1/* $NetBSD: dst_api.c,v 1.1.1.1 2009/04/12 15:33:31 christos Exp $ */ 2 3#ifndef LINT 4static const char rcsid[] = "Header: /proj/cvs/prod/libbind/dst/dst_api.c,v 1.17 2007/09/24 17:18:25 each Exp"; 5#endif 6 7/* 8 * Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc. 9 * 10 * Permission to use, copy modify, and distribute this software for any 11 * purpose with or without fee is hereby granted, provided that the above 12 * copyright notice and this permission notice appear in all copies. 13 * 14 * THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS 15 * DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL 16 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL 17 * TRUSTED INFORMATION SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT, 18 * INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING 19 * FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, 20 * NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION 21 * WITH THE USE OR PERFORMANCE OF THE SOFTWARE. 22 */ 23/* 24 * This file contains the interface between the DST API and the crypto API. 25 * This is the only file that needs to be changed if the crypto system is 26 * changed. Exported functions are: 27 * void dst_init() Initialize the toolkit 28 * int dst_check_algorithm() Function to determines if alg is suppored. 29 * int dst_compare_keys() Function to compare two keys for equality. 30 * int dst_sign_data() Incremental signing routine. 31 * int dst_verify_data() Incremental verify routine. 32 * int dst_generate_key() Function to generate new KEY 33 * DST_KEY *dst_read_key() Function to retrieve private/public KEY. 34 * void dst_write_key() Function to write out a key. 35 * DST_KEY *dst_dnskey_to_key() Function to convert DNS KEY RR to a DST 36 * KEY structure. 37 * int dst_key_to_dnskey() Function to return a public key in DNS 38 * format binary 39 * DST_KEY *dst_buffer_to_key() Converst a data in buffer to KEY 40 * int *dst_key_to_buffer() Writes out DST_KEY key matterial in buffer 41 * void dst_free_key() Releases all memory referenced by key structure 42 */ 43 44#include "port_before.h" 45#include <stdio.h> 46#include <errno.h> 47#include <fcntl.h> 48#include <stdlib.h> 49#include <unistd.h> 50#include <string.h> 51#include <memory.h> 52#include <ctype.h> 53#include <time.h> 54#include <sys/param.h> 55#include <sys/stat.h> 56#include <sys/socket.h> 57#include <netinet/in.h> 58#include <arpa/nameser.h> 59#include <resolv.h> 60 61#include "dst_internal.h" 62#include "port_after.h" 63 64/* static variables */ 65static int done_init = 0; 66dst_func *dst_t_func[DST_MAX_ALGS]; 67const char *key_file_fmt_str = "Private-key-format: v%s\nAlgorithm: %d (%s)\n"; 68const char *dst_path = ""; 69 70/* internal I/O functions */ 71static DST_KEY *dst_s_read_public_key(const char *in_name, 72 const u_int16_t in_id, int in_alg); 73static int dst_s_read_private_key_file(char *name, DST_KEY *pk_key, 74 u_int16_t in_id, int in_alg); 75static int dst_s_write_public_key(const DST_KEY *key); 76static int dst_s_write_private_key(const DST_KEY *key); 77 78/* internal function to set up data structure */ 79static DST_KEY *dst_s_get_key_struct(const char *name, const int alg, 80 const int flags, const int protocol, 81 const int bits); 82 83/*% 84 * dst_init 85 * This function initializes the Digital Signature Toolkit. 86 * Right now, it just checks the DSTKEYPATH environment variable. 87 * Parameters 88 * none 89 * Returns 90 * none 91 */ 92void 93dst_init() 94{ 95 char *s; 96 int len; 97 98 if (done_init != 0) 99 return; 100 done_init = 1; 101 102 s = getenv("DSTKEYPATH"); 103 len = 0; 104 if (s) { 105 struct stat statbuf; 106 107 len = strlen(s); 108 if (len > PATH_MAX) { 109 EREPORT(("%s is longer than %d characters, ignoring\n", 110 s, PATH_MAX)); 111 } else if (stat(s, &statbuf) != 0 || !S_ISDIR(statbuf.st_mode)) { 112 EREPORT(("%s is not a valid directory\n", s)); 113 } else { 114 char *tmp; 115 tmp = (char *) malloc(len + 2); 116 memcpy(tmp, s, len + 1); 117 if (tmp[strlen(tmp) - 1] != '/') { 118 tmp[strlen(tmp) + 1] = 0; 119 tmp[strlen(tmp)] = '/'; 120 } 121 dst_path = tmp; 122 } 123 } 124 memset(dst_t_func, 0, sizeof(dst_t_func)); 125 /* first one is selected */ 126 dst_hmac_md5_init(); 127} 128 129/*% 130 * dst_check_algorithm 131 * This function determines if the crypto system for the specified 132 * algorithm is present. 