server/admin.c: Remove spurious `ping' in usage message.

[tripe] / server / keymgmt.c

/* -*-c-*-
 *
 * Key loading and storing
 *
 * (c) 2001 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------*
 *
 * This file is part of Trivial IP Encryption (TrIPE).
 *
 * TrIPE is free software: you can redistribute it and/or modify it under
 * the terms of the GNU General Public License as published by the Free
 * Software Foundation; either version 3 of the License, or (at your
 * option) any later version.
 *
 * TrIPE is distributed in the hope that it will be useful, but WITHOUT
 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
 * FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with TrIPE.  If not, see <https://www.gnu.org/licenses/>.
 */

/*----- Header files ------------------------------------------------------*/

#include "tripe.h"

/*----- Algswitch stuff ---------------------------------------------------*/

/* --- @algs_get@ --- *
 *
 * Arguments:   @algswitch *a@ = where to put the algorithms
 *              @dstr *e@ = where to write error tokens
 *              @key_file *kf@ = key file
 *              @key *k@ = key to inspect
 *
 * Returns:     Zero if OK; nonzero on error.
 *
 * Use:         Extracts an algorithm choice from a key.
 */

static int algs_get(algswitch *a, dstr *e, key_file *kf, key *k)
{
  const char *p;
  const bulkops *bops;
  dstr d = DSTR_INIT, dd = DSTR_INIT;
  int rc = -1;

  /* --- Hash function --- */

  if ((p = key_getattr(kf, k, "hash")) == 0) p = "rmd160";
  if ((a->h = ghash_byname(p)) == 0) {
    a_format(e, "unknown-hash", "%s", p, A_END);
    goto done;
  }

  /* --- Symmetric encryption for key derivation --- */

  if ((p = key_getattr(kf, k, "mgf")) == 0) {
    dstr_reset(&d);
    dstr_putf(&d, "%s-mgf", a->h->name);
    p = d.buf;
  }
  if ((a->mgf = gcipher_byname(p)) == 0) {
    a_format(e, "unknown-mgf-cipher", "%s", p, A_END);
    goto done;
  }

  /* --- Bulk crypto transform --- */

  if ((p = key_getattr(kf, k, "bulk")) == 0) p = "v0";
  for (bops = bulktab; bops->name && strcmp(p, bops->name) != 0; bops++);
  if (!bops->name) {
    a_format(e, "unknown-bulk-transform", "%s", p, A_END);
    goto done;
  }
  if ((a->bulk = bops->getalgs(a, e, kf, k)) == 0) goto done;
  a->bulk->ops = bops;

  /* --- All done --- */

  rc = 0;
done:
  dstr_destroy(&d);
  dstr_destroy(&dd);
  return (rc);
}

/* --- @algs_check@ --- *
 *
 * Arguments:   @algswitch *a@ = a choice of algorithms
 *              @dstr *e@ = where to write error tokens
 *              @const dhgrp *grp@ = the group we're working in
 *
 * Returns:     Zero if OK; nonzero on error.
 *
 * Use:         Checks an algorithm choice for sensibleness.  This also
 *              derives some useful information from the choices, and you
 *              must call this before committing the algorithm selection
 *              for use by @keyset@ functions.
 */

static int algs_check(algswitch *a, dstr *e, const dhgrp *grp)
{
  a->hashsz = a->h->hashsz;

  if (keysz(a->hashsz, a->mgf->keysz) != a->hashsz) {
    a_format(e, "mgf", "%s", a->mgf->name,
             "restrictive-key-schedule",
             A_END);
    return (-1);
  }

  if (a->bulk->ops->checkalgs(a->bulk, a, e)) return (-1);

  return (0);
}

/* --- @km_samealgsp@ --- *
 *
 * Arguments:   @const kdata *kdx, *kdy@ = two key data objects
 *
 * Returns:     Nonzero if their two algorithm selections are the same.
 *
 * Use:         Checks sameness of algorithm selections: used to ensure that
 *              peers are using sensible algorithms.
 */

int km_samealgsp(const kdata *kdx, const kdata *kdy)
{
  const algswitch *a = &kdx->algs, *aa = &kdy->algs;

  return (kdx->grp->ops == kdy->grp->ops &&
          kdx->grp->ops->samegrpp(kdx->grp, kdy->grp) &&
          a->mgf == aa->mgf && a->h == aa->h &&
          a->bulk->ops == aa->bulk->ops &&
          a->bulk->ops->samealgsp(a->bulk, aa->bulk));
}

