chiark / gitweb /
~mdw / tripe / blame_incremental
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (non-incremental) | history | HEAD
server/tests.at: Fix TRIPECTL_INTERACT argument order.
[tripe] / server / keymgmt.c
... / ...
CommitLineData
1/* -*-c-*-
2 *
3 * Key loading and storing
4 *
5 * (c) 2001 Straylight/Edgeware
6 */
7
8/*----- Licensing notice --------------------------------------------------*
9 *
10 * This file is part of Trivial IP Encryption (TrIPE).
11 *
12 * TrIPE is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
16 *
17 * TrIPE is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
21 *
22 * You should have received a copy of the GNU General Public License
23 * along with TrIPE; if not, write to the Free Software Foundation,
24 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
25 */
26
27/*----- Header files ------------------------------------------------------*/
28
29#include "tripe.h"
30
31/*----- Global variables --------------------------------------------------*/
32
33group *gg;
34mp *kpriv;
35ge *kpub;
36algswitch algs;
37size_t indexsz;
38
39/*----- Static variables --------------------------------------------------*/
40
41static key_file *kf_pub;
42static const char *kr_priv, *kr_pub, *tag_priv;
43static fwatch w_priv, w_pub;
44
45/*----- Key groups --------------------------------------------------------*/
46
47typedef struct kgops {
48 const char *ty;
49 const char *(*loadpriv)(key_data *, group **, mp **, dstr *);
50 const char *(*loadpub)(key_data *, group **, ge **, dstr *);
51} kgops;
52
53/* --- Diffie-Hellman --- */
54
55static const char *kgdh_priv(key_data *kd, group **g, mp **x, dstr *t)
56{
57 key_packstruct kps[DH_PRIVFETCHSZ];
58 key_packdef *kp;
59 dh_priv dp;
60 const char *e;
61 int rc;
62
63 kp = key_fetchinit(dh_privfetch, kps, &dp);
64 if ((rc = key_unpack(kp, kd, t)) != 0) {
65 e = key_strerror(rc);
66 goto done;
67 }
68 *g = group_prime(&dp.dp);
69 *x = MP_COPY(dp.x);
70 e = 0;
71done:
72 key_fetchdone(kp);
73 return (e);
74}
75
76static const char *kgdh_pub(key_data *kd, group **g, ge **p, dstr *t)
77{
78 key_packstruct kps[DH_PUBFETCHSZ];
79 key_packdef *kp;
80 dh_pub dp;
81 const char *e;
82 int rc;
83
84 kp = key_fetchinit(dh_pubfetch, kps, &dp);
85 if ((rc = key_unpack(kp, kd, t)) != 0) {
86 e = key_strerror(rc);
87 goto done;
88 }
89 *g = group_prime(&dp.dp);
90 *p = G_CREATE(*g);
91 if (G_FROMINT(*g, *p, dp.y)) {
92 e = "bad public value";
93 goto done;
94 }
95 e = 0;
96done:
97 key_fetchdone(kp);
98 return (e);
99}
100
101static const kgops kgdh_ops = { "dh", kgdh_priv, kgdh_pub };
102
103/* --- Elliptic curve --- */
104
105static const char *kgec_priv(key_data *kd, group **g, mp **x, dstr *t)
106{
107 key_packstruct kps[EC_PRIVFETCHSZ];
108 key_packdef *kp;
109 ec_priv ep;
110 ec_info ei;
111 const char *e;
112 int rc;
113
114 kp = key_fetchinit(ec_privfetch, kps, &ep);
115 if ((rc = key_unpack(kp, kd, t)) != 0) {
116 e = key_strerror(rc);
117 goto done;
118 }
119 if ((e = ec_getinfo(&ei, ep.cstr)) != 0)
120 goto done;
121 *g = group_ec(&ei);
122 *x = MP_COPY(ep.x);
123 e = 0;
124done:
125 key_fetchdone(kp);
126 return (e);
127}
128
129static const char *kgec_pub(key_data *kd, group **g, ge **p, dstr *t)
130{
131 key_packstruct kps[EC_PUBFETCHSZ];
132 key_packdef *kp;
133 ec_pub ep;
134 ec_info ei;
135 const char *e;
136 int rc;
137
138 kp = key_fetchinit(ec_pubfetch, kps, &ep);
139 if ((rc = key_unpack(kp, kd, t)) != 0) {
140 e = key_strerror(rc);
141 goto done;
142 }
143 if ((e = ec_getinfo(&ei, ep.cstr)) != 0)
144 goto done;
145 *g = group_ec(&ei);
146 *p = G_CREATE(*g);
147 if (G_FROMEC(*g, *p, &ep.p)) {
148 e = "bad public point";
149 goto done;
150 }
151 e = 0;
152done:
153 key_fetchdone(kp);
154 return (e);
155}
156
157static const kgops kgec_ops = { "ec", kgec_priv, kgec_pub };
158
159/* --- Table of supported key types --- */
160
161static const kgops *kgtab[] = { &kgdh_ops, &kgec_ops, 0 };
162
163/*----- Algswitch stuff ---------------------------------------------------*/
164
165/* --- @algs_get@ --- *
166 *
167 * Arguments: @algswitch *a@ = where to put the algorithms
168 * @key_file *kf@ = key file (for some stupid reason)
169 * @key *k@ = key to inspect
170 *
171 * Returns: Null if OK, or an error message.