133 * Parameters 134 * alg 1 KEY_RSA 135 * 3 KEY_DSA 136 * 157 KEY_HMAC_MD5 137 * future algorithms TBD and registered with IANA. 138 * Returns 139 * 1 - The algorithm is available. 140 * 0 - The algorithm is not available. 141 */ 142int 143dst_check_algorithm(const int alg) 144{ 145 return (dst_t_func[alg] != NULL); 146} 147 148/*% 149 * dst_s_get_key_struct 150 * This function allocates key structure and fills in some of the 151 * fields of the structure. 152 * Parameters: 153 * name: the name of the key 154 * alg: the algorithm number 155 * flags: the dns flags of the key 156 * protocol: the dns protocol of the key 157 * bits: the size of the key 158 * Returns: 159 * NULL if error 160 * valid pointer otherwise 161 */ 162static DST_KEY * 163dst_s_get_key_struct(const char *name, const int alg, const int flags, 164 const int protocol, const int bits) 165{ 166 DST_KEY *new_key = NULL; 167 168 if (dst_check_algorithm(alg)) /*%< make sure alg is available */ 169 new_key = (DST_KEY *) malloc(sizeof(*new_key)); 170 if (new_key == NULL) 171 return (NULL); 172 173 memset(new_key, 0, sizeof(*new_key)); 174 new_key->dk_key_name = strdup(name); 175 if (new_key->dk_key_name == NULL) { 176 free(new_key); 177 return (NULL); 178 } 179 new_key->dk_alg = alg; 180 new_key->dk_flags = flags; 181 new_key->dk_proto = protocol; 182 new_key->dk_KEY_struct = NULL; 183 new_key->dk_key_size = bits; 184 new_key->dk_func = dst_t_func[alg]; 185 return (new_key); 186} 187 188/*% 189 * dst_compare_keys 190 * Compares two keys for equality. 191 * Parameters 192 * key1, key2 Two keys to be compared. 193 * Returns 194 * 0 The keys are equal. 195 * non-zero The keys are not equal. 196 */ 197 198int 199dst_compare_keys(const DST_KEY *key1, const DST_KEY *key2) 200{ 201 if (key1 == key2) 202 return (0); 203 if (key1 == NULL || key2 == NULL) 204 return (4); 205 if (key1->dk_alg != key2->dk_alg) 206 return (1); 207 if (key1->dk_key_size != key2->dk_key_size) 208 return (2); 209 if (key1->dk_id != key2->dk_id) 210 return (3); 211 return (key1->dk_func->compare(key1, key2)); 212} 213 214/*% 215 * dst_sign_data 216 * An incremental signing function. Data is signed in steps. 217 * First the context must be initialized (SIG_MODE_INIT). 218 * Then data is hashed (SIG_MODE_UPDATE). Finally the signature 219 * itself is created (SIG_MODE_FINAL). This function can be called 220 * once with INIT, UPDATE and FINAL modes all set, or it can be 221 * called separately with a different mode set for each step. The 222 * UPDATE step can be repeated. 223 * Parameters 224 * mode A bit mask used to specify operation(s) to be performed. 225 * SIG_MODE_INIT 1 Initialize digest 226 * SIG_MODE_UPDATE 2 Add data to digest 227 * SIG_MODE_FINAL 4 Generate signature 228 * from signature 229 * SIG_MODE_ALL (SIG_MODE_INIT,SIG_MODE_UPDATE,SIG_MODE_FINAL 230 * data Data to be signed. 231 * len The length in bytes of data to be signed. 232 * in_key Contains a private key to sign with. 233 * KEY structures should be handled (created, converted, 234 * compared, stored, freed) by the DST. 235 * signature 236 * The location to which the signature will be written. 237 * sig_len Length of the signature field in bytes. 238 * Return 239 * 0 Successfull INIT or Update operation 240 * >0 success FINAL (sign) operation 241 * <0 failure 242 */ 243 244int 245dst_sign_data(const int mode, DST_KEY *in_key, void **context, 246 const u_char *data, const int len, 247 u_char *signature, const int sig_len) 248{ 249 DUMP(data, mode, len, "dst_sign_data()"); 250 251 if (mode & SIG_MODE_FINAL && 252 (in_key->dk_KEY_struct == NULL || signature == NULL)) 253 return (MISSING_KEY_OR_SIGNATURE); 254 255 if (in_key->dk_func && in_key->dk_func->sign) 256 return (in_key->dk_func->sign(mode, in_key, context, data, len, 257 signature, sig_len)); 258 return (UNKNOWN_KEYALG); 259} 260 261/*% 262 * dst_verify_data 263 * An incremental verify function. Data is verified in steps. 