/*----- Key data and key nodes --------------------------------------------*/

typedef struct keyhalf {
  const char *kind;
  int (*load)(key_file *, key *, key_data *,
              const dhops *, kdata *, dstr *, dstr *);
  char *kr;
  key_file *kf;
  fwatch w;
  sym_table tab;
} keyhalf;

/* --- @kh_loadpub@, @kh_loadpriv@ --- *
 *
 * Arguments:   @const dhops *dh@ = Diffie--Hellman operations for key type
 *              @key_file *kf@ = key file from which the key was loaded
 *              @key *k@ = the key object we're loading
 *              @key_data *d@ = the key data to load
 *              @kdata *kd@ = our key-data object to fill in
 *              @dstr *t@ = the key tag name
 *              @dstr *e@ = a string to write error tokens to
 *
 * Returns:     Zero on success, @-1@ on error.
 *
 * Use:         These functions handle the main difference between public and
 *              private key halves.  They are responsible for setting @grp@,
 *              @k@ and @K@ appropriately in all keys, handling the mismatch
 *              between the largely half-indifferent calling code and the
 *              group-specific loading functions.
 *
 *              The function @kh_loadpriv@ is also responsible for checking
 *              the group for goodness.  We don't bother checking public
 *              keys, because each public key we actually end up using must
 *              share a group with a private key which we'll already have
 *              checked.
 */

static int kh_loadpub(key_file *kf, key *k, key_data *d,
                      const dhops *dh, kdata *kd, dstr *t, dstr *e)
{
  int rc;

  if ((rc = dh->ldpub(kf, k, d, kd, t, e)) != 0)
    goto fail_0;
  kd->grp->ops = dh;
  if (kd->grp->ops->checkge(kd->grp, kd->K)) {
    a_format(e, "bad-public-group-element", A_END);
    goto fail_1;
  }
  return (0);

fail_1:
  kd->grp->ops->freege(kd->grp, kd->K);
  kd->grp->ops->freegrp(kd->grp);
fail_0:
  return (-1);
}

static int kh_loadpriv(key_file *kf, key *k, key_data *d,
                       const dhops *dh, kdata *kd, dstr *t, dstr *e)
{
  int rc;
  const char *err;
  dhge *K;
  int ok;

  if ((rc = dh->ldpriv(kf, k, d, kd, t, e)) != 0)
    goto fail_0;
  kd->grp->ops = dh;
  if ((err = kd->grp->ops->checkgrp(kd->grp)) != 0) {
    a_format(e, "bad-group", "%s", err, A_END);
    goto fail_1;
  }
  K = kd->grp->ops->mul(kd->grp, kd->k, 0);
  ok = kd->grp->ops->eq(kd->grp, kd->K, K);
  kd->grp->ops->freege(kd->grp, K);
  if (!ok) {
    a_format(e, "incorrect-public-key", A_END);
    goto fail_1;
  }
  return (0);

fail_1:
  kd->grp->ops->freesc(kd->grp, kd->k);
  kd->grp->ops->freege(kd->grp, kd->K);
  kd->grp->ops->freegrp(kd->grp);
fail_0:
  return (-1);
}

static struct keyhalf
  priv = { "private", kh_loadpriv },
  pub = { "public", kh_loadpub };

