search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Add a --master-key option
[tor.git] / src / or / routerkeys.c
blob197dbf87a1d16a36062691dac99199867044ac44
1 /* Copyright (c) 2014, The Tor Project, Inc. */
2 /* See LICENSE for licensing information */
3
4 #include "or.h"
5 #include "config.h"
6 #include "router.h"
7 #include "crypto_pwbox.h"
8 #include "routerkeys.h"
9 #include "torcert.h"
10
11 #define ENC_KEY_HEADER "Boxed Ed25519 key"
12 #define ENC_KEY_TAG "master"
13
14 static ssize_t
15 do_getpass(const char *prompt, char *buf, size_t buflen,
16 int twice, const or_options_t *options)
17 {
18 if (options->keygen_force_passphrase == FORCE_PASSPHRASE_OFF) {
19 tor_assert(buflen);
20 buf[0] = 0;
21 return 0;
22 }
23
24 char *prompt2 = NULL;
25 char *buf2 = NULL;
26 int fd = -1;
27 ssize_t length = -1;
28
29 if (options->use_keygen_passphrase_fd) {
30 twice = 0;
31 fd = options->keygen_passphrase_fd;
32 length = read_all(fd, buf, buflen-1, 0);
33 if (length >= 0)
34 buf[length] = 0;
35 goto done_reading;
36 }
37
38 if (twice) {
39 const char msg[] = "One more time:";
40 size_t p2len = strlen(prompt) + 1;
41 if (p2len < sizeof(msg))
42 p2len = sizeof(msg);
43 prompt2 = tor_malloc(strlen(prompt)+1);
44 memset(prompt2, ' ', p2len);
45 memcpy(prompt2 + p2len - sizeof(msg), msg, sizeof(msg));
46
47 buf2 = tor_malloc_zero(buflen);
48 }
49
50 while (1) {
51 length = tor_getpass(prompt, buf, buflen);
52 if (length < 0)
53 goto done_reading;
54
55 if (! twice)
56 break;
57
58 ssize_t length2 = tor_getpass(prompt2, buf2, buflen);
59
60 if (length != length2 || tor_memneq(buf, buf2, length)) {
61 fprintf(stderr, "That didn't match.\n");
62 } else {
63 break;
64 }
65 }
66
67 done_reading:
68 if (twice) {
69 tor_free(prompt2);
70 memwipe(buf2, 0, buflen);
71 tor_free(buf2);
72 }
73
74 if (options->keygen_force_passphrase == FORCE_PASSPHRASE_ON && length == 0)
75 return -1;
76
77 return length;
78 }
79
80 int
81 read_encrypted_secret_key(ed25519_secret_key_t *out,
82 const char *fname)
83 {
84 int r = -1;
85 uint8_t *secret = NULL;
86 size_t secret_len = 0;
87 char pwbuf[256];
88 uint8_t encrypted_key[256];
89 char *tag = NULL;
90 int saved_errno = 0;
91
92 ssize_t encrypted_len = crypto_read_tagged_contents_from_file(fname,
93 ENC_KEY_HEADER,
94 &tag,
95 encrypted_key,
96 sizeof(encrypted_key));
97 if (encrypted_len < 0) {
98 saved_errno = errno;
99 log_info(LD_OR, "%s is missing", fname);
100 r = 0;
101 goto done;
102 }
103 if (strcmp(tag, ENC_KEY_TAG)) {
104 saved_errno = EINVAL;
105 goto done;
106 }
107
108 while (1) {
109 ssize_t pwlen =
110 do_getpass("Enter pasphrase for master key:", pwbuf, sizeof(pwbuf), 0,
111 get_options());
112 if (pwlen < 0) {
113 saved_errno = EINVAL;
114 goto done;
115 }
116 const int r = crypto_unpwbox(&secret, &secret_len,
117 encrypted_key, encrypted_len,
118 pwbuf, pwlen);
119 if (r == UNPWBOX_CORRUPTED) {
120 log_err(LD_OR, "%s is corrupted.", fname);
121 saved_errno = EINVAL;
122 goto done;
123 } else if (r == UNPWBOX_OKAY) {
124 break;
125 }
126
127 /* Otherwise, passphrase is bad, so try again till user does ctrl-c or gets
128 * it right. */
129 }
130
131 if (secret_len != ED25519_SECKEY_LEN) {
132 log_err(LD_OR, "%s is corrupted.", fname);
133 saved_errno = EINVAL;
134 goto done;
135 }
136 memcpy(out->seckey, secret, ED25519_SECKEY_LEN);
137 r = 1;
138
139 done:
140 memwipe(encrypted_key, 0, sizeof(encrypted_key));
141 memwipe(pwbuf, 0, sizeof(pwbuf));
142 tor_free(tag);
143 if (secret) {
144 memwipe(secret, 0, secret_len);
145 tor_free(secret);
146 }
147 if (saved_errno)
148 errno = saved_errno;
149 return r;
150 }
151
152 int
153 write_encrypted_secret_key(const ed25519_secret_key_t *key,
154 const char *fname)
155 {
156 int r = -1;
157 char pwbuf0[256];