172 *
173 * Use: Extracts an algorithm choice from a key.
174 */
175
176static const char *algs_get(algswitch *a, key_file *kf, key *k)
177{
178 const char *p;
179 char *q;
180 dstr d = DSTR_INIT;
181 const char *e;
182
183#define FAIL(msg) do { e = msg; goto done; } while (0)
184
185 if ((p = key_getattr(kf, k, "cipher")) == 0)
186 p = "blowfish-cbc";
187 if ((a->c = gcipher_byname(p)) == 0)
188 FAIL("unknown-cipher");
189
190 if ((p = key_getattr(kf, k, "hash")) == 0)
191 p = "rmd160";
192 if ((a->h = ghash_byname(p)) == 0)
193 FAIL("unknown-hash");
194
195 if ((p = key_getattr(kf, k, "mgf")) == 0) {
196 dstr_reset(&d);
197 dstr_putf(&d, "%s-mgf", a->h->name);
198 p = d.buf;
199 }
200 if ((a->mgf = gcipher_byname(p)) == 0)
201 FAIL("unknown-mgf-cipher");
202
203 if ((p = key_getattr(kf, k, "mac")) != 0) {
204 dstr_reset(&d);
205 dstr_puts(&d, p);
206 if ((q = strchr(d.buf, '/')) != 0)
207 *q++ = 0;
208 if ((a->m = gmac_byname(d.buf)) == 0)
209 FAIL("unknown-mac");
210 if (!q)
211 a->tagsz = a->m->hashsz;
212 else {
213 unsigned long n = strtoul(q, &q, 0);
214 if (*q) FAIL("bad-tag-length-string");
215 if (n%8 || n > ~(size_t)0) FAIL("bad-tag-length");
216 a->tagsz = n/8;
217 }
218 } else {
219 dstr_reset(&d);
220 dstr_putf(&d, "%s-hmac", a->h->name);
221 if ((a->m = gmac_byname(d.buf)) == 0)
222 FAIL("no-hmac-for-hash");
223 a->tagsz = a->h->hashsz/2;
224 }
225
226 e = 0;
227done:
228 dstr_destroy(&d);
229 return (e);
230}
231
232/* --- @algs_check@ --- *
233 *
234 * Arguments: @algswitch *a@ = a choice of algorithms
235 * @const group *g@ = the group we're working in
236 *
237 * Returns: Null if OK, or an error message.
238 *
239 * Use: Checks an algorithm choice for sensibleness. This also
240 * derives some useful information from the choices, and you
241 * must call this before committing the algorithm selection
242 * for use by @keyset@ functions.
243 */
244
245static const char *algs_check(algswitch *a, const group *g)
246{
247 /* --- Derive the key sizes --- *
248 *
249 * Must ensure that we have non-empty keys. This isn't ideal, but it
250 * provides a handy sanity check. Also must be based on a 64- or 128-bit
251 * block cipher or we can't do the data expiry properly.
252 */
253
254 a->hashsz = a->h->hashsz;
255 if ((a->cksz = keysz(a->hashsz, a->c->keysz)) == 0)
256 return ("no key size found for cipher");
257 if ((a->mksz = keysz(a->hashsz, a->m->keysz)) == 0)
258 return ("no key size found for MAC");
259
260 /* --- Derive the data limit --- */
261
262 if (a->c->blksz < 16) a->expsz = MEG(64);
263 else a->expsz = MEG(2048);
264
265 /* --- Ensure that the tag size is sane --- */
266
267 if (a->tagsz > a->m->hashsz) return ("tag length too large");
268
269 /* --- Ensure the MGF accepts hashes as keys --- */
270
271 if (keysz(a->hashsz, a->mgf->keysz) != a->hashsz)
272 return ("MGF not suitable -- restrictive key schedule");
273
274 /* --- All ship-shape and Bristol-fashion --- */
275
276 return (0);
277}
278
279/* --- @algs_samep@ --- *
280 *
281 * Arguments: @const algswitch *a, *aa@ = two algorithm selections
282 *
283 * Returns: Nonzero if the two selections are the same.
