search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Ensure signing_key is non-NULL before accessing one of its members
[tor.git] / src / or / routerkeys.c
blobe79204cf09d1c86f3a486a1d9fee4b5c3084a7b0
1 /* Copyright (c) 2014, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3
4 #include "or.h"
5 #include "config.h"
6 #include "router.h"
7 #include "routerkeys.h"
8 #include "torcert.h"
9
10 /**
11 * Read an ed25519 key and associated certificates from files beginning with
12 * <b>fname</b>, with certificate type <b>cert_type</b>. On failure, return
13 * NULL; on success return the keypair.
14 *
15 * If INIT_ED_KEY_CREATE is set in <b>flags</b>, then create the key (and
16 * certificate if requested) if it doesn't exist, and save it to disk.
17 *
18 * If INIT_ED_KEY_NEEDCERT is set in <b>flags</b>, load/create a certificate
19 * too and store it in *<b>cert_out</b>. Fail if the cert can't be
20 * found/created. To create a certificate, <b>signing_key</b> must be set to
21 * the key that should sign it; <b>now</b> to the current time, and
22 * <b>lifetime</b> to the lifetime of the key.
23 *
24 * If INIT_ED_KEY_REPLACE is set in <b>flags</b>, then create and save new key
25 * whether we can read the old one or not.
26 *
27 * If INIT_ED_KEY_EXTRA_STRONG is set in <b>flags</b>, set the extra_strong
28 * flag when creating the secret key.
29 *
30 * If INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT is set in <b>flags</b>, and
31 * we create a new certificate, create it with the signing key embedded.
32 *
33 * If INIT_ED_KEY_SPLIT is set in <b>flags</b>, and we create a new key,
34 * store the public key in a separate file from the secret key.
35 *
36 * If INIT_ED_KEY_MISSING_SECRET_OK is set in <b>flags</b>, and we find a
37 * public key file but no secret key file, return successfully anyway.
38 *
39 * If INIT_ED_KEY_OMIT_SECRET is set in <b>flags</b>, do not even try to
40 * load or return a secret key (but create and save on if needed).
41 */
42 ed25519_keypair_t *
43 ed_key_init_from_file(const char *fname, uint32_t flags,
44 int severity,
45 const ed25519_keypair_t *signing_key,
46 time_t now,
47 time_t lifetime,
48 uint8_t cert_type,
49 struct tor_cert_st **cert_out)
50 {
51 char *secret_fname = NULL;
52 char *public_fname = NULL;
53 char *cert_fname = NULL;
54 int created_pk = 0, created_sk = 0, created_cert = 0;
55 const int try_to_load = ! (flags & INIT_ED_KEY_REPLACE);
56
57 char tag[8];
58 tor_snprintf(tag, sizeof(tag), "type%d", (int)cert_type);
59
60 tor_cert_t *cert = NULL;
61 char *got_tag = NULL;
62 ed25519_keypair_t *keypair = tor_malloc_zero(sizeof(ed25519_keypair_t));
63
64 tor_asprintf(&secret_fname, "%s_secret_key", fname);
65 tor_asprintf(&public_fname, "%s_public_key", fname);
66 tor_asprintf(&cert_fname, "%s_cert", fname);
67
68 /* Try to read the secret key. */
69 const int have_secret = try_to_load &&
70 !(flags & INIT_ED_KEY_OMIT_SECRET) &&
71 ed25519_seckey_read_from_file(&keypair->seckey,
72 &got_tag, secret_fname) == 0;
73
74 if (have_secret) {
75 if (strcmp(got_tag, tag)) {
76 tor_log(severity, LD_OR, "%s has wrong tag", secret_fname);
77 goto err;
78 }
79 /* Derive the public key */
80 if (ed25519_public_key_generate(&keypair->pubkey, &keypair->seckey)<0) {
81 tor_log(severity, LD_OR, "%s can't produce a public key", secret_fname);
82 goto err;
83 }
84 }
85
86 /* If it's absent and that's okay, try to read the pubkey. */
87 int found_public = 0;
88 if (!have_secret && try_to_load) {
89 tor_free(got_tag);
90 found_public = ed25519_pubkey_read_from_file(&keypair->pubkey,
91 &got_tag, public_fname) == 0;
92 if (found_public && strcmp(got_tag, tag)) {
93 tor_log(severity, LD_OR, "%s has wrong tag", public_fname);
94 goto err;
95 }
96 }
97