158 uint8_t *encrypted_key = NULL;
159 size_t encrypted_len = 0;
160
161 if (do_getpass("Enter new passphrase:", pwbuf0, sizeof(pwbuf0), 1,
162 get_options()) < 0) {
163 log_warn(LD_OR, "NO/failed passphrase");
164 return -1;
165 }
166
167 if (strlen(pwbuf0) == 0) {
168 if (get_options()->keygen_force_passphrase == FORCE_PASSPHRASE_ON)
169 return -1;
170 else
171 return 0;
172 }
173
174 if (crypto_pwbox(&encrypted_key, &encrypted_len,
175 key->seckey, sizeof(key->seckey),
176 pwbuf0, strlen(pwbuf0), 0) < 0) {
177 log_warn(LD_OR, "crypto_pwbox failed!?");
178 goto done;
179 }
180 if (crypto_write_tagged_contents_to_file(fname,
181 ENC_KEY_HEADER,
182 ENC_KEY_TAG,
183 encrypted_key, encrypted_len) < 0)
184 goto done;
185 r = 1;
186 done:
187 if (encrypted_key) {
188 memwipe(encrypted_key, 0, encrypted_len);
189 tor_free(encrypted_key);
190 }
191 memwipe(pwbuf0, 0, sizeof(pwbuf0));
192 return r;
193 }
194
195 static int
196 write_secret_key(const ed25519_secret_key_t *key, int encrypted,
197 const char *fname,
198 const char *fname_tag,
199 const char *encrypted_fname)
200 {
201 if (encrypted) {
202 int r = write_encrypted_secret_key(key, encrypted_fname);
203 if (r == 1) {
204 /* Success! */
205
206 /* Try to unlink the unencrypted key, if any existed before */
207 if (strcmp(fname, encrypted_fname))
208 unlink(fname);
209 return r;
210 } else if (r != 0) {
211 /* Unrecoverable failure! */
212 return r;
213 }
214
215 fprintf(stderr, "Not encrypting the secret key.\n");
216 }
217 return ed25519_seckey_write_to_file(key, fname, fname_tag);
218 }
219
220 /**
221 * Read an ed25519 key and associated certificates from files beginning with
222 * <b>fname</b>, with certificate type <b>cert_type</b>. On failure, return
223 * NULL; on success return the keypair.
224 *
225 * If INIT_ED_KEY_CREATE is set in <b>flags</b>, then create the key (and
226 * certificate if requested) if it doesn't exist, and save it to disk.
227 *
228 * If INIT_ED_KEY_NEEDCERT is set in <b>flags</b>, load/create a certificate
229 * too and store it in *<b>cert_out</b>. Fail if the cert can't be
230 * found/created. To create a certificate, <b>signing_key</b> must be set to
231 * the key that should sign it; <b>now</b> to the current time, and
232 * <b>lifetime</b> to the lifetime of the key.
233 *
234 * If INIT_ED_KEY_REPLACE is set in <b>flags</b>, then create and save new key
235 * whether we can read the old one or not.
236 *
237 * If INIT_ED_KEY_EXTRA_STRONG is set in <b>flags</b>, set the extra_strong
238 * flag when creating the secret key.
239 *
240 * If INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT is set in <b>flags</b>, and
241 * we create a new certificate, create it with the signing key embedded.
242 *
243 * If INIT_ED_KEY_SPLIT is set in <b>flags</b>, and we create a new key,
244 * store the public key in a separate file from the secret key.
245 *
246 * If INIT_ED_KEY_MISSING_SECRET_OK is set in <b>flags</b>, and we find a
247 * public key file but no secret key file, return successfully anyway.
248 *
249 * If INIT_ED_KEY_OMIT_SECRET is set in <b>flags</b>, do not even try to
250 * load or return a secret key (but create and save one if needed).
251 *
252 * If INIT_ED_KEY_TRY_ENCRYPTED is set, we look for an encrypted secret key
253 * and consider encrypting any new secret key.
254 *
255 * If INIT_ED_KEY_NO_REPAIR is set, and there is any issue loading the keys
256 * from disk _other than their absence_ (full or partial), we do not try to
257 * replace them.
258 *
259 * If INIT_ED_KEY_SUGGEST_KEYGEN is set, have log messages about failures
260 * refer to the --keygen option.
261 *
262 * If INIT_ED_KEY_EXPLICIT_FNAME is set, use the provided file name for the
263 * secret key file, encrypted or not.
