X-Git-Url: https://git.distorted.org.uk/~mdw/tripe/blobdiff_plain/00e64b67d321bf53224d546dcba58c52834a7b79..c55f55afc693f452bcfa2ddd2af50d3216a9c951:/keymgmt.c diff --git a/keymgmt.c b/keymgmt.c index 54a31b0b..e05706ac 100644 --- a/keymgmt.c +++ b/keymgmt.c @@ -1,6 +1,6 @@ /* -*-c-*- * - * $Id: keymgmt.c,v 1.3 2001/06/22 19:40:36 mdw Exp $ + * $Id: keymgmt.c,v 1.6 2004/04/18 18:08:11 mdw Exp $ * * Key loading and storing * @@ -26,28 +26,15 @@ * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. */ -/*----- Revision history --------------------------------------------------* - * - * $Log: keymgmt.c,v $ - * Revision 1.3 2001/06/22 19:40:36 mdw - * Support expiry of other peers' public keys. - * - * Revision 1.2 2001/06/19 22:07:09 mdw - * Cosmetic fixes. - * - * Revision 1.1 2001/02/03 20:26:37 mdw - * Initial checkin. - * - */ - /*----- Header files ------------------------------------------------------*/ #include "tripe.h" /*----- Global variables --------------------------------------------------*/ -mpmont mg; -dh_priv kpriv; +group *gg; +mp *kpriv; +algswitch algs; /*----- Static variables --------------------------------------------------*/ @@ -55,6 +42,250 @@ static key_file *kf_pub; static const char *kr_priv, *kr_pub, *tag_priv; static fwatch w_priv, w_pub; +/*----- Key groups --------------------------------------------------------*/ + +typedef struct kgops { + const char *ty; + const char *(*loadpriv)(key_data *, group **, mp **, dstr *); + const char *(*loadpub)(key_data *, group **, ge **, dstr *); +} kgops; + +/* --- Diffie-Hellman --- */ + +static const char *kgdh_priv(key_data *kd, group **g, mp **x, dstr *t) +{ + key_packstruct kps[DH_PRIVFETCHSZ]; + key_packdef *kp; + dh_priv dp; + const char *e; + int rc; + + kp = key_fetchinit(dh_privfetch, kps, &dp); + if ((rc = key_unpack(kp, kd, t)) != 0) { + e = key_strerror(rc); + goto done; + } + *g = group_prime(&dp.dp); + *x = MP_COPY(dp.x); + e = 0; +done: + key_fetchdone(kp); + return (e); +} + +static const char *kgdh_pub(key_data *kd, group **g, ge **p, dstr *t) +{ + key_packstruct kps[DH_PUBFETCHSZ]; + key_packdef *kp; + dh_pub dp; + const char *e; + int rc; + + kp = key_fetchinit(dh_pubfetch, kps, &dp); + if ((rc = key_unpack(kp, kd, t)) != 0) { + e = key_strerror(rc); + goto done; + } + *g = group_prime(&dp.dp); + *p = G_CREATE(*g); + if (G_FROMINT(*g, *p, dp.y)) { + e = "bad public value"; + goto done; + } + e = 0; +done: + key_fetchdone(kp); + return (e); +} + +static const kgops kgdh_ops = { "tripe-dh", kgdh_priv, kgdh_pub }; + +/* --- Elliptic curve --- */ + +static const char *kgec_priv(key_data *kd, group **g, mp **x, dstr *t) +{ + key_packstruct kps[EC_PRIVFETCHSZ]; + key_packdef *kp; + ec_priv ep; + ec_info ei; + const char *e; + int rc; + + kp = key_fetchinit(ec_privfetch, kps, &ep); + if ((rc = key_unpack(kp, kd, t)) != 0) { + e = key_strerror(rc); + goto done; + } + if ((e = ec_getinfo(&ei, ep.cstr)) != 0) + goto done; + *g = group_ec(&ei); + *x = MP_COPY(ep.x); + e = 0; +done: + key_fetchdone(kp); + return (e); +} + +static const char *kgec_pub(key_data *kd, group **g, ge **p, dstr *t) +{ + key_packstruct kps[EC_PUBFETCHSZ]; + key_packdef *kp; + ec_pub ep; + ec_info ei; + const char *e; + int