/* --- @keymoan@ --- *
 *
 * Arguments:   @const char *file@ = name of the file
 *              @int line@ = line number in file
 *              @const char *msg@ = error message
 *              @void *p@ = argument pointer (indicates which keyring)
 *
 * Returns:     ---
 *
 * Use:         Reports an error message about loading a key file.
 */

static void keymoan(const char *file, int line, const char *msg, void *p)
{
  keyhalf *kh = p;

  if (!line) {
    a_warn("KEYMGMT", "%s-keyring", kh->kind, "%s", file,
           "io-error", "?ERRNO", A_END);
  } else {
    a_warn("KEYMGMT", "%s-keyring", kh->kind, "%s", file, "line", "%d", line,
           "%s", msg, A_END);
  }
}

/* --- @kh_reopen@ --- *
 *
 * Arguments:   @keyhalf *kh@ = pointer to keyhalf structure
 *
 * Returns:     Zero on success, @-1@ on error.
 *
 * Use:         Reopens the key file for the appropriate key half.  If this
 *              fails, everything is left as it was; if it succeeds, then the
 *              old file is closed (if it was non-null) and the new one put
 *              in its place.
 */

static int kh_reopen(keyhalf *kh)
{
  key_file *kf = CREATE(key_file);

  if (key_open(kf, kh->kr, KOPEN_READ, keymoan, kh)) {
    DESTROY(kf);
    return (-1);
  }
  if (kh->kf) {
    key_close(kh->kf);
    DESTROY(kh->kf);
  }
  kh->kf = kf;
  return (0);
}

/* --- @kh_init@ --- *
 *
 * Arguments:   @keyhalf *kh@ = pointer to keyhalf structure to set up
 *              @const char *kr@ = name of the keyring file
 *
 * Returns:     Zero on success, @-1@ on error.
 *
 * Use:         Initialize a keyhalf structure, maintaining the private or
 *              public keys.  Intended to be called during initialization:
 *              exits if there's some kind of problem.
 */

static int kh_init(keyhalf *kh, const char *kr)
{
  if (kh->kf) return (0);
  kh->kr = xstrdup(kr);
  if (kh_reopen(kh)) return (-1);
  fwatch_init(&kh->w, kr);
  sym_create(&kh->tab);
  return (0);
}

/* --- @kh_load@ --- *
 *
 * Arguments:   @keyhalf *kh@ = pointer to keyhalf
 *              @const char *tag@ = key tag to be loaded
 *              @int complainp@ = whether to complain about missing keys
 *
 * Returns:     Pointer to a @kdata@ structure if successful, or null on
 *              failure.
 *
 * Use:         Attempts to load a key from the current key file.  This
 *              function always reads data from the file: it's used when
 *              there's a cache miss from @kh_find@, and when refreshing the
 *              known keys in @kh_refresh@.  The returned kdata has a
 *              reference count of exactly 1, and has no home knode.
 */

static kdata *kh_load(keyhalf *kh, const char *tag, int complainp)
{
  dstr t = DSTR_INIT;
  dstr e = DSTR_INIT;
  key *k;
  key_data **d;
  kdata *kd;
  const char *ty;
  const dhops *dh;
  T( const dhgrp *g; )

  /* --- Find the key and grab its tag --- */

  if (key_qtag(kh->kf, tag, &t, &k, &d)) {
    if (complainp) {
      a_warn("KEYMGMT", "%s-keyring", kh->kind, "%s", kh->kr,
             "key-not-found", "%s", tag, A_END);
    }
    goto fail_0;
  }

  /* --- Find the key's group type and the appropriate operations --- *
   *
   * There are several places to look for the key type.  The most obvious is
   * the `kx-group' key attribute.  But there's also the key type itself, for
   * compatibility reasons.
   */

  ty = key_getattr(kh->kf, k, "kx-group");
  if (!ty && strncmp(k->type, "tripe-", 6) == 0) ty = k->type + 6;
  if (!ty) ty = "dh";

  for (dh = dhtab; dh->name; dh++)
    if (strcmp(dh->name, ty) == 0) goto founddh;
  a_warn("KEYMGMT", "%s-keyring", kh->kind,
         "%s", kh->kr, "key", "%s", t.buf,
         "unknown-group-type", "%s", ty, A_END);
  goto fail_0;