264 */
265 ed25519_keypair_t *
266 ed_key_init_from_file(const char *fname, uint32_t flags,
267 int severity,
268 const ed25519_keypair_t *signing_key,
269 time_t now,
270 time_t lifetime,
271 uint8_t cert_type,
272 struct tor_cert_st **cert_out)
273 {
274 char *secret_fname = NULL;
275 char *encrypted_secret_fname = NULL;
276 char *public_fname = NULL;
277 char *cert_fname = NULL;
278 const char *loaded_secret_fname = NULL;
279 int created_pk = 0, created_sk = 0, created_cert = 0;
280 const int try_to_load = ! (flags & INIT_ED_KEY_REPLACE);
281 const int encrypt_key = !! (flags & INIT_ED_KEY_TRY_ENCRYPTED);
282 const int norepair = !! (flags & INIT_ED_KEY_NO_REPAIR);
283 const int split = !! (flags & INIT_ED_KEY_SPLIT);
284 const int omit_secret = !! (flags & INIT_ED_KEY_OMIT_SECRET);
285 const int explicit_fname = !! (flags & INIT_ED_KEY_EXPLICIT_FNAME);
286
287 /* we don't support setting both of these flags at once. */
288 tor_assert((flags & (INIT_ED_KEY_NO_REPAIR|INIT_ED_KEY_NEEDCERT)) !=
289 (INIT_ED_KEY_NO_REPAIR|INIT_ED_KEY_NEEDCERT));
290
291 char tag[8];
292 tor_snprintf(tag, sizeof(tag), "type%d", (int)cert_type);
293
294 tor_cert_t *cert = NULL;
295 char *got_tag = NULL;
296 ed25519_keypair_t *keypair = tor_malloc_zero(sizeof(ed25519_keypair_t));
297
298 if (explicit_fname) {
299 secret_fname = tor_strdup(fname);
300 encrypted_secret_fname = tor_strdup(fname);
301 } else {
302 tor_asprintf(&secret_fname, "%s_secret_key", fname);
303 tor_asprintf(&encrypted_secret_fname, "%s_secret_key_encrypted", fname);
304 }
305 tor_asprintf(&public_fname, "%s_public_key", fname);
306 tor_asprintf(&cert_fname, "%s_cert", fname);
307
308 /* Try to read the secret key. */
309 int have_secret = 0;
310 if (try_to_load && (!omit_secret || file_status(public_fname)==FN_NOENT )) {
311 int rv = ed25519_seckey_read_from_file(&keypair->seckey,
312 &got_tag, secret_fname);
313 if (rv == 0) {
314 have_secret = 1;
315 loaded_secret_fname = secret_fname;
316 tor_assert(got_tag);
317 } else {
318 if (errno != ENOENT && norepair) {
319 tor_log(severity, LD_OR, "Unable to read %s: %s", secret_fname,
320 strerror(errno));
321 goto err;
322 }
323 }
324 }
325
326 /* Should we try for an encrypted key? */
327 int have_encrypted_secret_file = 0;
328 if (!have_secret && try_to_load && encrypt_key) {
329 int r = read_encrypted_secret_key(&keypair->seckey,
330 encrypted_secret_fname);
331 if (r > 0) {
332 have_secret = 1;
333 have_encrypted_secret_file = 1;
334 got_tag = tor_strdup(tag);
335 loaded_secret_fname = encrypted_secret_fname;
336 } else if (errno != ENOENT && norepair) {
337 tor_log(severity, LD_OR, "Unable to read %s: %s",
338 encrypted_secret_fname, strerror(errno));
339 goto err;
340 }
341 } else {
342 if (try_to_load) {
343 /* Check if it's there anyway, so we don't replace it. */
344 if (file_status(encrypted_secret_fname) != FN_NOENT)
345 have_encrypted_secret_file = 1;
346 }
347 }
348
349 if (have_secret) {
350 if (strcmp(got_tag, tag)) {
351 tor_log(severity, LD_OR, "%s has wrong tag", loaded_secret_fname);
352 goto err;
353 }
354 /* Derive the public key */
355 if (ed25519_public_key_generate(&keypair->pubkey, &keypair->seckey)<0) {
356 tor_log(severity, LD_OR, "%s can't produce a public key",
357 loaded_secret_fname);
358 goto err;
359 }
360 }
361
362 /* If we do split keys here, try to read the pubkey. */
363 int found_public = 0;
364 if (try_to_load && (!have_secret || split)) {
365 ed25519_public_key_t pubkey_tmp;
366 tor_free(got_tag);
367 found_public = ed25519_pubkey_read_from_file(&pubkey_tmp,
368 &got_tag, public_fname) == 0;
369 if (!found_public && errno != ENOENT && norepair) {
370 tor_log(severity, LD_OR, "Unable to read %s: %s", public_fname,
371 strerror(errno));
372 goto err;
373 }
374 if (found_public && strcmp(got_tag, tag)) {
375 tor_log(severity, LD_OR, "%s has wrong tag", public_fname);
376 goto err;
377 }
378 if (found_public) {
379 if (have_secret) {
380 /* If we have a secret key and we're reloading the public key,
381 * the key must match! */
382 if (! ed25519_pubkey_eq(&keypair->pubkey, &pubkey_tmp)) {