264 * First the context must be initialized (SIG_MODE_INIT). 265 * Then data is hashed (SIG_MODE_UPDATE). Finally the signature 266 * is verified (SIG_MODE_FINAL). This function can be called 267 * once with INIT, UPDATE and FINAL modes all set, or it can be 268 * called separately with a different mode set for each step. The 269 * UPDATE step can be repeated. 270 * Parameters 271 * mode Operations to perform this time. 272 * SIG_MODE_INIT 1 Initialize digest 273 * SIG_MODE_UPDATE 2 add data to digest 274 * SIG_MODE_FINAL 4 verify signature 275 * SIG_MODE_ALL 276 * (SIG_MODE_INIT,SIG_MODE_UPDATE,SIG_MODE_FINAL) 277 * data Data to pass through the hash function. 278 * len Length of the data in bytes. 279 * in_key Key for verification. 280 * signature Location of signature. 281 * sig_len Length of the signature in bytes. 282 * Returns 283 * 0 Verify success 284 * Non-Zero Verify Failure 285 */ 286 287int 288dst_verify_data(const int mode, DST_KEY *in_key, void **context, 289 const u_char *data, const int len, 290 const u_char *signature, const int sig_len) 291{ 292 DUMP(data, mode, len, "dst_verify_data()"); 293 if (mode & SIG_MODE_FINAL && 294 (in_key->dk_KEY_struct == NULL || signature == NULL)) 295 return (MISSING_KEY_OR_SIGNATURE); 296 297 if (in_key->dk_func == NULL || in_key->dk_func->verify == NULL) 298 return (UNSUPPORTED_KEYALG); 299 return (in_key->dk_func->verify(mode, in_key, context, data, len, 300 signature, sig_len)); 301} 302 303/*% 304 * dst_read_private_key 305 * Access a private key. First the list of private keys that have 306 * already been read in is searched, then the key accessed on disk. 307 * If the private key can be found, it is returned. If the key cannot 308 * be found, a null pointer is returned. The options specify required 309 * key characteristics. If the private key requested does not have 310 * these characteristics, it will not be read. 311 * Parameters 312 * in_keyname The private key name. 313 * in_id The id of the private key. 314 * options DST_FORCE_READ Read from disk - don't use a previously 315 * read key. 316 * DST_CAN_SIGN The key must be useable for signing. 317 * DST_NO_AUTHEN The key must be useable for authentication. 318 * DST_STANDARD Return any key 319 * Returns 320 * NULL If there is no key found in the current directory or 321 * this key has not been loaded before. 322 * !NULL Success - KEY structure returned. 323 */ 324 325DST_KEY * 326dst_read_key(const char *in_keyname, const u_int16_t in_id, 327 const int in_alg, const int type) 328{ 329 char keyname[PATH_MAX]; 330 DST_KEY *dg_key = NULL, *pubkey = NULL; 331 332 if (!dst_check_algorithm(in_alg)) { /*%< make sure alg is available */ 333 EREPORT(("dst_read_private_key(): Algorithm %d not suppored\n", 334 in_alg)); 335 return (NULL); 336 } 337 if ((type & (DST_PUBLIC | DST_PRIVATE)) == 0) 338 return (NULL); 339 if (in_keyname == NULL) { 340 EREPORT(("dst_read_private_key(): Null key name passed in\n")); 341 return (NULL); 342 } else if (strlen(in_keyname) >= sizeof(keyname)) { 343 EREPORT(("dst_read_private_key(): keyname too big\n")); 344 return (NULL); 345 } else 346 strcpy(keyname, in_keyname); 347 348 /* before I read in the public key, check if it is allowed to sign */ 349 if ((pubkey = dst_s_read_public_key(keyname, in_id, in_alg)) == NULL) 350 return (NULL); 351 352 if (type == DST_PUBLIC) 353 return pubkey; 354 355 if (!