founddh:
  kd = CREATE(kdata);
  if (kh->load(kh->kf, k, *d, dh, kd, &t, &e)) {
    a_warn("KEYMGMT", "%s-keyring", kh->kind,
           "%s", kh->kr, "key", "%s", t.buf,
           "*%s", e.buf, A_END);
    goto fail_1;
  }

  if (algs_get(&kd->algs, &e, kh->kf, k) ||
      algs_check(&kd->algs, &e, kd->grp)) {
    a_warn("KEYMGMT", "%s-keyring", kh->kind,
           "%s", kh->kr, "key", "%s", t.buf,
           "*%s", e.buf, A_END);
    goto fail_2;
  }

  kd->tag = xstrdup(t.buf);
  kd->ref = 1;
  kd->kn = 0;
  kd->id = k->id;
  kd->t_exp = k->exp;

  IF_TRACING(T_KEYMGMT, {
    trace(T_KEYMGMT, "keymgmt: loaded %s key `%s'", kh->kind, t.buf);
    IF_TRACING(T_CRYPTO, {
      g = kd->grp;
      g->ops->tracegrp(g);
      if (kd->k)
        trace(T_CRYPTO, "crypto: k = %s", g->ops->scstr(g, kd->k));
      trace(T_CRYPTO, "crypto: K = %s", g->ops->gestr(g, kd->K));
      trace(T_CRYPTO, "crypto: bulk transform = %s",
            kd->algs.bulk->ops->name);
      kd->algs.bulk->ops->tracealgs(kd->algs.bulk);
    })
  })

  goto done;

fail_2:
  if (kd->k) kd->grp->ops->freesc(kd->grp, kd->k);
  kd->grp->ops->freege(kd->grp, kd->K);
  kd->grp->ops->freegrp(kd->grp);
fail_1:
  DESTROY(kd);
fail_0:
  kd = 0;
done:
  dstr_destroy(&t);
  dstr_destroy(&e);
  return (kd);
}

/* --- @kh_find@ --- *
 *
 * Arguments:   @keyhalf *kh@ = pointer to the keyhalf
 *              @const char *tag@ = key to be obtained
 *              @int complainp@ = whether to complain about missing keys
 *
 * Returns:     A pointer to the kdata, or null on error.
 *
 * Use:         Obtains kdata, maybe from the cache.  This won't update a
 *              stale cache entry, though @kh_refresh@ ought to have done
 *              that already.  The returned kdata object may be shared with
 *              other users.  (One of this function's responsibilities, over
 *              @kh_load@, is to set the home knode of a freshly loaded
 *              kdata.)
 */

static kdata *kh_find(keyhalf *kh, const char *tag, int complainp)
{
  knode *kn;
  kdata *kd;
  unsigned f;

  kn = sym_find(&kh->tab, tag, -1, sizeof(knode), &f);

  if (f) {
    if (kn->f & KNF_BROKEN) {
      T( if (complainp)
           trace(T_KEYMGMT, "keymgmt: key `%s' marked as broken", tag); )
      return (0);
    }

    kd = kn->kd;
    if (kd) kd->ref++;
    T( trace(T_KEYMGMT, "keymgmt: %scache hit for key `%s'",
             kd ? "" : "negative ", tag); )
    return (kd);
  } else {
    kd = kh_load(kh, tag, complainp);
    kn->kd = kd;
    kn->kh = kh;
    kn->f = 0;
    if (!kd)
      kn->f |= KNF_BROKEN;
    else {
      kd->kn = kn;
      kd->ref++;
    }
    return (kd);
  }
}

/* --- @kh_refresh@ --- *
 *
 * Arguments:   @keyhalf *kh@ = pointer to the keyhalf
 *
 * Returns:     Zero if nothing needs to be done; nonzero if peers should
 *              refresh their keys.
 *
 * Use:         Refreshes cached keys from files.
 *
 *              Each active knode is examined to see if a new key is
 *              available: the return value is nonzero if any new keys are.
 *              A key is considered new if its algorithms, public key, or
 *              expiry time are/is different.
 *
 *              Stub knodes (with no kdata attached) are removed, so that a
 *              later retry can succeed if the file has been fixed.  (This
 *              doesn't count as a change, since no peers should be relying
 *              on a nonexistent key.)
 */

static int kh_refresh(keyhalf *kh)
{
  knode *kn;
  kdata *kd;
  sym_iter i;
  int changep = 0;

  if (!fwatch_update(&kh->w, kh->kr) || kh_reopen(kh))
    return (0);