98 /* If the secret key is absent and it's not allowed to be, fail. */
99 if (!have_secret && found_public && !(flags & INIT_ED_KEY_MISSING_SECRET_OK))
100 goto err;
101
102 /* If it's absent, and we're not supposed to make a new keypair, fail. */
103 if (!have_secret && !found_public && !(flags & INIT_ED_KEY_CREATE))
104 goto err;
105
106 /* if it's absent, make a new keypair and save it. */
107 if (!have_secret && !found_public) {
108 const int split = !! (flags & INIT_ED_KEY_SPLIT);
109 tor_free(keypair);
110 keypair = ed_key_new(signing_key, flags, now, lifetime,
111 cert_type, &cert);
112 if (!keypair) {
113 tor_log(severity, LD_OR, "Couldn't create keypair");
114 goto err;
115 }
116
117 created_pk = created_sk = created_cert = 1;
118 if (ed25519_seckey_write_to_file(&keypair->seckey, secret_fname, tag) < 0
119 ||
120 (split &&
121 ed25519_pubkey_write_to_file(&keypair->pubkey, public_fname, tag) < 0)
122 ||
123 (cert &&
124 crypto_write_tagged_contents_to_file(cert_fname, "ed25519v1-cert",
125 tag, cert->encoded, cert->encoded_len) < 0)) {
126 tor_log(severity, LD_OR, "Couldn't write keys or cert to file.");
127 goto err;
128 }
129 goto done;
130 }
131
132 /* If we're not supposed to get a cert, we're done. */
133 if (! (flags & INIT_ED_KEY_NEEDCERT))
134 goto done;
135
136 /* Read a cert. */
137 tor_free(got_tag);
138 uint8_t certbuf[256];
139 ssize_t cert_body_len = crypto_read_tagged_contents_from_file(
140 cert_fname, "ed25519v1-cert",
141 &got_tag, certbuf, sizeof(certbuf));
142 if (cert_body_len >= 0 && !strcmp(got_tag, tag))
143 cert = tor_cert_parse(certbuf, cert_body_len);
144
145 /* If we got it, check it to the extent we can. */
146 int bad_cert = 0;
147
148 if (! cert) {
149 tor_log(severity, LD_OR, "Cert was unparseable");
150 bad_cert = 1;
151 } else if (!tor_memeq(cert->signed_key.pubkey, keypair->pubkey.pubkey,
152 ED25519_PUBKEY_LEN)) {
153 tor_log(severity, LD_OR, "Cert was for wrong key");
154 bad_cert = 1;
155 } else if (signing_key &&
156 tor_cert_checksig(cert, &signing_key->pubkey, now) < 0 &&
157 (signing_key || cert->cert_expired)) {
158 tor_log(severity, LD_OR, "Can't check certificate");
159 bad_cert = 1;
160 }
161
162 if (bad_cert) {
163 tor_cert_free(cert);
164 cert = NULL;
165 }
166
167 /* If we got a cert, we're done. */
168 if (cert)
169 goto done;
170
171 /* If we didn't get a cert, and we're not supposed to make one, fail. */
172 if (!signing_key || !(flags & INIT_ED_KEY_CREATE))
173 goto err;
174
175 /* We have keys but not a certificate, so make one. */
176 uint32_t cert_flags = 0;
177 if (flags & INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT)
178 cert_flags |= CERT_FLAG_INCLUDE_SIGNING_KEY;
179 cert = tor_cert_create(signing_key, cert_type,
180 &keypair->pubkey,
181 now, lifetime,
182 cert_flags);
183
184 if (! cert)
185 goto err;
186
187 /* Write it to disk. */
188 created_cert = 1;
189 if (crypto_write_tagged_contents_to_file(cert_fname, "ed25519v1-cert",
190 tag, cert->encoded, cert->encoded_len) < 0) {
191 tor_log(severity, LD_OR, "Couldn't write cert to disk.");
192 goto err;
193 }
194
195 done:
196 if (cert_out)
197 *cert_out = cert;
198 else
199 tor_cert_free(cert);
200
201 goto cleanup;
202
203 err:
204 if (keypair)
205 memwipe(keypair, 0, sizeof(*keypair));
206 tor_free(keypair);
207 tor_cert_free(cert);
208 if (cert_out)
209 *cert_out = NULL;
210 if (created_sk)
211 unlink(secret_fname);
212 if (created_pk)
213 unlink(public_fname);
214 if (created_cert)
215 unlink(cert_fname);
216
217 cleanup:
218 tor_free(secret_fname);
219 tor_free(public_fname);
220 tor_free(cert_fname);
221 tor_free(got_tag);
222
223 return keypair;
224 }
225
226 /**
227 * Create a new signing key and (optionally) certficiate; do not read or write
228 * from disk. See ed_key_init_from_file() for more information.