(dg_key = dst_s_get_key_struct(keyname, pubkey->dk_alg, 356 pubkey->dk_flags, pubkey->dk_proto, 357 0))) 358 return (dg_key); 359 /* Fill in private key and some fields in the general key structure */ 360 if (dst_s_read_private_key_file(keyname, dg_key, pubkey->dk_id, 361 pubkey->dk_alg) == 0) 362 dg_key = dst_free_key(dg_key); 363 364 (void)dst_free_key(pubkey); 365 return (dg_key); 366} 367 368int 369dst_write_key(const DST_KEY *key, const int type) 370{ 371 int pub = 0, priv = 0; 372 373 if (key == NULL) 374 return (0); 375 if (!dst_check_algorithm(key->dk_alg)) { /*%< make sure alg is available */ 376 EREPORT(("dst_write_key(): Algorithm %d not suppored\n", 377 key->dk_alg)); 378 return (UNSUPPORTED_KEYALG); 379 } 380 if ((type & (DST_PRIVATE|DST_PUBLIC)) == 0) 381 return (0); 382 383 if (type & DST_PUBLIC) 384 if ((pub = dst_s_write_public_key(key)) < 0) 385 return (pub); 386 if (type & DST_PRIVATE) 387 if ((priv = dst_s_write_private_key(key)) < 0) 388 return (priv); 389 return (priv+pub); 390} 391 392/*% 393 * dst_write_private_key 394 * Write a private key to disk. The filename will be of the form: 395 * K<key->dk_name>+<key->dk_alg+><key-d>k_id.><private key suffix>. 396 * If there is already a file with this name, an error is returned. 397 * 398 * Parameters 399 * key A DST managed key structure that contains 400 * all information needed about a key. 401 * Return 402 * >= 0 Correct behavior. Returns length of encoded key value 403 * written to disk. 404 * < 0 error. 405 */ 406 407static int 408dst_s_write_private_key(const DST_KEY *key) 409{ 410 u_char encoded_block[RAW_KEY_SIZE]; 411 char file[PATH_MAX]; 412 int len; 413 FILE *fp; 414 415 /* First encode the key into the portable key format */ 416 if (key == NULL) 417 return (-1); 418 if (key->dk_KEY_struct == NULL) 419 return (0); /*%< null key has no private key */ 420 if (key->dk_func == NULL || key->dk_func->to_file_fmt == NULL) { 421 EREPORT(("dst_write_private_key(): Unsupported operation %d\n", 422 key->dk_alg)); 423 return (-5); 424 } else if ((len = key->dk_func->to_file_fmt(key, (char *)encoded_block, 425 sizeof(encoded_block))) <= 0) { 426 EREPORT(("dst_write_private_key(): Failed encoding private RSA bsafe key %d\n", len)); 427 return (-8); 428 } 429 /* Now I can create the file I want to use */ 430 dst_s_build_filename(file, key->dk_key_name, key->dk_id, key->dk_alg, 431 PRIVATE_KEY, PATH_MAX); 432 433 /* Do not overwrite an existing file */ 434 if ((fp = dst_s_fopen(file, "w", 0600)) != NULL) { 435 int nn; 436 if ((nn = fwrite(encoded_block, 1, len, fp)) != len) { 437 EREPORT(("dst_write_private_key(): Write failure on %s %d != %d errno=%d\n", 438 file, len, nn, errno)); 439 fclose(fp); 440 return (-5); 441 } 442 fclose(fp); 443 } else { 444 EREPORT(("dst_write_private_key(): Can not create file %s\n" 445 ,file)); 446 return (-6); 447 } 448 memset(encoded_block, 0, len); 449 return (len); 450} 451 452/*% 453* 454 * dst_read_public_key 455 * Read a public key from disk and store in a DST key structure. 456 * Parameters 457 * in_name K<in_name><in_id>.<public key suffix> is the 458 * filename of the key file to be read. 459 * Returns 460 * NULL If the key does not exist or no name is supplied. 461 * NON-NULL Initialized key structure if the key exists. 462 */ 463 464static DST_KEY * 465dst_s_read_public_key(const char *in_name, const u_int16_t in_id, int in_alg) 466{ 467 int flags, proto, alg, len, dlen; 468 int c; 469 char name[PATH_MAX], enckey[RAW_KEY_SIZE], *notspace; 470 u_char deckey[RAW_KEY_SIZE]; 471 FILE *fp; 472 473 if (in_name == NULL) { 474 EREPORT(("dst_read_public_key(): No key name given\n")); 475 return (NULL); 476 } 477 if (dst_s_build_filename(name, in_name, in_id, in_alg, PUBLIC_KEY, 478 PATH_MAX) == -1) { 479 EREPORT(("dst_read_public_key(): Cannot make filename from %s, %d, and %s\n", 480 in_name, in_id, PUBLIC_KEY)); 481 return (NULL); 482 } 483 /* 484 * Open the file and read it's formatted contents up to key 485 * File format: 486 * domain.name [ttl] [IN] KEY <flags> <protocol> <algorithm> <key> 487 * flags, proto, alg stored as decimal (or hex numbers FIXME). 488 * (FIXME: handle parentheses for line continuation.) 