rc; + + kp = key_fetchinit(ec_pubfetch, kps, &ep); + if ((rc = key_unpack(kp, kd, t)) != 0) { + e = key_strerror(rc); + goto done; + } + if ((e = ec_getinfo(&ei, ep.cstr)) != 0) + goto done; + *g = group_ec(&ei); + *p = G_CREATE(*g); + if (G_FROMEC(*g, *p, &ep.p)) { + e = "bad public point"; + goto done; + } + e = 0; +done: + key_fetchdone(kp); + return (e); +} + +static const kgops kgec_ops = { "tripe-ec", kgec_priv, kgec_pub }; + +/* --- Table of supported key types --- */ + +static const kgops *kgtab[] = { &kgdh_ops, &kgec_ops, 0 }; + +/*----- Algswitch stuff ---------------------------------------------------*/ + +/* --- @algs_get@ --- * + * + * Arguments: @algswitch *a@ = where to put the algorithms + * @key_file *kf@ = key file (for some stupid reason) + * @key *k@ = key to inspect + * + * Returns: Null if OK, or an error message. + * + * Use: Extracts an algorithm choice from a key. + */ + +static const char *algs_get(algswitch *a, key_file *kf, key *k) +{ + const char *p; + char *q; + dstr d = DSTR_INIT; + const char *e; + +#define FAIL(msg) do { e = msg; goto done; } while (0) + + if ((p = key_getattr(kf, k, "cipher")) == 0) + p = "blowfish-cbc"; + if ((a->c = gcipher_byname(p)) == 0) + FAIL("unknown cipher"); + + if ((p = key_getattr(kf, k, "hash")) == 0) + p = "rmd160"; + if ((a->h = ghash_byname(p)) == 0) + FAIL("unknown hash function"); + + if ((p = key_getattr(kf, k, "mgf")) != 0) { + dstr_reset(&d); + dstr_putf(&d, "%s-mgf"); + p = d.buf; + } + if ((a->mgf = gcipher_byname(p)) == 0) + FAIL("unknown MGF cipher"); + + if ((p = key_getattr(kf, k, "mac")) != 0) { + dstr_reset(&d); + dstr_puts(&d, p); + if ((q = strchr(d.buf, '/')) != 0) + *q++ = 0; + if ((a->m = gmac_byname(d.buf)) == 0) + FAIL("unknown message authentication code"); + if (!q) + a->tagsz = a->m->hashsz; + else { + unsigned long n = strtoul(q, &q, 0); + if (*q) FAIL("bad tag length string"); + if (n%8 || n > ~(size_t)0) FAIL("bad tag length"); + a->tagsz = n/8; + } + } else { + dstr_reset(&d); + dstr_putf(&d, "%s-hmac", a->h->name); + if ((a->m = gmac_byname(d.buf)) == 0) + FAIL("failed to derive HMAC from hash function"); + a->tagsz = a->h->hashsz/2; + } + + e = 0; +done: + dstr_destroy(&d); + return (e); +} + +/* --- @algs_check@ --- * + * + * Arguments: @algswitch *a@ = a choice of algorithms + * @const group *g@ = the group we're working in + * + * Returns: Null if OK, or an error message. + * + * Use: Checks an algorithm choice for sensibleness. This also + * derives some useful information from the choices, and you + * must call this before committing the algorithm selection + * for use by @keyset@ functions. + */ + +static const char *algs_check(algswitch *a, const group *g) +{ + /* --- Derive the key sizes --- * + * + * Must ensure that we have non-empty keys. This isn't ideal, but it + * provides a handy sanity check. + */ + + a->hashsz = a->h->hashsz; + if ((a->cksz = keysz(a->hashsz, a->c->keysz)) == 0) + return ("no key size found for cipher"); + if ((a->mksz = keysz(a->hashsz, a->m->keysz)) == 0) + return ("no key size found for MAC"); + + /* --- Ensure that the tag size is sane --- */ + + if (a->tagsz > a->m->hashsz) return ("tag length too large"); + + /* --- Ensure the MGF accepts hashes