229 */
230 ed25519_keypair_t *
231 ed_key_new(const ed25519_keypair_t *signing_key,
232 uint32_t flags,
233 time_t now,
234 time_t lifetime,
235 uint8_t cert_type,
236 struct tor_cert_st **cert_out)
237 {
238 if (cert_out)
239 *cert_out = NULL;
240
241 const int extra_strong = !! (flags & INIT_ED_KEY_EXTRA_STRONG);
242 ed25519_keypair_t *keypair = tor_malloc_zero(sizeof(ed25519_keypair_t));
243 if (ed25519_keypair_generate(keypair, extra_strong) < 0)
244 goto err;
245
246 if (! (flags & INIT_ED_KEY_NEEDCERT))
247 return keypair;
248
249 tor_assert(signing_key);
250 tor_assert(cert_out);
251 uint32_t cert_flags = 0;
252 if (flags & INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT)
253 cert_flags |= CERT_FLAG_INCLUDE_SIGNING_KEY;
254 tor_cert_t *cert = tor_cert_create(signing_key, cert_type,
255 &keypair->pubkey,
256 now, lifetime,
257 cert_flags);
258 if (! cert)
259 goto err;
260
261 *cert_out = cert;
262 return keypair;
263
264 err:
265 tor_free(keypair);
266 return NULL;
267 }
268
269 static ed25519_keypair_t *master_identity_key = NULL;
270 static ed25519_keypair_t *master_signing_key = NULL;
271 static ed25519_keypair_t *current_auth_key = NULL;
272 static tor_cert_t *signing_key_cert = NULL;
273 static tor_cert_t *link_cert_cert = NULL;
274 static tor_cert_t *auth_key_cert = NULL;
275
276 static uint8_t *rsa_ed_crosscert = NULL;
277 static size_t rsa_ed_crosscert_len = 0;
278
279 /**
280 * Running as a server: load, reload, or refresh our ed25519 keys and
281 * certificates, creating and saving new ones as needed.
282 */
283 int
284 load_ed_keys(const or_options_t *options, time_t now)
285 {
286 ed25519_keypair_t *id = NULL;
287 ed25519_keypair_t *sign = NULL;
288 ed25519_keypair_t *auth = NULL;
289 const ed25519_keypair_t *sign_signing_key_with_id = NULL;
290 const ed25519_keypair_t *use_signing = NULL;
291 const tor_cert_t *check_signing_cert = NULL;
292 tor_cert_t *sign_cert = NULL;
293 tor_cert_t *auth_cert = NULL;
294
295 #define FAIL(msg) do { \
296 log_warn(LD_OR, (msg)); \
297 goto err; \
298 } while (0)
299 #define SET_KEY(key, newval) do { \
300 ed25519_keypair_free(key); \
301 key = (newval); \
302 } while (0)
303 #define SET_CERT(cert, newval) do { \
304 tor_cert_free(cert); \
305 cert = (newval); \
306 } while (0)
307 #define EXPIRES_SOON(cert, interval) \
308 (!(cert) || (cert)->valid_until < now + (interval))
309
310 /* XXXX support encrypted identity keys fully */
311
312 /* First try to get the signing key to see how it is. */
313 if (master_signing_key) {
314 check_signing_cert = signing_key_cert;
315 use_signing = master_signing_key;
316 } else {
317 char *fname =
318 options_get_datadir_fname2(options, "keys", "ed25519_signing");
319 sign = ed_key_init_from_file(
320 fname,
321 INIT_ED_KEY_NEEDCERT|
322 INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT,
323 LOG_INFO,
324 NULL, 0, 0, CERT_TYPE_ID_SIGNING, &sign_cert);
325 tor_free(fname);
326 check_signing_cert = sign_cert;
327 use_signing = sign;
328 }
329
330 const int need_new_signing_key =