284 *
285 * Use: Checks sameness of algorithm selections: used to ensure that
286 * peers are using sensible algorithms.
287 */
288
289static int algs_samep(const algswitch *a, const algswitch *aa)
290{
291 return (a->c == aa->c && a->mgf == aa->mgf && a->h == aa->h &&
292 a->m == aa->m && a->tagsz == aa->tagsz);
293}
294
295/*----- Main code ---------------------------------------------------------*/
296
297/* --- @keymoan@ --- *
298 *
299 * Arguments: @const char *file@ = name of the file
300 * @int line@ = line number in file
301 * @const char *msg@ = error message
302 * @void *p@ = argument pointer
303 *
304 * Returns: ---
305 *
306 * Use: Reports an error message about loading a key file.
307 */
308
309static void keymoan(const char *file, int line, const char *msg, void *p)
310{
311 a_warn("KEYMGMT",
312 "key-file-error",
313 "%s:%i", file, line,
314 "%s", msg,
315 A_END);
316}
317
318/* --- @keykg@ --- *
319 *
320 * Arguments: @key_file *kf@ = pointer to key file
321 * @key *k@ = pointer to key
322 * @const char **tyr@ = where to put the type string
323 *
324 * Returns: Pointer to indicated key-group options, or null.
325 *
326 * Use: Looks up a key's group indicator and tries to find a matching
327 * table entry.
328 */
329
330static const kgops *keykg(key_file *kf, key *k, const char **tyr)
331{
332 const char *ty;
333 const kgops **ko;
334
335 /* --- Look up the key type in the table --- *
336 *
337 * There are several places to look for this. The most obvious is the
338 * `kx-group' key attribute. But there's also the key type itself.
339 */
340
341 ty = key_getattr(kf, k, "kx-group");
342 if (!ty && strncmp(k->type, "tripe-", 6) == 0) ty = k->type + 6;
343 if (!ty) ty = "dh";
344 if (tyr) *tyr = ty;
345
346 for (ko = kgtab; *ko; ko++) {
347 if (strcmp((*ko)->ty, ty) == 0)
348 return (*ko);
349 }
350 return (0);
351}
352
353/* --- @loadpriv@ --- *
354 *
355 * Arguments: @dstr *d@ = string to write errors in
356 *
357 * Returns: Zero if OK, nonzero on error.
358 *
359 * Use: Loads the private key from its keyfile.
360 */
361
362static int loadpriv(dstr *d)
363{
364 key_file kf;
365 key *k;
366 key_data **kd;
367 dstr t = DSTR_INIT;
368 group *g = 0;
369 mp *x = 0;
370 int rc = -1;
371 const kgops *ko;
372 const char *e, *tag, *ty;
373 algswitch a;
374
375 /* --- Open the private key file --- */
376
377 if (key_open(&kf, kr_priv, KOPEN_READ, keymoan, 0)) {
378 dstr_putf(d, "error reading private keyring `%s': %s",
379 kr_priv, strerror(errno));
380 goto done_0;
381 }
382
383 /* --- Find the private key --- */
384
385 if (tag_priv ?
386 key_qtag(&kf, tag = tag_priv, &t, &k, &kd) :
387 key_qtag(&kf, tag = "tripe", &t, &k, &kd) &&
388 key_qtag(&kf, tag = "tripe-dh", &t, &k, &kd)) {
389 dstr_putf(d, "private key `%s' not found in keyring `%s'", tag, kr_priv);
390 goto done_1;
391 }
392
393 /* --- Look up the key type in the table --- */
394
395 if ((ko = keykg(&kf, k, &ty)) == 0) {
396 dstr_putf(d, "private key `%s' has unknown type `%s'", t.buf, ty);
397 goto done_1;
398 }
399
400 /* --- Load the key --- */
401
402 if ((e = ko->loadpriv(*kd, &g, &x, &t)) != 0) {
403 dstr_putf(d, "error reading private key `%s': %s", t.buf, e);
404 goto done_1;
405 }
406
407 /* --- Check that the key is sensible --- */
408
409 if ((e = G_CHECK(g, &rand_global)) != 0) {
410 dstr_putf(d, "bad group in private key `%s': %s", t.buf, e);
411 goto done_1;
412 }
413
414 /* --- Collect the algorithms --- */
415
416 if ((e = algs_get(&a, &kf, k)) != 0 ||
417 (e = algs_check(&a, g)) != 0) {
418 dstr_putf(d, "bad symmetric algorithm selection in private key `%s': %s",
419 t.buf, e);
420 goto done_1;
421 }
422
423 /* --- Good, we're happy --- *
424 *
425 * Dodginess! We change the group over here, but don't free any old group
426 * elements. This assumes that the new group is basically the same as the
427 * old one, and will happily adopt the existing elements. If it isn't,
428 * then we lose badly. Check this, then.