383 tor_log(severity, LD_OR, "%s does not match %s! If you are trying "
384 "to restore from backup, make sure you didn't mix up the "
385 "key files. If you are absolutely sure that %s is the right "
386 "key for this relay, delete %s or move it out of the way.",
387 public_fname, loaded_secret_fname,
388 loaded_secret_fname, public_fname);
389 goto err;
390 }
391 } else {
392 /* We only have the public key; better use that. */
393 tor_assert(split);
394 memcpy(&keypair->pubkey, &pubkey_tmp, sizeof(pubkey_tmp));
395 }
396 } else {
397 /* We have no public key file, but we do have a secret key, make the
398 * public key file! */
399 if (have_secret) {
400 if (ed25519_pubkey_write_to_file(&keypair->pubkey, public_fname, tag)
401 < 0) {
402 tor_log(severity, LD_OR, "Couldn't repair %s", public_fname);
403 goto err;
404 } else {
405 tor_log(LOG_NOTICE, LD_OR,
406 "Found secret key but not %s. Regenerating.",
407 public_fname);
408 }
409 }
410 }
411 }
412
413 /* If the secret key is absent and it's not allowed to be, fail. */
414 if (!have_secret && found_public &&
415 !(flags & INIT_ED_KEY_MISSING_SECRET_OK)) {
416 if (have_encrypted_secret_file) {
417 tor_log(severity, LD_OR, "We needed to load a secret key from %s, "
418 "but it was encrypted. Try 'tor --keygen' instead, so you "
419 "can enter the passphrase.",
420 secret_fname);
421 } else {
422 tor_log(severity, LD_OR, "We needed to load a secret key from %s, "
423 "but couldn't find it. %s", secret_fname,
424 (flags & INIT_ED_KEY_SUGGEST_KEYGEN) ?
425 "If you're keeping your master secret key offline, you will "
426 "need to run 'tor --keygen' to generate new signing keys." :
427 "Did you forget to copy it over when you copied the rest of the "
428 "signing key material?");
429 }
430 goto err;
431 }
432
433 /* If it's absent, and we're not supposed to make a new keypair, fail. */
434 if (!have_secret && !found_public && !(flags & INIT_ED_KEY_CREATE)) {
435 if (split) {
436 tor_log(severity, LD_OR, "No key found in %s or %s.",
437 secret_fname, public_fname);
438 } else {
439 tor_log(severity, LD_OR, "No key found in %s.", secret_fname);
440 }
441 goto err;
442 }
443
444 /* If the secret key is absent, but the encrypted key would be present,
445 * that's an error */
446 if (!have_secret && !found_public && have_encrypted_secret_file) {
447 tor_assert(!encrypt_key);
448 tor_log(severity, LD_OR, "Found an encrypted secret key, "
449 "but not public key file %s!", public_fname);
450 goto err;
451 }
452
453 /* if it's absent, make a new keypair... */
454 if (!have_secret && !found_public) {
455 tor_free(keypair);
456 keypair = ed_key_new(signing_key, flags, now, lifetime,
457 cert_type, &cert);
458 if (!keypair) {
459 tor_log(severity, LD_OR, "Couldn't create keypair");
460 goto err;
461 }
462 created_pk = created_sk = created_cert = 1;
463 }
464
465 /* Write it to disk if we're supposed to do with a new passphrase, or if
466 * we just created it. */
467 if (created_sk || (have_secret && get_options()->change_key_passphrase)) {
468 if (write_secret_key(&keypair->seckey,
469 encrypt_key,
470 secret_fname, tag, encrypted_secret_fname) < 0
471 ||
472 (split &&
473 ed25519_pubkey_write_to_file(&keypair->pubkey, public_fname, tag) < 0)
474 ||
475 (cert &&
476 crypto_write_tagged_contents_to_file(cert_fname, "ed25519v1-cert",
477 tag, cert->encoded, cert->encoded_len) < 0)) {
478 tor_log(severity, LD_OR, "Couldn't write keys or cert to file.");
479 goto err;
480 }
481 goto done;
482 }
483
484 /* If we're not supposed to get a cert, we're done. */
485 if (! (flags & INIT_ED_KEY_NEEDCERT))
486 goto done;
487
488 /* Read a cert. */
489 tor_free(got_tag);
490 uint8_t certbuf[256];
491 ssize_t cert_body_len = crypto_read_tagged_contents_from_file(
492 cert_fname, "ed25519v1-cert",
493 &got_tag, certbuf, sizeof(certbuf));
494 if (cert_body_len >= 0 && !strcmp(got_tag, tag))
495 cert = tor_cert_parse(certbuf, cert_body_len);
496
497 /* If we got it, check it to the extent we can. */
498 int bad_cert = 0;
499
500 if (! cert) {
501 tor_log(severity, LD_OR, "Cert was unparseable");