331 NULL == use_signing ||
332 EXPIRES_SOON(check_signing_cert, 0);
333 const int want_new_signing_key =
334 need_new_signing_key ||
335 EXPIRES_SOON(check_signing_cert, options->TestingSigningKeySlop);
336
337 {
338 uint32_t flags =
339 (INIT_ED_KEY_CREATE|INIT_ED_KEY_SPLIT|
340 INIT_ED_KEY_EXTRA_STRONG);
341 if (! need_new_signing_key)
342 flags |= INIT_ED_KEY_MISSING_SECRET_OK;
343 if (! want_new_signing_key)
344 flags |= INIT_ED_KEY_OMIT_SECRET;
345
346 char *fname =
347 options_get_datadir_fname2(options, "keys", "ed25519_master_id");
348 id = ed_key_init_from_file(
349 fname,
350 flags,
351 LOG_WARN, NULL, 0, 0, 0, NULL);
352 tor_free(fname);
353 if (!id)
354 FAIL("Missing identity key");
355 if (tor_mem_is_zero((char*)id->seckey.seckey, sizeof(id->seckey)))
356 sign_signing_key_with_id = NULL;
357 else
358 sign_signing_key_with_id = id;
359 }
360
361 if (need_new_signing_key && NULL == sign_signing_key_with_id)
362 FAIL("Can't load master key make a new signing key.");
363
364 if (want_new_signing_key && sign_signing_key_with_id) {
365 uint32_t flags = (INIT_ED_KEY_CREATE|
366 INIT_ED_KEY_REPLACE|
367 INIT_ED_KEY_EXTRA_STRONG|
368 INIT_ED_KEY_NEEDCERT|
369 INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT);
370 char *fname =
371 options_get_datadir_fname2(options, "keys", "ed25519_signing");
372 sign = ed_key_init_from_file(fname,
373 flags, LOG_WARN,
374 sign_signing_key_with_id, now,
375 options->SigningKeyLifetime,
376 CERT_TYPE_ID_SIGNING, &sign_cert);
377 tor_free(fname);
378 if (!sign)
379 FAIL("Missing signing key");
380 use_signing = sign;
381 } else if (want_new_signing_key) {
382 static ratelim_t missing_master = RATELIM_INIT(3600);
383 log_fn_ratelim(&missing_master, LOG_WARN, LD_OR,
384 "Signing key will expire soon, but I can't load the "
385 "master key to sign a new one!");
386 }
387
388 tor_assert(use_signing);
389
390 /* At this point we no longer need our secret identity key. So wipe
391 * it, if we loaded it in the first place. */
392 memwipe(id->seckey.seckey, 0, sizeof(id->seckey));
393
394 if (!rsa_ed_crosscert && server_mode(options)) {
395 uint8_t *crosscert;
396 ssize_t crosscert_len = tor_make_rsa_ed25519_crosscert(&id->pubkey,
397 get_server_identity_key(),
398 now+10*365*86400,/*XXXX*/
399 &crosscert);
400 rsa_ed_crosscert_len = crosscert_len;
401 rsa_ed_crosscert = crosscert;
402 }
403
404 if (!current_auth_key ||
405 EXPIRES_SOON(auth_key_cert, options->TestingAuthKeySlop)) {
406 auth = ed_key_new(use_signing, INIT_ED_KEY_NEEDCERT,
407 now,
408 options->TestingAuthKeyLifetime,
409 CERT_TYPE_SIGNING_AUTH, &auth_cert);
410
411 if (!auth)
412 FAIL("Can't create auth key");
413 }
414
415 /* We've generated or loaded everything. Put them in memory. */
416
417 if (! master_identity_key) {
418 SET_KEY(master_identity_key, id);
419 } else {
420 tor_free(id);
421 }
422 if (sign) {
423 SET_KEY(master_signing_key, sign);
424 SET_CERT(signing_key_cert, sign_cert);
425 }
426 if (auth) {
427 SET_KEY(current_auth_key, auth);
428 SET_CERT(auth_key_cert, auth_cert);