429 */
430
431 if (gg) {
432 if (!group_samep(g, gg)) {
433 dstr_putf(d, "private key `%s' has different group", t.buf);
434 goto done_1;
435 }
436 G_DESTROYGROUP(gg);
437 }
438 if (kpriv)
439 mp_drop(kpriv);
440
441 if (kpub)
442 G_DESTROY(g, kpub);
443 kpub = G_CREATE(g);
444 G_EXP(g, kpub, g->g, x);
445 indexsz = mp_octets(g->r);
446
447 /* --- Dump out the group --- */
448
449 IF_TRACING(T_KEYMGMT, {
450 trace(T_KEYMGMT, "keymgmt: extracted private key `%s'", t.buf);
451 IF_TRACING(T_CRYPTO, {
452 trace(T_CRYPTO, "crypto: r = %s", mpstr(g->r));
453 trace(T_CRYPTO, "crypto: h = %s", mpstr(g->h));
454 trace(T_CRYPTO, "crypto: x = %s", mpstr(x));
455 trace(T_CRYPTO, "crypto: cipher = %s", a.c->name);
456 trace(T_CRYPTO, "crypto: mgf = %s", a.mgf->name);
457 trace(T_CRYPTO, "crypto: hash = %s", a.h->name);
458 trace(T_CRYPTO, "crypto: mac = %s/%lu",
459 a.m->name, (unsigned long)a.tagsz * 8);
460 })
461 })
462
463 /* --- Success! --- */
464
465 gg = g; g = 0;
466 algs = a;
467 kpriv = x; x = 0;
468 rc = 0;
469
470 /* --- Tidy up --- */
471
472done_1:
473 key_close(&kf);
474done_0:
475 dstr_destroy(&t);
476 if (x) mp_drop(x);
477 if (g) G_DESTROYGROUP(g);
478 return (rc);
479}
480
481/* --- @loadpub@ --- *
482 *
483 * Arguments: @dstr *d@ = string to write errors to
484 *
485 * Returns: Zero if OK, nonzero on error.
486 *
487 * Use: Reloads the public keyring.
488 */
489
490static int loadpub(dstr *d)
491{
492 key_file *kf = CREATE(key_file);
493
494 if (key_open(kf, kr_pub, KOPEN_READ, keymoan, 0)) {
495 dstr_putf(d, "error reading public keyring `%s': %s",
496 kr_pub, strerror(errno));
497 DESTROY(kf);
498 return (-1);
499 }
500 kf_pub = kf;
501 T( trace(T_KEYMGMT, "keymgmt: loaded public keyring `%s'", kr_pub); )
502 return (0);
503}
504
505/* --- @km_reload@ --- *
506 *
507 * Arguments: ---
508 *
509 * Returns: Zero if OK, nonzero to force reloading of keys.
510 *
511 * Use: Checks the keyrings to see if they need reloading.
512 */
513
514int km_reload(void)
515{
516 dstr d = DSTR_INIT;
517 key_file *kf;
518 int reload = 0;
519
520 /* --- Check the private key first --- */
521
522 if (fwatch_update(&w_priv, kr_priv)) {
523 T( trace(T_KEYMGMT, "keymgmt: private keyring updated: reloading..."); )
524 DRESET(&d);
525 if (loadpriv(&d))
526 a_warn("KEYMGMT", "bad-private-key", "%s", d.buf, A_END);
527 else
528 reload = 1;
529 }
530
531 /* --- Now check the public keys --- */
532
533 if (fwatch_update(&w_pub, kr_pub)) {
534 T( trace(T_KEYMGMT, "keymgmt: public keyring updated: reloading..."); )
535 kf = kf_pub;
536 DRESET(&d);
537 if (loadpub(&d))
538 a_warn("KEYMGMT", "bad-public-keyring", "%s", d.buf, A_END);
539 else {
540 reload = 1;
541 key_close(kf);
542 DESTROY(kf);
543 }
544 }
545
546 /* --- Done --- */
547
548 return (reload);
549}
550
551/* --- @km_init@ --- *
552 *
553 * Arguments: @const char *priv@ = private keyring file
554 * @const char *pub@ = public keyring file
555 * @const char *tag@ = tag to load
556 *
557 * Returns: ---
558 *
559 * Use: Initializes, and loads the private key.