502 bad_cert = 1;
503 } else if (!tor_memeq(cert->signed_key.pubkey, keypair->pubkey.pubkey,
504 ED25519_PUBKEY_LEN)) {
505 tor_log(severity, LD_OR, "Cert was for wrong key");
506 bad_cert = 1;
507 } else if (signing_key &&
508 tor_cert_checksig(cert, &signing_key->pubkey, now) < 0) {
509 tor_log(severity, LD_OR, "Can't check certificate");
510 bad_cert = 1;
511 } else if (cert->cert_expired) {
512 tor_log(severity, LD_OR, "Certificate is expired");
513 bad_cert = 1;
514 } else if (signing_key && cert->signing_key_included &&
515 ! ed25519_pubkey_eq(&signing_key->pubkey, &cert->signing_key)) {
516 tor_log(severity, LD_OR, "Certificate signed by unexpectd key!");
517 bad_cert = 1;
518 }
519
520 if (bad_cert) {
521 tor_cert_free(cert);
522 cert = NULL;
523 }
524
525 /* If we got a cert, we're done. */
526 if (cert)
527 goto done;
528
529 /* If we didn't get a cert, and we're not supposed to make one, fail. */
530 if (!signing_key || !(flags & INIT_ED_KEY_CREATE)) {
531 tor_log(severity, LD_OR, "Without signing key, can't create certificate");
532 goto err;
533 }
534
535 /* We have keys but not a certificate, so make one. */
536 uint32_t cert_flags = 0;
537 if (flags & INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT)
538 cert_flags |= CERT_FLAG_INCLUDE_SIGNING_KEY;
539 cert = tor_cert_create(signing_key, cert_type,
540 &keypair->pubkey,
541 now, lifetime,
542 cert_flags);
543
544 if (! cert) {
545 tor_log(severity, LD_OR, "Couldn't create certificate");
546 goto err;
547 }
548
549 /* Write it to disk. */
550 created_cert = 1;
551 if (crypto_write_tagged_contents_to_file(cert_fname, "ed25519v1-cert",
552 tag, cert->encoded, cert->encoded_len) < 0) {
553 tor_log(severity, LD_OR, "Couldn't write cert to disk.");
554 goto err;
555 }
556
557 done:
558 if (cert_out)
559 *cert_out = cert;
560 else
561 tor_cert_free(cert);
562
563 goto cleanup;
564
565 err:
566 if (keypair)
567 memwipe(keypair, 0, sizeof(*keypair));
568 tor_free(keypair);
569 tor_cert_free(cert);
570 if (cert_out)
571 *cert_out = NULL;
572 if (created_sk)
573 unlink(secret_fname);
574 if (created_pk)
575 unlink(public_fname);
576 if (created_cert)
577 unlink(cert_fname);
578
579 cleanup:
580 tor_free(encrypted_secret_fname);
581 tor_free(secret_fname);
582 tor_free(public_fname);
583 tor_free(cert_fname);
584 tor_free(got_tag);
585
586 return keypair;
587 }
588
589 /**
590 * Create a new signing key and (optionally) certficiate; do not read or write
591 * from disk. See ed_key_init_from_file() for more information.
592 */
593 ed25519_keypair_t *
594 ed_key_new(const ed25519_keypair_t *signing_key,
595 uint32_t flags,
596 time_t now,
597 time_t lifetime,
598 uint8_t cert_type,
599 struct tor_cert_st **cert_out)
600 {
601 if (cert_out)
602 *cert_out = NULL;
603
604 const int extra_strong = !! (flags & INIT_ED_KEY_EXTRA_STRONG);
605 ed25519_keypair_t *keypair = tor_malloc_zero(sizeof(ed25519_keypair_t));
606 if (ed25519_keypair_generate(keypair, extra_strong) < 0)
607 goto err;
608
609 if (! (flags & INIT_ED_KEY_NEEDCERT))
610 return keypair;
611
612 tor_assert(signing_key);
613 tor_assert(cert_out);
614 uint32_t cert_flags = 0;
615 if (flags & INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT)
616 cert_flags |= CERT_FLAG_INCLUDE_SIGNING_KEY;
617 tor_cert_t *cert = tor_cert_create(signing_key, cert_type,
618 &keypair->pubkey,
619 now, lifetime,
620 cert_flags);
621 if (! cert)
622 goto err;
623
624 *cert_out = cert;
625 return keypair;
626
627 err:
628 tor_free(keypair);
629 return NULL;
630 }
631
632 static ed25519_keypair_t *master_identity_key = NULL;
633 static ed25519_keypair_t *master_signing_key = NULL;
634 static ed25519_keypair_t *current_auth_key = NULL;
635 static tor_cert_t *signing_key_cert = NULL;
636 static tor_cert_t *link_cert_cert = NULL;
637 static tor_cert_t *auth_key_cert = NULL;
638
639 static uint8_t *rsa_ed_crosscert = NULL;
640 static size_t rsa_ed_crosscert_len = 0;
641
642 /**
643 * Running as a server: load, reload, or refresh our ed25519 keys and
644 * certificates, creating and saving new ones as needed.