429 }
430
431 return 0;
432 err:
433 ed25519_keypair_free(id);
434 ed25519_keypair_free(sign);
435 ed25519_keypair_free(auth);
436 tor_cert_free(sign_cert);
437 tor_cert_free(auth_cert);
438 return -1;
439 }
440
441 /**DOCDOC*/
442 int
443 generate_ed_link_cert(const or_options_t *options, time_t now)
444 {
445 const tor_x509_cert_t *link = NULL, *id = NULL;
446 tor_cert_t *link_cert = NULL;
447
448 if (tor_tls_get_my_certs(1, &link, &id) < 0 || link == NULL) {
449 log_warn(LD_OR, "Can't get my x509 link cert.");
450 return -1;
451 }
452
453 const digests_t *digests = tor_x509_cert_get_cert_digests(link);
454
455 if (link_cert_cert &&
456 ! EXPIRES_SOON(link_cert_cert, options->TestingLinkKeySlop) &&
457 fast_memeq(digests->d[DIGEST_SHA256], link_cert_cert->signed_key.pubkey,
458 DIGEST256_LEN)) {
459 return 0;
460 }
461
462 ed25519_public_key_t dummy_key;
463 memcpy(dummy_key.pubkey, digests->d[DIGEST_SHA256], DIGEST256_LEN);
464
465 link_cert = tor_cert_create(get_master_signing_keypair(),
466 CERT_TYPE_SIGNING_LINK,
467 &dummy_key,
468 now,
469 options->TestingLinkCertLifetime, 0);
470
471 if (link_cert) {
472 SET_CERT(link_cert_cert, link_cert);
473 }
474 return 0;
475 }
476
477 #undef FAIL
478 #undef SET_KEY
479 #undef SET_CERT
480
481 int
482 should_make_new_ed_keys(const or_options_t *options, const time_t now)
483 {
484 if (!master_identity_key ||
485 !master_signing_key ||
486 !current_auth_key ||
487 !link_cert_cert ||
488 EXPIRES_SOON(signing_key_cert, options->TestingSigningKeySlop) ||
489 EXPIRES_SOON(auth_key_cert, options->TestingAuthKeySlop) ||
490 EXPIRES_SOON(link_cert_cert, options->TestingLinkKeySlop))
491 return 1;
492
493 const tor_x509_cert_t *link = NULL, *id = NULL;
494
495 if (tor_tls_get_my_certs(1, &link, &id) < 0 || link == NULL)
496 return 1;
497
498 const digests_t *digests = tor_x509_cert_get_cert_digests(link);
499
500 if (!fast_memeq(digests->d[DIGEST_SHA256],
501 link_cert_cert->signed_key.pubkey,
502 DIGEST256_LEN)) {
503 return 1;
504 }
505
506 return 0;
507 }
508
509 #undef EXPIRES_SOON
510
511 const ed25519_public_key_t *
512 get_master_identity_key(void)
513 {
514 if (!master_identity_key)
515 return NULL;
516 return &master_identity_key->pubkey;
517 }
518
519 const ed25519_keypair_t *
520 get_master_signing_keypair(void)
521 {
522 return master_signing_key;
523 }
524
525 const struct tor_cert_st *
526 get_master_signing_key_cert(void)
527 {
528 return signing_key_cert;
529 }
530
531 const ed25519_keypair_t *
532 get_current_auth_keypair(void)
533 {
534 return current_auth_key;
535 }
536
537 const tor_cert_t *
538 get_current_link_cert_cert(void)
539 {
540 return link_cert_cert;
541 }
542
543 const tor_cert_t *
544 get_current_auth_key_cert(void)
545 {
546 return auth_key_cert;
547 }
548
549 void
550 get_master_rsa_crosscert(const uint8_t **cert_out,
551 size_t *size_out)
552 {
553 *cert_out = rsa_ed_crosscert;
554 *size_out = rsa_ed_crosscert_len;
555 }
556
557 /** Construct cross-certification for the master identity key with