489 */ 490 if ((fp = dst_s_fopen(name, "r", 0)) == NULL) { 491 EREPORT(("dst_read_public_key(): Public Key not found %s\n", 492 name)); 493 return (NULL); 494 } 495 /* Skip domain name, which ends at first blank */ 496 while ((c = getc(fp)) != EOF) 497 if (isspace(c)) 498 break; 499 /* Skip blank to get to next field */ 500 while ((c = getc(fp)) != EOF) 501 if (!isspace(c)) 502 break; 503 504 /* Skip optional TTL -- if initial digit, skip whole word. */ 505 if (isdigit(c)) { 506 while ((c = getc(fp)) != EOF) 507 if (isspace(c)) 508 break; 509 while ((c = getc(fp)) != EOF) 510 if (!isspace(c)) 511 break; 512 } 513 /* Skip optional "IN" */ 514 if (c == 'I' || c == 'i') { 515 while ((c = getc(fp)) != EOF) 516 if (isspace(c)) 517 break; 518 while ((c = getc(fp)) != EOF) 519 if (!isspace(c)) 520 break; 521 } 522 /* Locate and skip "KEY" */ 523 if (c != 'K' && c != 'k') { 524 EREPORT(("\"KEY\" doesn't appear in file: %s", name)); 525 return NULL; 526 } 527 while ((c = getc(fp)) != EOF) 528 if (isspace(c)) 529 break; 530 while ((c = getc(fp)) != EOF) 531 if (!isspace(c)) 532 break; 533 ungetc(c, fp); /*%< return the charcter to the input field */ 534 /* Handle hex!! FIXME. */ 535 536 if (fscanf(fp, "%d %d %d", &flags, &proto, &alg) != 3) { 537 EREPORT(("dst_read_public_key(): Can not read flag/proto/alg field from %s\n" 538 ,name)); 539 return (NULL); 540 } 541 /* read in the key string */ 542 fgets(enckey, sizeof(enckey), fp); 543 544 /* If we aren't at end-of-file, something is wrong. */ 545 while ((c = getc(fp)) != EOF) 546 if (!isspace(c)) 547 break; 548 if (!feof(fp)) { 549 EREPORT(("Key too long in file: %s", name)); 550 return NULL; 551 } 552 fclose(fp); 553 554 if ((len = strlen(enckey)) <= 0) 555 return (NULL); 556 557 /* discard \n */ 558 enckey[--len] = '\0'; 559 560 /* remove leading spaces */ 561 for (notspace = (char *) enckey; isspace((*notspace)&0xff); len--) 562 notspace++; 563 564 dlen = b64_pton(notspace, deckey, sizeof(deckey)); 565 if (dlen < 0) { 566 EREPORT(("dst_read_public_key: bad return from b64_pton = %d", 567 dlen)); 568 return (NULL); 569 } 570 /* store key and info in a key structure that is returned */ 571/* return dst_store_public_key(in_name, alg, proto, 666, flags, deckey, 572 dlen);*/ 573 return dst_buffer_to_key(in_name, alg, flags, proto, deckey, dlen); 574} 575 576/*% 577 * dst_write_public_key 578 * Write a key to disk in DNS format. 579 * Parameters 580 * key Pointer to a DST key structure. 581 * Returns 582 * 0 Failure 583 * 1 Success 584 */ 585 586static int 587dst_s_write_public_key(const DST_KEY *key) 588{ 589 FILE *fp; 590 char filename[PATH_MAX]; 591 u_char out_key[RAW_KEY_SIZE]; 592 char enc_key[RAW_KEY_SIZE]; 593 int len = 0; 594 int mode; 595 596 memset(out_key, 0, sizeof(out_key)); 597 if (key == NULL) { 598 EREPORT(("dst_write_public_key(): No key specified \n")); 599 return (0); 600 } else if ((len = dst_key_to_dnskey(key, out_key, sizeof(out_key)))< 0) 601 return (0); 602 603 /* Make the filename */ 604 if (dst_s_build_filename(filename, key->dk_key_name, key->dk_id, 605 key->dk_alg, PUBLIC_KEY, PATH_MAX) == -1) { 606 EREPORT(("dst_write_public_key(): Cannot make filename from %s, %d, and %s\n", 607 key->dk_key_name, key->dk_id, PUBLIC_KEY)); 608 return (0); 609 } 610 /* XXX in general this should be a check for symmetric keys */ 611 mode = (key->dk_alg == KEY_HMAC_MD5) ? 0600 : 0644; 612 /* create public key file */ 613 if ((fp = dst_s_fopen(filename, "w+", mode)) == NULL) { 614 EREPORT(("DST_write_public_key: open of file:%s failed (errno=%d)\n", 615 filename, errno)); 616 return (0); 617 } 618 /*write out key first base64 the key data */ 619 if (key->dk_flags & DST_EXTEND_FLAG) 620 b64_ntop(&out_key[6], len - 6, enc_key, sizeof(enc_key)); 621 else 622 b64_ntop(&out_key[4], len - 4, enc_key, sizeof(enc_key)); 623 fprintf(fp, "%s IN KEY %d %d %d %s\n", 624 key->dk_key_name, 625 key->dk_flags, key->dk_proto, key->dk_alg, enc_key); 626 fclose(fp); 627 return (1); 628} 629 630/*% 631 * dst_dnskey_to_public_key 632 * This function converts the contents of a DNS KEY RR into a DST 633 * key structure. 634 * Paramters 635 * len Length of the RDATA of the KEY RR RDATA 636 * rdata A pointer to the the KEY RR RDATA. 637 * in_name Key name to be stored in key structure. 