645 */
646 int
647 load_ed_keys(const or_options_t *options, time_t now)
648 {
649 ed25519_keypair_t *id = NULL;
650 ed25519_keypair_t *sign = NULL;
651 ed25519_keypair_t *auth = NULL;
652 const ed25519_keypair_t *sign_signing_key_with_id = NULL;
653 const ed25519_keypair_t *use_signing = NULL;
654 const tor_cert_t *check_signing_cert = NULL;
655 tor_cert_t *sign_cert = NULL;
656 tor_cert_t *auth_cert = NULL;
657
658 #define FAIL(msg) do { \
659 log_warn(LD_OR, (msg)); \
660 goto err; \
661 } while (0)
662 #define SET_KEY(key, newval) do { \
663 ed25519_keypair_free(key); \
664 key = (newval); \
665 } while (0)
666 #define SET_CERT(cert, newval) do { \
667 tor_cert_free(cert); \
668 cert = (newval); \
669 } while (0)
670 #define EXPIRES_SOON(cert, interval) \
671 (!(cert) || (cert)->valid_until < now + (interval))
672
673 /* XXXX support encrypted identity keys fully */
674
675 /* First try to get the signing key to see how it is. */
676 if (master_signing_key) {
677 check_signing_cert = signing_key_cert;
678 use_signing = master_signing_key;
679 } else {
680 char *fname =
681 options_get_datadir_fname2(options, "keys", "ed25519_signing");
682 sign = ed_key_init_from_file(
683 fname,
684 INIT_ED_KEY_NEEDCERT|
685 INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT,
686 LOG_INFO,
687 NULL, 0, 0, CERT_TYPE_ID_SIGNING, &sign_cert);
688 tor_free(fname);
689 check_signing_cert = sign_cert;
690 use_signing = sign;
691 }
692
693 const int need_new_signing_key =
694 NULL == use_signing ||
695 EXPIRES_SOON(check_signing_cert, 0) ||
696 (options->command == CMD_KEYGEN && ! options->change_key_passphrase);
697 const int want_new_signing_key =
698 need_new_signing_key ||
699 EXPIRES_SOON(check_signing_cert, options->TestingSigningKeySlop);
700
701 if (need_new_signing_key) {
702 log_notice(LD_OR, "It looks like I need to generate and sign a new "
703 "medium-term signing key, because %s. To do that, I need to "
704 "load (or create) the permanent master identity key.",
705 (NULL == use_signing) ? "I don't have one" :
706 EXPIRES_SOON(check_signing_cert, 0) ? "the one I have is expired" :
707 "you asked me to make one with --keygen");
708 } else if (want_new_signing_key) {
709 log_notice(LD_OR, "It looks like I should try to generate and sign a "
710 "new medium-term signing key, because the one I have is "
711 "going to expire soon. To do that, I'm going to have to try to "
712 "load the permanent master identity key.");
713 }
714
715 {
716 uint32_t flags =
717 (INIT_ED_KEY_SPLIT|
718 INIT_ED_KEY_EXTRA_STRONG|INIT_ED_KEY_NO_REPAIR);
719 if (! use_signing)
720 flags |= INIT_ED_KEY_CREATE;
721 if (! need_new_signing_key)
722 flags |= INIT_ED_KEY_MISSING_SECRET_OK;
723 if (! want_new_signing_key)
724 flags |= INIT_ED_KEY_OMIT_SECRET;
725 if (options->command == CMD_KEYGEN)
726 flags |= INIT_ED_KEY_TRY_ENCRYPTED;
727
728 /* Check the key directory */
729 if (check_private_dir(options->DataDirectory, CPD_CREATE, options->User)) {
730 log_err(LD_OR, "Can't create/check datadirectory %s",
731 options->DataDirectory);
732 goto err;
733 }
734 char *fname = get_datadir_fname("keys");
735 if (check_private_dir(fname, CPD_CREATE, options->User) < 0) {
736 log_err(LD_OR, "Problem creating/checking key directory %s", fname);
737 tor_free(fname);
738 goto err;
739 }
740 tor_free(fname);
741 if (options->master_key_fname) {
742 fname = tor_strdup(options->master_key_fname);
743 flags |= INIT_ED_KEY_EXPLICIT_FNAME;
744 } else {
745 fname = options_get_datadir_fname2(options, "keys", "ed25519_master_id");
746 }
747 id = ed_key_init_from_file(
748 fname,
749 flags,
750 LOG_WARN, NULL, 0, 0, 0, NULL);
751 tor_free(fname);
752 if (!id) {
753 if (need_new_signing_key) {
754 FAIL("Missing identity key");