as keys --- */ + + if (keysz(a->hashsz, a->mgf->keysz) != a->hashsz) + return ("MGF not suitable -- restrictive key schedule"); + + /* --- All ship-shape and Bristol-fashion --- */ + + return (0); +} + +/* --- @algs_samep@ --- * + * + * Arguments: @const algswitch *a, *aa@ = two algorithm selections + * + * Returns: Nonzero if the two selections are the same. + * + * Use: Checks sameness of algorithm selections: used to ensure that + * peers are using sensible algorithms. + */ + +static int algs_samep(const algswitch *a, const algswitch *aa) +{ + return (a->c == aa->c && a->mgf == aa->mgf && a->h == aa->h && + a->m == aa->m && a->tagsz == aa->tagsz); +} + /*----- Main code ---------------------------------------------------------*/ /* --- @keymoan@ --- * @@ -70,60 +301,128 @@ static fwatch w_priv, w_pub; */ static void keymoan(const char *file, int line, const char *msg, void *p) -{ - a_warn("%s:%i: error: %s", file, line, msg); -} + { a_warn("%s:%i: error: %s", file, line, msg); } /* --- @loadpriv@ --- * * * Arguments: @dstr *d@ = string to write errors in - * @dh_priv *dh@ = where to store the key * * Returns: Zero if OK, nonzero on error. * * Use: Loads the private key from its keyfile. */ -static int loadpriv(dstr *d, dh_priv *dh) +static int loadpriv(dstr *d) { key_file kf; - key_packstruct kps[DH_PRIVFETCHSZ]; - key_packdef *kp; - dh_priv mydh; - int rc = 0; - int e; + key *k; + key_data *kd; + dstr t = DSTR_INIT; + group *g = 0; + mp *x = 0; + int rc = -1; + const kgops **ko; + const char *e; + algswitch a; + + /* --- Open the private key file --- */ if (key_open(&kf, kr_priv, KOPEN_READ, keymoan, 0)) { dstr_putf(d, "error reading private keyring `%s': %s", kr_priv, strerror(errno)); - rc = -1; - } else { - T( trace(T_KEYMGMT, "keymgmt: loaded private keyring `%s'", kr_priv); ) - kp = key_fetchinit(dh_privfetch, kps, &mydh); - if ((e = key_fetchbyname(kp, &kf, tag_priv)) != 0) { - dstr_putf(d, "error loading private key `%s': %s", - tag_priv, key_strerror(e)); - rc = -1; - } else { - dh->dp.p = MP_COPY(mydh.dp.p); - dh->dp.q = MP_COPY(mydh.dp.q); - dh->dp.g = MP_COPY(mydh.dp.g); - dh->x = MP_COPY(mydh.x); - dh->y = MP_COPY(mydh.y); - IF_TRACING(T_KEYMGMT, { - trace(T_KEYMGMT, "keymgmt: extracted private key `%s'", tag_priv); - IF_TRACING(T_CRYPTO, { - trace(T_CRYPTO, "crypto: p = %s", mpstr(kpriv.dp.p)); - trace(T_CRYPTO, "crypto: q = %s", mpstr(kpriv.dp.q)); - trace(T_CRYPTO, "crypto: g = %s", mpstr(kpriv.dp.g)); - trace(T_CRYPTO, "crypto: x = %s", mpstr(kpriv.x)); - trace(T_CRYPTO, "crypto: g^x = %s", mpstr(kpriv.y)); - }) - }) + goto done_0; + } + + /* --- Find the private key --- */ + + if (key_qtag(&kf, tag_priv, &t, &k, &kd)) { + dstr_putf(d, "private key `%s' not found in keyring `%s'", + tag_priv, kr_priv); + goto done_1; + } + + /* --- Look up the key type in the table --- */ + + for (ko = kgtab; *ko; ko++) { + if (strcmp((*ko)->ty, k->type) == 0) + goto tymatch; + } + dstr_putf(d, "private key `%s' has unknown type `%s'", t.buf, k->type); + goto done_1; +tymatch:; + + /* --- Load the key --- */ + + if ((e = (*ko)->loadpriv(kd, &g, &x, &t)) != 0) { + dstr_putf(d, "error reading private key `%s': %s", t.buf, e); + goto done_1; + } + + /* --- Check that the key is