1/* $NetBSD: dst_internal.h,v 1.9 2024/02/21 22:52:06 christos Exp $ */ 2 3/* 4 * Copyright (C) Internet Systems Consortium, Inc. ("ISC") 5 * 6 * SPDX-License-Identifier: MPL-2.0 AND ISC 7 * 8 * This Source Code Form is subject to the terms of the Mozilla Public 9 * License, v. 2.0. If a copy of the MPL was not distributed with this 10 * file, you can obtain one at https://mozilla.org/MPL/2.0/. 11 * 12 * See the COPYRIGHT file distributed with this work for additional 13 * information regarding copyright ownership. 14 */ 15 16/* 17 * Portions Copyright (C) Network Associates, Inc. 18 * 19 * Permission to use, copy, modify, and/or distribute this software for any 20 * purpose with or without fee is hereby granted, provided that the above 21 * copyright notice and this permission notice appear in all copies. 22 * 23 * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS 24 * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED 25 * WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE 26 * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES 27 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN 28 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR 29 * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 30 */ 31 32#pragma once 33 34#include <inttypes.h> 35#include <stdbool.h> 36 37#include <openssl/dh.h> 38#include <openssl/err.h> 39#include <openssl/evp.h> 40#include <openssl/objects.h> 41#include <openssl/rsa.h> 42 43#include <isc/buffer.h> 44#include <isc/hmac.h> 45#include <isc/lang.h> 46#include <isc/magic.h> 47#include <isc/md.h> 48#include <isc/refcount.h> 49#include <isc/region.h> 50#include <isc/stdtime.h> 51#include <isc/types.h> 52 53#include <dns/time.h> 54 55#include <dst/dst.h> 56 57ISC_LANG_BEGINDECLS 58 59#define KEY_MAGIC ISC_MAGIC('D', 'S', 'T', 'K') 60#define CTX_MAGIC ISC_MAGIC('D', 'S', 'T', 'C') 61 62#define VALID_KEY(x) ISC_MAGIC_VALID(x, KEY_MAGIC) 63#define VALID_CTX(x) ISC_MAGIC_VALID(x, CTX_MAGIC) 64 65/*** 66 *** Types 67 ***/ 68 69typedef struct dst_func dst_func_t; 70 71typedef struct dst_hmac_key dst_hmac_key_t; 72 73/*% 74 * Indicate whether a DST context will be used for signing 75 * or for verification 76 */ 77typedef enum { DO_SIGN, DO_VERIFY } dst_use_t; 78 79/*% DST Key Structure */ 80struct dst_key { 81 unsigned int magic; 82 isc_refcount_t refs; 83 isc_mutex_t mdlock; /*%< lock for read/write metadata */ 84 dns_name_t *key_name; /*%< name of the key */ 85 unsigned int key_size; /*%< size of the key in bits */ 86 unsigned int key_proto; /*%< protocols this key is used for 87 * */ 88 unsigned int key_alg; /*%< algorithm of the key */ 89 uint32_t key_flags; /*%< flags of the public key */ 90 uint16_t key_id; /*%< identifier of the key */ 91 uint16_t key_rid; /*%< identifier of the key when 92 * revoked */ 93 uint16_t key_bits; /*%< hmac digest bits */ 94 dns_rdataclass_t key_class; /*%< class of the key record */ 95 dns_ttl_t key_ttl; /*%< default/initial dnskey ttl */ 96 isc_mem_t *mctx; /*%< memory context */ 97 char *engine; /*%< engine name (HSM) */ 98 char *label; /*%< engine label (HSM) */ 99 union { 100 void *generic; 101 dns_gss_ctx_id_t gssctx; 102 DH *dh; 103 EVP_PKEY *pkey; 104 dst_hmac_key_t *hmac_key; 105 } keydata; /*%< pointer to key in crypto pkg fmt */ 106 107 isc_stdtime_t times[DST_MAX_TIMES + 1]; /*%< timing metadata */ 108 bool timeset[DST_MAX_TIMES + 1]; /*%< data set? */ 109 110 uint32_t nums[DST_MAX_NUMERIC + 1]; /*%< numeric metadata 111 * */ 112 bool numset[DST_MAX_NUMERIC + 1]; /*%< data set? */ 113 114 bool bools[DST_MAX_BOOLEAN + 1]; /*%< boolean metadata 115 * */ 116 bool boolset[DST_MAX_BOOLEAN + 1]; /*%< data set? */ 117 118 dst_key_state_t keystates[DST_MAX_KEYSTATES + 1]; /*%< key states 119 * */ 120 bool keystateset[DST_MAX_KEYSTATES + 1]; /*%< data 121 * set? */ 122 123 bool kasp; /*%< key has kasp state */ 124 bool inactive; /*%< private key not present as it is 125 * inactive */ 126 bool external; /*%< external key */ 127 bool modified; /*%< set to true if key file metadata has changed */ 128 129 int fmt_major; /*%< private key format, major version 130 * */ 131 int fmt_minor; /*%< private key format, minor version 132 * */ 133 134 dst_func_t *func; /*%< crypto package specific functions */ 135 isc_buffer_t *key_tkeytoken; /*%< TKEY token data */ 136}; 137 138struct dst_context { 139 unsigned int magic; 140 dst_use_t use; 141 dst_key_t *key; 142 isc_mem_t *mctx; 143 isc_logcategory_t *category; 144 union { 145 void *generic; 146 dst_gssapi_signverifyctx_t *gssctx; 147 isc_hmac_t *hmac_ctx; 148 EVP_MD_CTX *evp_md_ctx; 149 } ctxdata; 150}; 151 152struct dst_func { 153 /* 154 * Context functions 155 */ 156 isc_result_t (*createctx)(dst_key_t *key, dst_context_t *dctx); 157 isc_result_t (*createctx2)(dst_key_t *key, int maxbits, 158 dst_context_t *dctx); 159 void (*destroyctx)(dst_context_t *dctx); 160 isc_result_t (*adddata)(dst_context_t *dctx, const isc_region_t *data); 161 162 /* 163 * Key operations 164 */ 165 isc_result_t (*sign)(dst_context_t *dctx, isc_buffer_t *sig); 166 isc_result_t (*verify)(dst_context_t *dctx, const isc_region_t *sig); 167 isc_result_t (*verify2)(dst_context_t *dctx, int maxbits, 168 const isc_region_t *sig); 169 isc_result_t (*computesecret)(const dst_key_t *pub, 170 const dst_key_t *priv, 171 isc_buffer_t *secret); 172 bool (*compare)(const dst_key_t *key1, const dst_key_t *key2); 173 bool (*paramcompare)(const dst_key_t *key1, const dst_key_t *key2); 174 isc_result_t (*generate)(dst_key_t *key, int parms, 175 void (*callback)(int)); 176 bool (*isprivate)(const dst_key_t *key); 177 void (*destroy)(dst_key_t *key); 178 179 /* conversion functions */ 180 isc_result_t (*todns)(const dst_key_t *key, isc_buffer_t *data); 181 isc_result_t (*fromdns)(dst_key_t *key, isc_buffer_t *data); 182 isc_result_t (*tofile)(const dst_key_t *key, const char *directory); 183 isc_result_t (*parse)(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub); 184 185 /* cleanup */ 186 void (*cleanup)(void); 187 188 isc_result_t (*fromlabel)(dst_key_t *key, const char *engine, 189 const char *label, const char *pin); 190 isc_result_t (*dump)(dst_key_t *key, isc_mem_t *mctx, char **buffer, 191 int *length); 192 isc_result_t (*restore)(dst_key_t *key, const char *keystr); 193}; 194 195/*% 196 * Initializers 197 */ 198isc_result_t 199dst__openssl_init(const char *engine); 200 201isc_result_t 202dst__hmacmd5_init(struct dst_func **funcp); 203isc_result_t 204dst__hmacsha1_init(struct dst_func **funcp); 205isc_result_t 206dst__hmacsha224_init(struct dst_func **funcp); 207isc_result_t 208dst__hmacsha256_init(struct dst_func **funcp); 209isc_result_t 210dst__hmacsha384_init(struct dst_func **funcp); 211isc_result_t 212dst__hmacsha512_init(struct dst_func **funcp); 213isc_result_t 214dst__openssldh_init(struct dst_func **funcp); 215isc_result_t 216dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm); 217isc_result_t 218dst__opensslecdsa_init(struct dst_func **funcp); 219#if HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 220isc_result_t 221dst__openssleddsa_init(struct dst_func **funcp); 222#endif /* HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 */ 223#if HAVE_GSSAPI 224isc_result_t 225dst__gssapi_init(struct dst_func **funcp); 226#endif /* HAVE_GSSAPI*/ 227 228/*% 229 * Destructors 230 */ 231void 232dst__openssl_destroy(void); 233 234/*% 235 * Memory allocators using the DST memory pool. 236 */ 237void * 238dst__mem_alloc(size_t size); 239void 240dst__mem_free(void *ptr); 241void * 242dst__mem_realloc(void *ptr, size_t size); 243 244/*% 245 * Secure private file handling 246 */ 247FILE * 248dst_key_open(char *tmpname, mode_t mode); 249isc_result_t 250dst_key_close(char *tmpname, FILE *fp, char *filename); 251isc_result_t 252dst_key_cleanup(char *tmpname, FILE *fp); 253 254ISC_LANG_ENDDECLS 255 256/*! \file */ 257