755 } else {
756 log_warn(LD_OR, "Master public key was absent; inferring from "
757 "public key in signing certificate and saving to disk.");
758 tor_assert(check_signing_cert);
759 id = tor_malloc_zero(sizeof(*id));
760 memcpy(&id->pubkey, &check_signing_cert->signing_key,
761 sizeof(ed25519_public_key_t));
762 fname = options_get_datadir_fname2(options, "keys",
763 "ed25519_master_id_public_key");
764 if (ed25519_pubkey_write_to_file(&id->pubkey, fname, "type0") < 0) {
765 log_warn(LD_OR, "Error while attempting to write master public key "
766 "to disk");
767 tor_free(fname);
768 goto err;
769 }
770 tor_free(fname);
771 }
772 }
773 if (tor_mem_is_zero((char*)id->seckey.seckey, sizeof(id->seckey)))
774 sign_signing_key_with_id = NULL;
775 else
776 sign_signing_key_with_id = id;
777 }
778
779 if (master_identity_key &&
780 !ed25519_pubkey_eq(&id->pubkey, &master_identity_key->pubkey)) {
781 FAIL("Identity key on disk does not match key we loaded earlier!");
782 }
783
784 if (need_new_signing_key && NULL == sign_signing_key_with_id)
785 FAIL("Can't load master key make a new signing key.");
786
787 if (sign_cert) {
788 if (! sign_cert->signing_key_included)
789 FAIL("Loaded a signing cert with no key included!");
790 if (! ed25519_pubkey_eq(&sign_cert->signing_key, &id->pubkey))
791 FAIL("The signing cert we have was not signed with the master key "
792 "we loaded!");
793 if (tor_cert_checksig(sign_cert, &id->pubkey, 0) < 0)
794 FAIL("The signing cert we loaded was not signed correctly!");
795 }
796
797 if (want_new_signing_key && sign_signing_key_with_id) {
798 uint32_t flags = (INIT_ED_KEY_CREATE|
799 INIT_ED_KEY_REPLACE|
800 INIT_ED_KEY_EXTRA_STRONG|
801 INIT_ED_KEY_NEEDCERT|
802 INIT_ED_KEY_INCLUDE_SIGNING_KEY_IN_CERT);
803 char *fname =
804 options_get_datadir_fname2(options, "keys", "ed25519_signing");
805 sign = ed_key_init_from_file(fname,
806 flags, LOG_WARN,
807 sign_signing_key_with_id, now,
808 options->SigningKeyLifetime,
809 CERT_TYPE_ID_SIGNING, &sign_cert);
810 tor_free(fname);
811 if (!sign)
812 FAIL("Missing signing key");
813 use_signing = sign;
814
815 tor_assert(sign_cert->signing_key_included);
816 tor_assert(ed25519_pubkey_eq(&sign_cert->signing_key, &id->pubkey));
817 tor_assert(ed25519_pubkey_eq(&sign_cert->signed_key, &sign->pubkey));
818 } else if (want_new_signing_key) {
819 static ratelim_t missing_master = RATELIM_INIT(3600);
820 log_fn_ratelim(&missing_master, LOG_WARN, LD_OR,
821 "Signing key will expire soon, but I can't load the "
822 "master key to sign a new one!");
823 }
824
825 tor_assert(use_signing);
826
827 /* At this point we no longer need our secret identity key. So wipe
828 * it, if we loaded it in the first place. */
829 memwipe(id->seckey.seckey, 0, sizeof(id->seckey));
830
831 if (options->command == CMD_KEYGEN)
832 goto end;
833
834 if (!rsa_ed_crosscert && server_mode(options)) {
835 uint8_t *crosscert;
836 ssize_t crosscert_len = tor_make_rsa_ed25519_crosscert(&id->pubkey,
837 get_server_identity_key(),
838 now+10*365*86400,/*XXXX*/
839 &crosscert);
840 rsa_ed_crosscert_len = crosscert_len;
841 rsa_ed_crosscert = crosscert;
842 }
843
844 if (!current_auth_key ||
845 EXPIRES_SOON(auth_key_cert, options->TestingAuthKeySlop)) {
846 auth = ed_key_new(use_signing, INIT_ED_KEY_NEEDCERT,
847 now,
848 options->TestingAuthKeyLifetime,
849 CERT_TYPE_SIGNING_AUTH, &auth_cert);
850
851 if (!auth)
852 FAIL("Can't create auth key");
853 }
854
855 /* We've generated or loaded everything. Put them in memory. */
856
857 end:
858 if (! master_identity_key) {
859 SET_KEY(master_identity_key, id);
860 } else {
861 tor_free(id);
862 }
863 if (sign) {
864 SET_KEY(master_signing_key, sign);
865 SET_CERT(signing_key_cert, sign_cert);