560 */
561
562void km_init(const char *priv, const char *pub, const char *tag)
563{
564 dstr d = DSTR_INIT;
565 const gchash *const *hh;
566
567 kr_priv = priv;
568 kr_pub = pub;
569 tag_priv = tag;
570 fwatch_init(&w_priv, kr_priv);
571 fwatch_init(&w_pub, kr_pub);
572
573 for (hh = ghashtab; *hh; hh++) {
574 if ((*hh)->hashsz > MAXHASHSZ) {
575 die(EXIT_FAILURE, "INTERNAL ERROR: %s hash length %lu > MAXHASHSZ %d",
576 (*hh)->name, (unsigned long)(*hh)->hashsz, MAXHASHSZ);
577 }
578 }
579
580 DRESET(&d);
581 if (loadpriv(&d))
582 die(EXIT_FAILURE, "%s", d.buf);
583 if (loadpub(&d))
584 die(EXIT_FAILURE, "%s", d.buf);
585}
586
587/* --- @km_getpubkey@ --- *
588 *
589 * Arguments: @const char *tag@ = public key tag to load
590 * @ge *kpub@ = where to put the public key
591 * @time_t *t_exp@ = where to put the expiry time
592 *
593 * Returns: Zero if OK, nonzero if it failed.
594 *
595 * Use: Fetches a public key from the keyring.
596 */
597
598int km_getpubkey(const char *tag, ge *kpub, time_t *t_exp)
599{
600 key *k;
601 key_data **kd;
602 dstr t = DSTR_INIT;
603 const kgops *ko;
604 const char *e, *ty;
605 group *g = 0;
606 ge *p = 0;
607 algswitch a;
608 int rc = -1;
609
610 /* --- Find the key --- */
611
612 if (key_qtag(kf_pub, tag, &t, &k, &kd)) {
613 a_warn("KEYMGMT", "public-key", "%s", tag, "not-found", A_END);
614 goto done;
615 }
616
617 /* --- Look up the key type in the table --- */
618
619 if ((ko = keykg(kf_pub, k, &ty)) == 0) {
620 a_warn("KEYMGMT",
621 "public-key", "%s", t.buf,
622 "unknown-type", "%s", ty,
623 A_END);
624 goto done;
625 }
626
627 /* --- Load the key --- */
628
629 if ((e = ko->loadpub(*kd, &g, &p, &t)) != 0) {
630 a_warn("KEYMGMT", "public-key", "%s", t.buf, "bad", "%s", e, A_END);
631 goto done;
632 }
633
634 /* --- Ensure that the group is correct --- *
635 *
636 * Dodginess! We assume that if this works, our global group is willing to
637 * adopt this public element. Probably reasonable.
638 */
639
640 if (!group_samep(gg, g)) {
641 a_warn("KEYMGMT", "public-key", "%s", t.buf, "incorrect-group", A_END);
642 goto done;
643 }
644
645 /* --- Check the public group element --- */
646
647 if (group_check(gg, p)) {
648 a_warn("KEYMGMT",
649 "public-key", "%s", t.buf,
650 "bad-public-group-element",
651 A_END);
652 goto done;
653 }
654
655 /* --- Check the algorithms --- */
656
657 if ((e = algs_get(&a, kf_pub, k)) != 0) {
658 a_warn("KEYMGMT",
659 "public-key", "%s", t.buf,
660 "bad-algorithm-selection", e,
661 A_END);
662 goto done;
663 }
664 if (!algs_samep(&a, &algs)) {
665 a_warn("KEYMGMT",
666 "public-key", "%s", t.buf,
667 "algorithm-mismatch",
668 A_END);
669 goto done;
670 }
671
672 /* --- Dump the public key --- */
673
674 IF_TRACING(T_KEYMGMT, {
675 trace(T_KEYMGMT, "keymgmt: extracted public key `%s'", t.buf);
676 trace(T_CRYPTO, "crypto: p = %s", gestr(gg, p));
677 })
678
679 /* --- OK, accept the public key --- */
680
681 *t_exp = k->exp;
682 G_COPY(gg, kpub, p);
683 rc = 0;
684
685 /* --- Tidy up --- */
686
687done:
688 if (p) G_DESTROY(g, p);
689 if (g) G_DESTROYGROUP(g);
690 dstr_destroy(&t);
691 return (rc);
692}
693
694/*----- That's all, folks -------------------------------------------------*/
Trivial IP Encryption: a simple VPN