558 * the ntor onion key. Store the sign of the corresponding ed25519 public key
559 * in *<b>sign_out</b>. */
560 tor_cert_t *
561 make_ntor_onion_key_crosscert(const curve25519_keypair_t *onion_key,
562 const ed25519_public_key_t *master_id_key, time_t now, time_t lifetime,
563 int *sign_out)
564 {
565 tor_cert_t *cert = NULL;
566 ed25519_keypair_t ed_onion_key;
567
568 if (ed25519_keypair_from_curve25519_keypair(&ed_onion_key, sign_out,
569 onion_key) < 0)
570 goto end;
571
572 cert = tor_cert_create(&ed_onion_key, CERT_TYPE_ONION_ID, master_id_key,
573 now, lifetime, 0);
574
575 end:
576 memwipe(&ed_onion_key, 0, sizeof(ed_onion_key));
577 return cert;
578 }
579
580 /** Construct and return an RSA signature for the TAP onion key to
581 * cross-certify the RSA and Ed25519 identity keys. Set <b>len_out</b> to its
582 * length. */
583 uint8_t *
584 make_tap_onion_key_crosscert(const crypto_pk_t *onion_key,
585 const ed25519_public_key_t *master_id_key,
586 const crypto_pk_t *rsa_id_key,
587 int *len_out)
588 {
589 uint8_t signature[PK_BYTES];
590 uint8_t signed_data[DIGEST_LEN + ED25519_PUBKEY_LEN];
591
592 *len_out = 0;
593 crypto_pk_get_digest(rsa_id_key, (char*)signed_data);
594 memcpy(signed_data + DIGEST_LEN, master_id_key->pubkey, ED25519_PUBKEY_LEN);
595
596 int r = crypto_pk_private_sign(onion_key,
597 (char*)signature, sizeof(signature),
598 (const char*)signed_data, sizeof(signed_data));
599 if (r < 0)
600 return NULL;
601
602 *len_out = r;
603
604 return tor_memdup(signature, r);
605 }
606
607 /** Check whether an RSA-TAP cross-certification is correct. Return 0 if it
608 * is, -1 if it isn't. */
609 int
610 check_tap_onion_key_crosscert(const uint8_t *crosscert,
611 int crosscert_len,
612 const crypto_pk_t *onion_pkey,
613 const ed25519_public_key_t *master_id_pkey,
614 const uint8_t *rsa_id_digest)
615 {
616 uint8_t *cc = tor_malloc(crypto_pk_keysize(onion_pkey));
617 int cc_len =
618 crypto_pk_public_checksig(onion_pkey,
619 (char*)cc,
620 crypto_pk_keysize(onion_pkey),
621 (const char*)crosscert,
622 crosscert_len);
623 if (cc_len < 0) {
624 goto err;
625 }
626 if (cc_len < DIGEST_LEN + ED25519_PUBKEY_LEN) {
627 log_warn(LD_DIR, "Short signature on cross-certification with TAP key");
628 goto err;
629 }
630 if (tor_memneq(cc, rsa_id_digest, DIGEST_LEN) ||
631 tor_memneq(cc + DIGEST_LEN, master_id_pkey->pubkey,
632 ED25519_PUBKEY_LEN)) {
633 log_warn(LD_DIR, "Incorrect cross-certification with TAP key");
634 goto err;
635 }
636
637 tor_free(cc);
638 return 0;
639 err:
640 tor_free(cc);
641 return -1;
642 }
643
644 void
645 routerkeys_free_all(void)
646 {
647 ed25519_keypair_free(master_identity_key);
648 ed25519_keypair_free(master_signing_key);
649 ed25519_keypair_free(current_auth_key);
650 tor_cert_free(signing_key_cert);
651 tor_cert_free(link_cert_cert);
652 tor_cert_free(auth_key_cert);
653
654 master_identity_key = master_signing_key = NULL;
655 current_auth_key = NULL;
656 signing_key_cert = link_cert_cert = auth_key_cert = NULL;
657 }
658
The Onion Router