sensible --- */ + + if ((e = G_CHECK(g, &rand_global)) != 0) { + dstr_putf(d, "bad group in private key `%s': %s", t.buf, e); + goto done_1; + } + + /* --- Collect the algorithms --- */ + + if ((e = algs_get(&a, &kf, k)) != 0 || + (e = algs_check(&a, g)) != 0) { + dstr_putf(d, "bad symmetric algorithm selection in private key `%s': %s", + t.buf, e); + goto done_1; + } + + /* --- Good, we're happy --- * + * + * Dodginess! We change the group over here, but don't free any old group + * elements. This assumes that the new group is basically the same as the + * old one, and will happily adopt the existing elements. If it isn't, + * then we lose badly. Check this, then. + */ + + if (gg) { + if (!group_samep(g, gg)) { + dstr_putf(d, "private key `%s' has different group", t.buf); + goto done_1; } - key_fetchdone(kp); - key_close(&kf); + G_DESTROYGROUP(gg); } + if (kpriv) + mp_drop(kpriv); + + /* --- Dump out the group --- */ + + IF_TRACING(T_KEYMGMT, { + trace(T_KEYMGMT, "keymgmt: extracted private key `%s'", t.buf); + IF_TRACING(T_CRYPTO, { + trace(T_CRYPTO, "crypto: r = %s", mpstr(g->r)); + trace(T_CRYPTO, "crypto: h = %s", mpstr(g->h)); + trace(T_CRYPTO, "crypto: x = %s", mpstr(x)); + trace(T_CRYPTO, "crypto: cipher = %s", a.c->name); + trace(T_CRYPTO, "crypto: mgf = %s", a.mgf->name); + trace(T_CRYPTO, "crypto: hash = %s", a.h->name); + trace(T_CRYPTO, "crypto: mac = %s/%lu", + a.m->name, (unsigned long)a.tagsz * 8); + }) + }) + + /* --- Success! --- */ + + gg = g; g = 0; + algs = a; + kpriv = x; x = 0; + rc = 0; + + /* --- Tidy up --- */ + +done_1: + key_close(&kf); +done_0: + dstr_destroy(&t); + if (x) mp_drop(x); + if (g) G_DESTROYGROUP(g); return (rc); } @@ -163,7 +462,6 @@ static int loadpub(dstr *d) int km_interval(void) { dstr d = DSTR_INIT; - dh_priv dh; key_file *kf; int reload = 0; @@ -172,15 +470,10 @@ int km_interval(void) if (fwatch_update(&w_priv, kr_priv)) { T( trace(T_KEYMGMT, "keymgmt: private keyring updated: reloading..."); ) DRESET(&d); - if (loadpriv(&d, &dh)) + if (loadpriv(&d)) a_warn("%s -- ignoring changes", d.buf); - else { + else reload = 1; - mpmont_destroy(&mg); - dh_privfree(&kpriv); - kpriv = dh; - mpmont_create(&mg, kpriv.dp.p); - } } /* --- Now check the public keys --- */ @@ -217,6 +510,7 @@ int km_interval(void) void km_init(const char *priv, const char *pub, const char *tag) { dstr d = DSTR_INIT; + const gchash *const *hh; kr_priv = priv; kr_pub = pub; @@ -224,10 +518,16 @@ void km_init(const char *priv, const char *pub, const char *tag) fwatch_init(&w_priv, kr_priv); fwatch_init(&w_pub, kr_pub); + for (hh = ghashtab; *hh; hh++) { + if ((*hh)->hashsz > MAXHASHSZ) { + die(EXIT_FAILURE, "INTERNAL ERROR: %s hash length %lu > MAXHASHSZ %d", + (*hh)->name, (unsigned long)(*hh)->hashsz, MAXHASHSZ); + } + } + DRESET(&d); - if (loadpriv(&d, &kpriv)) + if (loadpriv(&d)) die(EXIT_FAILURE, "%s", d.buf); - mpmont_create(&mg, kpriv.dp.p); if (loadpub(&d)) die(EXIT_FAILURE, "%s", d.buf); } @@ -235,7 +535,7 @@ void km_init(const char *priv, const char *pub, const char *tag) /* --- @km_getpubkey@ --- * * * Arguments: @const char *tag@ = public key tag to load - * @dh_pub *kpub@ = where to put the public key + * @ge *kpub@ = where to put the public key * @time_t *t_exp@ = where to put the expiry time * * Returns: Zero if OK, nonzero if it failed. @@ -243,45 +543,91 @@ void km_init(const char *priv, const char *pub, const char *tag) * Use: Fetches a public key from the keyring. */ -int km_getpubkey(const char *tag, dh_pub *kpub, time_t *t_exp) +int km_getpubkey(const char *tag, ge *kpub, time_t *t_exp) { - key_packstruct kps[DH_PUBFETCHSZ]; - key_packdef *kp; key *k; - dh_pub dp; - int e; + key_data *kd; + dstr t = DSTR_INIT; + const kgops **ko; + const char *e; + group *g = 0; + ge *p = 0; + algswitch a; + int rc = -1; + + /* --- Find the key --- */ + + if (key_qtag(kf_pub, tag, &t, &k, &kd)) { + a_warn("public key `%s' not found in keyring `%s'", tag, kr_pub); + goto done; + } - kp = key_fetchinit(dh_pubfetch, kps, &dp); - if ((k = key_bytag(kf_pub, tag)) == 0) - e = KERR_NOTFOUND; - else - e = key_fetch(kp, k); - key_fetchdone(kp); - if (e) { - a_warn("error loading public key `%s': %s", tag, key_strerror(e)); - return (-1); + /* --- Look up the key type in the table --- */ + + for (ko = kgtab; *ko; ko++) { + if (strcmp((*ko)->ty, k->type) == 0) + goto tymatch; + } + a_warn("public key `%s' has unknown type `%s'", t.buf, k->type); + goto done; +tymatch:; + + /* --- Load the key --- */ + + if ((e = (*ko)->loadpub(kd, &g, &p, &t)) != 0) { + a_warn("error reading public key `%s': %s", t.buf, e); + goto done; + } + + /* --- Ensure that the group is correct --- * + * + * Dodginess! We assume that if this works, our global group is willing to + * adopt this public element. Probably reasonable. + */ + + if (!group_samep(gg, g)) { + a_warn("public key `%s' has incorrect group", t.buf); + goto done; + } + + /* --- Check the public group element --- */ + + if (group_check(gg, p)) { + a_warn("public key `%s' has bad public group element", t.buf); + goto done; + } + + /* --- Check the algorithms --- */ + + if ((e = algs_get(&a, kf_pub, k)) != 0) { + a_warn("public key `%s' has bad algorithm selection: %s", t.buf, e); + goto done; + } + if (!algs_samep(&a, &algs)) { + a_warn("public key `%s' specifies different algorithms", t.buf); + goto done; } + + /* --- Dump the public key --- */ + IF_TRACING(T_KEYMGMT, { - trace(T_KEYMGMT, "keymgmt: extracted public key `%s'", tag); - IF_TRACING(T_CRYPTO, { - trace(T_CRYPTO, "crypto: p = %s", mpstr(dp.dp.p)); - trace(T_CRYPTO, "crypto: q = %s", mpstr(dp.dp.q)); - trace(T_CRYPTO, "crypto: g = %s", mpstr(dp.dp.g)); - trace(T_CRYPTO, "crypto: g^x = %s", mpstr(dp.y)); - }) + trace(T_KEYMGMT, "keymgmt: extracted public key `%s'", t.buf); + trace(T_CRYPTO, "crypto: p = %s", gestr(gg, p)); }) - if (!mp_eq(dp.dp.p, kpriv.dp.p) || - !mp_eq(dp.dp.q, kpriv.dp.q) || - !mp_eq(dp.dp.g, kpriv.dp.g)) { - a_warn("public key `%s' has different group from private key", tag); - return (-1); - } - kpub->dp.p = MP_COPY(dp.dp.p); - kpub->dp.q = MP_COPY(dp.dp.q); - kpub->dp.g = MP_COPY(dp.dp.g); - kpub->y = MP_COPY(dp.y); + + /* --- OK, accept the public key --- */ + *t_exp = k->exp; - return (0); + G_COPY(gg, kpub, p); + rc = 0; + + /* --- Tidy up --- */ + +done: + if (p) G_DESTROY(g, p); + if (g) G_DESTROYGROUP(g); + dstr_destroy(&t); + return (rc); } /*----- That's all, folks -------------------------------------------------*/