  T( trace(T_KEYMGMT, "keymgmt: rescan %s keyring `%s'", kh->kind, kh->kr); )
  for (sym_mkiter(&i, &kh->tab); (kn = sym_next(&i)) != 0; ) {
    if (!kn->kd) {
      T( trace(T_KEYMGMT, "keymgmt: discard stub entry for key `%s'",
               SYM_NAME(kn)); )
      sym_remove(&kh->tab, kn);
      continue;
    }
    if ((kd = kh_load(kh, SYM_NAME(kn), 1)) == 0) {
      if (!(kn->f & KNF_BROKEN)) {
        T( trace(T_KEYMGMT, "keymgmt: failed to load new key `%s': "
                 "marking it as broken",
                 SYM_NAME(kn)); )
        kn->f |= KNF_BROKEN;
      }
      continue;
    }
    kn->f &= ~KNF_BROKEN;
    if (kd->t_exp == kn->kd->t_exp &&
        km_samealgsp(kd, kn->kd) &&
        kd->grp->ops->eq(kd->grp, kd->K, kn->kd->K)) {
      T( trace(T_KEYMGMT, "keymgmt: key `%s' unchanged", SYM_NAME(kn)); )
      continue;
    }
    T( trace(T_KEYMGMT, "keymgmt: loaded new version of key `%s'",
             SYM_NAME(kn)); )
    km_unref(kn->kd);
    kd->kn = kn;
    kn->kd = kd;
    changep = 1;
  }

  return (changep);
}

/* --- @kh_clear@ --- *
 *
 * Arguments:   @keyhalf *kh@ = pointer to keyhalf structure
 *
 * Returns:     ---
 *
 * Use:         Clears out the keyhalf's keyring and flushes the cache.
 */

static void kh_clear(keyhalf *kh)
{
  sym_iter i;
  knode *kn;

  if (!kh->kf) return;
  for (sym_mkiter(&i, &kh->tab); (kn = sym_next(&i)) != 0; )
    if (kn->kd) km_unref(kn->kd);
  sym_destroy(&kh->tab);
  key_close(kh->kf);
  xfree(kh->kr);
  kh->kf = 0;
}

/*----- Main code ---------------------------------------------------------*/

char *tag_priv = 0;
kdata *master = 0;

/* --- @km_init@ --- *
 *
 * Arguments:   @const char *privkr@ = private keyring file
 *              @const char *pubkr@ = public keyring file
 *              @const char *ptag@ = default private-key tag
 *
 * Returns:     Zero on success, @-1@ on failure.
 *
 * Use:         Initializes the key-management machinery, loading the
 *              keyrings and so on.
 */

int km_init(const char *privkr, const char *pubkr, const char *ptag)
{
  const gchash *const *hh;
  kdata *kd;

  for (hh = ghashtab; *hh; hh++) {
    if ((*hh)->hashsz > MAXHASHSZ) {
      a_warn("ABORT", "hash-size-too-large", "hash",
             "%s", (*hh)->name, "size", "%lu", (*hh)->hashsz,
             "limit", "%d", MAXHASHSZ, A_END);
      abort();
    }
  }

  if (kh_init(&priv, privkr) || kh_init(&pub, pubkr))
    return (-1);

  tag_priv = ptag ? xstrdup(ptag) : 0;
  kh_refresh(&priv);

  if ((kd = km_findpriv(tag_priv)) == 0) return (-1);
  if (master) km_unref(master);
  master = kd;

  return (0);
}

/* --- @km_reload@ --- *
 *
 * Arguments:   ---
 *
 * Returns:     Zero if OK, nonzero to force reloading of keys.
 *
 * Use:         Checks the keyrings to see if they need reloading.
 */

int km_reload(void)
{
  int changep = 0;
  kdata *kd;

  if (kh_refresh(&priv)) {
    changep = 1;
    kd = master->kn->kd;
    if (kd != master) {
      km_unref(master);
      km_ref(kd);
      master = kd;
    }
  }
  if (kh_refresh(&pub))
    changep = 1;
  return (changep);
}