638 * Returns 639 * NULL Failure 640 * NON-NULL Success. Pointer to key structure. 641 * Caller's responsibility to free() it. 642 */ 643 644DST_KEY * 645dst_dnskey_to_key(const char *in_name, const u_char *rdata, const int len) 646{ 647 DST_KEY *key_st; 648 int alg ; 649 int start = DST_KEY_START; 650 651 if (rdata == NULL || len <= DST_KEY_ALG) /*%< no data */ 652 return (NULL); 653 alg = (u_int8_t) rdata[DST_KEY_ALG]; 654 if (!dst_check_algorithm(alg)) { /*%< make sure alg is available */ 655 EREPORT(("dst_dnskey_to_key(): Algorithm %d not suppored\n", 656 alg)); 657 return (NULL); 658 } 659 660 if (in_name == NULL) 661 return (NULL); 662 663 if ((key_st = dst_s_get_key_struct(in_name, alg, 0, 0, 0)) == NULL) 664 return (NULL); 665 666 key_st->dk_id = dst_s_dns_key_id(rdata, len); 667 key_st->dk_flags = dst_s_get_int16(rdata); 668 key_st->dk_proto = (u_int16_t) rdata[DST_KEY_PROT]; 669 if (key_st->dk_flags & DST_EXTEND_FLAG) { 670 u_int32_t ext_flags; 671 ext_flags = (u_int32_t) dst_s_get_int16(&rdata[DST_EXT_FLAG]); 672 key_st->dk_flags = key_st->dk_flags | (ext_flags << 16); 673 start += 2; 674 } 675 /* 676 * now point to the begining of the data representing the encoding 677 * of the key 678 */ 679 if (key_st->dk_func && key_st->dk_func->from_dns_key) { 680 if (key_st->dk_func->from_dns_key(key_st, &rdata[start], 681 len - start) > 0) 682 return (key_st); 683 } else 684 EREPORT(("dst_dnskey_to_public_key(): unsuppored alg %d\n", 685 alg)); 686 687 SAFE_FREE(key_st); 688 return (key_st); 689} 690 691/*% 692 * dst_public_key_to_dnskey 693 * Function to encode a public key into DNS KEY wire format 694 * Parameters 695 * key Key structure to encode. 696 * out_storage Location to write the encoded key to. 697 * out_len Size of the output array. 698 * Returns 699 * <0 Failure 700 * >=0 Number of bytes written to out_storage 701 */ 702 703int 704dst_key_to_dnskey(const DST_KEY *key, u_char *out_storage, 705 const int out_len) 706{ 707 u_int16_t val; 708 int loc = 0; 709 int enc_len = 0; 710 if (key == NULL) 711 return (-1); 712 713 if (!dst_check_algorithm(key->dk_alg)) { /*%< make sure alg is available */ 714 EREPORT(("dst_key_to_dnskey(): Algorithm %d not suppored\n", 715 key->dk_alg)); 716 return (UNSUPPORTED_KEYALG); 717 } 718 memset(out_storage, 0, out_len); 719 val = (u_int16_t)(key->dk_flags & 0xffff); 720 dst_s_put_int16(out_storage, val); 721 loc += 2; 722 723 out_storage[loc++] = (u_char) key->dk_proto; 724 out_storage[loc++] = (u_char) key->dk_alg; 725 726 if (key->dk_flags > 0xffff) { /*%< Extended flags */ 727 val = (u_int16_t)((key->dk_flags >> 16) & 0xffff); 728 dst_s_put_int16(&out_storage[loc], val); 729 loc += 2; 730 } 731 if (key->dk_KEY_struct == NULL) 732 return (loc); 733 if (key->dk_func && key->dk_func->to_dns_key) { 734 enc_len = key->dk_func->to_dns_key(key, 735 (u_char *) &out_storage[loc], 736 out_len - loc); 737 if (enc_len > 0) 738 return (enc_len + loc); 739 else 740 return (-1); 741 } else 742 EREPORT(("dst_key_to_dnskey(): Unsupported ALG %d\n", 743 key->dk_alg)); 744 return (-1); 745} 746 747/*% 748 * dst_buffer_to_key 749 * Function to encode a string of raw data into a DST key 750 * Parameters 751 * alg The algorithm (HMAC only) 752 * key A pointer to the data 753 * keylen The length of the data 754 * Returns 755 * NULL an error occurred 756 * NON-NULL the DST key 757 */ 758DST_KEY * 759dst_buffer_to_key(const char *key_name, /*!< name of the key */ 760 const int alg, /*!< algorithm */ 761 const int flags, /*!< dns flags */ 762 const int protocol, /*!< dns protocol */ 763 const u_char *key_buf, /*!< key in dns wire fmt */ 764 const int key_len) /*!