 goto fail; 919 } 920 pk_key->dk_id = (u_int16_t) id; 921 pk_key->dk_alg = alg; 922 memset(in_buff, 0, len); 923 return (1); 924 925 fail: 926 memset(in_buff, 0, len); 927 return (0); 928} 929 930/*% 931 * Generate and store a public/private keypair. 932 * Keys will be stored in formatted files. 933 * 934 * Parameters 935 & 936 *\par name Name of the new key. Used to create key files 937 *\li K<name>+<alg>+<id>.public and K<name>+<alg>+<id>.private. 938 *\par bits Size of the new key in bits. 939 *\par exp What exponent to use: 940 *\li 0 use exponent 3 941 *\li non-zero use Fermant4 942 *\par flags The default value of the DNS Key flags. 943 *\li The DNS Key RR Flag field is defined in RFC2065, 944 * section 3.3. The field has 16 bits. 945 *\par protocol 946 *\li Default value of the DNS Key protocol field. 947 *\li The DNS Key protocol field is defined in RFC2065, 948 * section 3.4. The field has 8 bits. 949 *\par alg What algorithm to use. Currently defined: 950 *\li KEY_RSA 1 951 *\li KEY_DSA 3 952 *\li KEY_HMAC 157 953 *\par out_id The key tag is returned. 954 * 955 * Return 956 *\li NULL Failure 957 *\li non-NULL the generated key pair 958 * Caller frees the result, and its dk_name pointer. 959 */ 960DST_KEY * 961dst_generate_key(const char *name, const int bits, const int exp, 962 const int flags, const int protocol, const int alg) 963{ 964 DST_KEY *new_key = NULL; 965 int dnslen; 966 u_char dns[2048]; 967 968 if (name == NULL) 969 return (NULL); 970 971 if (!dst_check_algorithm(alg)) { /*%< make sure alg is available */ 972 EREPORT(("%s: Algorithm %d not suppored\n", __func__, alg)); 973 return (NULL); 974 } 975 976 new_key = dst_s_get_key_struct(name, alg, flags, protocol, bits); 977 if (new_key == NULL) 978 return (NULL); 979 if (bits == 0) /*%< null key we are done */ 980 return (new_key); 981 if (new_key->dk_func == NULL || new_key->dk_func->generate == NULL) { 982 EREPORT(("%s: Unsupported algorithm %d\n", __func__, alg)); 983 return (dst_free_key(new_key)); 984 } 985 if (new_key->dk_func->generate(new_key, exp) <= 0) { 986 EREPORT(("%s: Key generation failure %s %d %d %d\n", __func__, 987 new_key->dk_key_name, new_key->dk_alg, 988 new_key->dk_key_size, exp)); 989 return (dst_free_key(new_key)); 990 } 991 992 dnslen = dst_key_to_dnskey(new_key, dns, (int)sizeof(dns)); 993 if (dnslen != UNSUPPORTED_KEYALG) 994 new_key->dk_id = dst_s_dns_key_id(dns, dnslen); 995 else 996 new_key->dk_id = 0; 997 998 return (new_key); 999} 1000 1001/*% 1002 * Release all data structures pointed to by a key structure. 1003 * 1004 * Parameters 1005 *\li f_key Key structure to be freed. 1006 */ 1007 1008DST_KEY * 1009dst_free_key(DST_KEY *f_key) 1010{ 1011 1012 if (f_key == NULL) 1013 return (f_key); 1014 if (f_key->dk_func && f_key->dk_func->destroy) 1015 f_key->dk_KEY_struct = 1016 f_key->dk_func->destroy(f_key->dk_KEY_struct); 1017 else { 1018 EREPORT(("%s: Unknown key alg %d\n", __func__, f_key->dk_alg)); 1019 } 1020 if (f_key->dk_KEY_struct) { 1021 free(f_key->dk_KEY_struct); 1022 f_key->dk_KEY_struct = NULL; 1023 } 1024 if (f_key->dk_key_name) 1025 SAFE_FREE(f_key->dk_key_name); 1026 SAFE_FREE(f_key); 1027 return (NULL); 1028} 1029 1030/*% 1031 * Return the maximim size of signature from the key specified in bytes 1032 * 1033 * Parameters 1034 *\li key 1035 * 1036 * Returns 1037 * \li bytes 1038 */ 1039int 1040dst_sig_size(DST_KEY *key) { 1041 switch (key->dk_alg) { 1042 case KEY_HMAC_MD5: 1043 return (16); 1044 case KEY_HMAC_SHA1: 1045 return (20); 1046 case KEY_RSA: 1047 return (key->dk_key_size + 7) / 8; 1048 case KEY_DSA: 1049 return (40); 1050 default: 1051 EREPORT(("%s: Unknown key alg %d\n", __func__, key->dk_alg)); 1052 return -1; 1053 } 1054} 1055 1056/*! \file */ 1057