/* --- @km_clear@ --- *
 *
 * Arguments:   ---
 *
 * Returns:     ---
 *
 * Use:         Forget the currently loaded keyrings.  The @master@ key will
 *              be cleared, but other keys already loaded will continue to
 *              exist until their reference count drops to zero.  Call
 *              @km_init@ to make everything work again.
 */

void km_clear(void)
{
  kh_clear(&priv);
  kh_clear(&pub);
  if (master) { km_unref(master); master = 0; }
  if (tag_priv) { xfree(tag_priv); tag_priv = 0; }
}

/* --- @km_findpub@, @km_findpriv@ --- *
 *
 * Arguments:   @const char *tag@ = key tag to load
 *
 * Returns:     Pointer to the kdata object if successful, or null on error.
 *
 * Use:         Fetches a public or private key from the keyring.
 */

kdata *km_findpub(const char *tag) { return (kh_find(&pub, tag, 1)); }

kdata *km_findpriv(const char *tag)
{
  kdata *kd;

  /* Unpleasantness for the sake of compatibility. */
  if (!tag && (kd = kh_find(&priv, "tripe", 0)) != 0) return (kd);
  else return (kh_find(&priv, tag ? tag : "tripe-dh", 1));
}

/* --- @km_findpubbyid@, @km_findprivbyid@ --- *
 *
 * Arguments:   @uint32 id@ = key id to load
 *
 * Returns:     Pointer to the kdata object if successful, or null on error.
 *
 * Use:         Fetches a public or private key from the keyring given its
 *              numeric id.
 */

static kdata *findbyid(keyhalf *kh, uint32 id)
{
  key *k;
  kdata *kd;

  k = key_byid(kh->kf, id); if (!k) goto notfound;
  kd = kh_find(kh, k->tag, 1); if (!kd) goto notfound;
  if (kd->id != id) { km_unref(kd); goto notfound; }
  return (kd);

notfound:
  a_warn("KX", "%s-keyring", kh->kind, "%s", kh->kr,
         "unknown-key-id", "0x%08lx", (unsigned long)id,
         A_END);
  return (0);
}

kdata *km_findpubbyid(uint32 id) { return (findbyid(&pub, id)); }

kdata *km_findprivbyid(uint32 id)
{
  if (id == master->id) { km_ref(master); return (master); }
  else return findbyid(&priv, id);
}

/* --- @km_tag@ --- *
 *
 * Arguments:   @kdata *kd@ - pointer to the kdata object
 *
 * Returns:     A pointer to the short tag by which the kdata was loaded.
 */

const char *km_tag(kdata *kd) { return (SYM_NAME(kd->kn)); }

/* --- @km_ref@ --- *
 *
 * Arguments:   @kdata *kd@ = pointer to the kdata object
 *
 * Returns:     ---
 *
 * Use:         Claim a new reference to a kdata object.
 */

void km_ref(kdata *kd) { kd->ref++; }

/* --- @km_unref@ --- *
 *
 * Arguments:   @kdata *kd@ = pointer to the kdata object
 *
 * Returns:     ---
 *
 * Use:         Releases a reference to a kdata object.
 */

void km_unref(kdata *kd)
{
  if (--kd->ref) return;
  if (kd->k) kd->grp->ops->freesc(kd->grp, kd->k);
  kd->grp->ops->freege(kd->grp, kd->K);
  kd->grp->ops->freegrp(kd->grp);
  xfree(kd->tag);
  DESTROY(kd);
}

/*----- That's all, folks -------------------------------------------------*/