< size of key */ 765{ 766 767 DST_KEY *dkey = NULL; 768 int dnslen; 769 u_char dns[2048]; 770 771 if (!dst_check_algorithm(alg)) { /*%< make sure alg is available */ 772 EREPORT(("dst_buffer_to_key(): Algorithm %d not suppored\n", alg)); 773 return (NULL); 774 } 775 776 dkey = dst_s_get_key_struct(key_name, alg, flags, protocol, -1); 777 778 if (dkey == NULL || dkey->dk_func == NULL || 779 dkey->dk_func->from_dns_key == NULL) 780 return (dst_free_key(dkey)); 781 782 if (dkey->dk_func->from_dns_key(dkey, key_buf, key_len) < 0) { 783 EREPORT(("dst_buffer_to_key(): dst_buffer_to_hmac failed\n")); 784 return (dst_free_key(dkey)); 785 } 786 787 dnslen = dst_key_to_dnskey(dkey, dns, sizeof(dns)); 788 dkey->dk_id = dst_s_dns_key_id(dns, dnslen); 789 return (dkey); 790} 791 792int 793dst_key_to_buffer(DST_KEY *key, u_char *out_buff, int buf_len) 794{ 795 int len; 796 /* this function will extrac the secret of HMAC into a buffer */ 797 if (key == NULL) 798 return (0); 799 if (key->dk_func != NULL && key->dk_func->to_dns_key != NULL) { 800 len = key->dk_func->to_dns_key(key, out_buff, buf_len); 801 if (len < 0) 802 return (0); 803 return (len); 804 } 805 return (0); 806} 807 808/*% 809 * dst_s_read_private_key_file 810 * Function reads in private key from a file. 811 * Fills out the KEY structure. 812 * Parameters 813 * name Name of the key to be read. 814 * pk_key Structure that the key is returned in. 815 * in_id Key identifier (tag) 816 * Return 817 * 1 if everthing works 818 * 0 if there is any problem 819 */ 820 821static int 822dst_s_read_private_key_file(char *name, DST_KEY *pk_key, u_int16_t in_id, 823 int in_alg) 824{ 825 int cnt, alg, len, major, minor, file_major, file_minor; 826 int ret, id; 827 char filename[PATH_MAX]; 828 u_char in_buff[RAW_KEY_SIZE], *p; 829 FILE *fp; 830 int dnslen; 831 u_char dns[2048]; 832 833 if (name == NULL || pk_key == NULL) { 834 EREPORT(("dst_read_private_key_file(): No key name given\n")); 835 return (0); 836 } 837 /* Make the filename */ 838 if (dst_s_build_filename(filename, name, in_id, in_alg, PRIVATE_KEY, 839 PATH_MAX) == -1) { 840 EREPORT(("dst_read_private_key(): Cannot make filename from %s, %d, and %s\n", 841 name, in_id, PRIVATE_KEY)); 842 return (0); 843 } 844 /* first check if we can find the key file */ 845 if ((fp = dst_s_fopen(filename, "r", 0)) == NULL) { 846 EREPORT(("dst_s_read_private_key_file: Could not open file %s in directory %s\n", 847 filename, dst_path[0] ? dst_path : 848 (char *) getcwd(NULL, PATH_MAX - 1))); 849 return (0); 850 } 851 /* now read the header info from the file */ 852 if ((cnt = fread(in_buff, 1, sizeof(in_buff), fp)) < 5) { 853 fclose(fp); 854 EREPORT(("dst_s_read_private_key_file: error reading file %s (empty file)\n", 855 filename)); 856 return (0); 857 } 858 /* decrypt key */ 859 fclose(fp); 860 if (memcmp(in_buff, "Private-key-format: v", 20) != 0) 861 goto fail; 862 len = cnt; 863 p = in_buff; 864 865 if (!dst_s_verify_str((const char **) (void *)&p, 866 "Private-key-format: v")) { 867 EREPORT(("dst_s_read_private_key_file(): Not a Key file/Decrypt failed %s\n", name)); 868 goto fail; 869 } 870 /* read in file format */ 871 sscanf((char *)p, "%d.%d", &file_major, &file_minor); 872 sscanf(KEY_FILE_FORMAT, "%d.%d", &major, &minor); 873 if (file_major < 1) { 874 EREPORT(("dst_s_read_private_key_file(): Unknown keyfile %d.%d version for %s\n", 875 file_major, file_minor, name)); 876 goto fail; 877 } else if (file_major > major || file_minor > minor) 878 EREPORT(( 879 "dst_s_read_private_key_file(): Keyfile %s version higher than mine %d.%d MAY FAIL\n", 880 name, file_major, file_minor)); 881 882 while (*p++ != '\n') ; /*%< skip to end of line */ 883 884 if (!dst_s_verify_str((const char **) (void *)&p, "Algorithm: ")) 885 goto fail; 886 887 if (sscanf((char *)p, "%d", &alg) != 1) 888 goto fail; 889 while (*p++ != '\n') ; /*%< skip to end of line */ 890 891 if (pk_key->dk_key_name && !strcmp(pk_key->dk_key_name, name)) 892 SAFE_FREE2(pk_key->dk_key_name, strlen(pk_key->dk_key_name)); 893 pk_key->dk_key_name = (char *) strdup(name); 894 895 /* allocate and fill in key structure */ 896 if (pk_key->dk_func == NULL || pk_key->dk_func->from_file_fmt == NULL) 897 goto fail; 898 899 ret = pk_key->dk_func->from_file_fmt(pk_key, (char *)p, &in_buff[len] - p); 900 if (ret < 0) 901 goto fail; 902 903 dnslen = dst_key_to_dnskey(pk_key, dns, sizeof(dns)); 904 id = dst_s_dns_key_id(dns, dnslen); 905 906 /* Make sure the actual key tag matches the input tag used in the filename 907 */ 908 if (id != in_id) { 909 EREPORT(("dst_s_read_private_key_file(): actual tag of key read %d != input tag used to build filename %d.\n", id, in_id)); 910 goto fail; 911 } 912 pk_key->dk_id = (u_int16_t) id; 913 pk_key->dk_alg = alg; 914 memset(in_buff, 0, cnt); 915 return (1); 916 917 fail: 918 memset(in_buff, 0, cnt); 919 return (0); 920} 921 922/*% 923 * Generate and store a public/private keypair. 924 * Keys will be stored in formatted files. 925 * 926 * Parameters 927 & 928 *\par name Name of the new key. Used to create key files 929 *\li K<name>+<alg>+<id>.public and K<name>+<alg>+<id>.private. 930 *\par bits Size of the new key in bits. 931 *\par exp What exponent to use: 932 *\li 0 use exponent 3 933 *\li non-zero use Fermant4 934 *\par flags The default value of the DNS Key flags. 935 *\li The DNS Key RR Flag field is defined in RFC2065, 936 * section 3.3. The field has 16 bits. 937 *\par protocol 938 *\li Default value of the DNS Key protocol field. 939 *\li The DNS Key protocol field is defined in RFC2065, 940 * section 3.4. The field has 8 bits. 941 *\par alg What algorithm to use. Currently defined: 942 *\li KEY_RSA 1 943 *\li KEY_DSA 3 944 *\li KEY_HMAC 157 945 *\par out_id The key tag is returned. 946 * 947 * Return 948 *\li NULL Failure 949 *\li non-NULL the generated key pair 950 * Caller frees the result, and its dk_name pointer. 951 */ 952DST_KEY * 953dst_generate_key(const char *name, const int bits, const int exp, 954 const int flags, const int protocol, const int alg) 955{ 956 DST_KEY *new_key = NULL; 957 int dnslen; 958 u_char dns[2048]; 959 960 if (name == NULL) 961 return (NULL); 962 963 if (!dst_check_algorithm(alg)) { /*%< make sure alg is available */ 964 EREPORT(("dst_generate_key(): Algorithm %d not suppored\n", alg)); 965 return (NULL); 966 } 967 968 new_key = dst_s_get_key_struct(name, alg, flags, protocol, bits); 969 if (new_key == NULL) 970 return (NULL); 971 if (bits == 0) /*%< null key we are done */ 972 return (new_key); 973 if (new_key->dk_func == NULL || new_key->dk_func->generate == NULL) { 974 EREPORT(("dst_generate_key_pair():Unsupported algorithm %d\n", 975 alg)); 976 return (dst_free_key(new_key)); 977 } 978 if (new_key->dk_func->generate(new_key, exp) <= 0) { 979 EREPORT(("dst_generate_key_pair(): Key generation failure %s %d %d %d\n", 980 new_key->dk_key_name, new_key->dk_alg, 981 new_key->dk_key_size, exp)); 982 return (dst_free_key(new_key)); 983 } 984 985 dnslen = dst_key_to_dnskey(new_key, dns, sizeof(dns)); 986 if (dnslen != UNSUPPORTED_KEYALG) 987 new_key->dk_id = dst_s_dns_key_id(dns, dnslen); 988 else 989 new_key->dk_id = 0; 990 991 return (new_key); 992} 993 994/*% 995 * Release all data structures pointed to by a key structure. 996 * 997 * Parameters 998 *\li f_key Key structure to be freed. 999 */ 1000 1001DST_KEY * 1002dst_free_key(DST_KEY *f_key) 1003{ 1004 1005 if (f_key == NULL) 1006 return (f_key); 1007 if (f_key->dk_func && f_key->dk_func->destroy) 1008 f_key->dk_KEY_struct = 1009 f_key->dk_func->destroy(f_key->dk_KEY_struct); 1010 else { 1011 EREPORT(("dst_free_key(): Unknown key alg %d\n", 1012 f_key->dk_alg)); 1013 } 1014 if (f_key->dk_KEY_struct) { 1015 free(f_key->dk_KEY_struct); 1016 f_key->dk_KEY_struct = NULL; 1017 } 1018 if (f_key->dk_key_name) 1019 SAFE_FREE(f_key->dk_key_name); 1020 SAFE_FREE(f_key); 1021 return (NULL); 1022} 1023 1024/*% 1025 * Return the maximim size of signature from the key specified in bytes 1026 * 1027 * Parameters 1028 *\li key 1029 * 1030 * Returns 1031 * \li bytes 1032 */ 1033int 1034dst_sig_size(DST_KEY *key) { 1035 switch (key->dk_alg) { 1036 case KEY_HMAC_MD5: 1037 return (16); 1038 case KEY_HMAC_SHA1: 1039 return (20); 1040 case KEY_RSA: 1041 return (key->dk_key_size + 7) / 8; 1042 case KEY_DSA: 1043 return (40); 1044 default: 1045 EREPORT(("dst_sig_size(): Unknown key alg %d\n", key->dk_alg)); 1046 return -1; 1047 } 1048} 1049 1050/*! \file */ 1051