866 }
867 if (auth) {
868 SET_KEY(current_auth_key, auth);
869 SET_CERT(auth_key_cert, auth_cert);
870 }
871
872 return 0;
873 err:
874 ed25519_keypair_free(id);
875 ed25519_keypair_free(sign);
876 ed25519_keypair_free(auth);
877 tor_cert_free(sign_cert);
878 tor_cert_free(auth_cert);
879 return -1;
880 }
881
882 /**DOCDOC*/
883 int
884 generate_ed_link_cert(const or_options_t *options, time_t now)
885 {
886 const tor_x509_cert_t *link = NULL, *id = NULL;
887 tor_cert_t *link_cert = NULL;
888
889 if (tor_tls_get_my_certs(1, &link, &id) < 0 || link == NULL) {
890 log_warn(LD_OR, "Can't get my x509 link cert.");
891 return -1;
892 }
893
894 const digests_t *digests = tor_x509_cert_get_cert_digests(link);
895
896 if (link_cert_cert &&
897 ! EXPIRES_SOON(link_cert_cert, options->TestingLinkKeySlop) &&
898 fast_memeq(digests->d[DIGEST_SHA256], link_cert_cert->signed_key.pubkey,
899 DIGEST256_LEN)) {
900 return 0;
901 }
902
903 ed25519_public_key_t dummy_key;
904 memcpy(dummy_key.pubkey, digests->d[DIGEST_SHA256], DIGEST256_LEN);
905
906 link_cert = tor_cert_create(get_master_signing_keypair(),
907 CERT_TYPE_SIGNING_LINK,
908 &dummy_key,
909 now,
910 options->TestingLinkCertLifetime, 0);
911
912 if (link_cert) {
913 SET_CERT(link_cert_cert, link_cert);
914 }
915 return 0;
916 }
917
918 #undef FAIL
919 #undef SET_KEY
920 #undef SET_CERT
921
922 int
923 should_make_new_ed_keys(const or_options_t *options, const time_t now)
924 {
925 if (!master_identity_key ||
926 !master_signing_key ||
927 !current_auth_key ||
928 !link_cert_cert ||
929 EXPIRES_SOON(signing_key_cert, options->TestingSigningKeySlop) ||
930 EXPIRES_SOON(auth_key_cert, options->TestingAuthKeySlop) ||
931 EXPIRES_SOON(link_cert_cert, options->TestingLinkKeySlop))
932 return 1;
933
934 const tor_x509_cert_t *link = NULL, *id = NULL;
935
936 if (tor_tls_get_my_certs(1, &link, &id) < 0 || link == NULL)
937 return 1;
938
939 const digests_t *digests = tor_x509_cert_get_cert_digests(link);
940
941 if (!fast_memeq(digests->d[DIGEST_SHA256],
942 link_cert_cert->signed_key.pubkey,
943 DIGEST256_LEN)) {
944 return 1;
945 }
946
947 return 0;
948 }
949
950 #undef EXPIRES_SOON
951
952 const ed25519_public_key_t *
953 get_master_identity_key(void)
954 {
955 if (!master_identity_key)
956 return NULL;
957 return &master_identity_key->pubkey;
958 }
959
960 const ed25519_keypair_t *
961 get_master_signing_keypair(void)
962 {
963 return master_signing_key;
964 }
965
966 const struct tor_cert_st *
967 get_master_signing_key_cert(void)
968 {
969 return signing_key_cert;
970 }
971
972 const ed25519_keypair_t *
973 get_current_auth_keypair(void)
974 {
975 return current_auth_key;
976 }
977
978 const tor_cert_t *
979 get_current_link_cert_cert(void)
980 {
981 return link_cert_cert;
982 }
983
984 const tor_cert_t *
985 get_current_auth_key_cert(void)
986 {
987 return auth_key_cert;
988 }
989
990 void
991 get_master_rsa_crosscert(const uint8_t **cert_out,
992 size_t *size_out)
993 {
994 *cert_out = rsa_ed_crosscert;
995 *size_out = rsa_ed_crosscert_len;
996 }
997
998 /** Construct cross-certification for the master identity key with
999 * the ntor onion key. Store the sign of the corresponding ed25519 public key
1000 * in *<b>sign_out</b>. */
1001 tor_cert_t *
1002 make_ntor_onion_key_crosscert(const curve25519_keypair_t *onion_key,
1003 const ed25519_public_key_t *master_id_key, time_t now, time_t lifetime,
1004 int *sign_out)
1005 {
1006 tor_cert_t *cert = NULL;
1007 ed25519_keypair_t ed_onion_key;
1008
1009 if (ed25519_keypair_from_curve25519_keypair(&ed_onion_key, sign_out,
1010 onion_key) < 0)
1011 goto end;
1012
1013 cert = tor_cert_create(&ed_onion_key, CERT_TYPE_ONION_ID, master_id_key,
1014 now, lifetime, 0);
1015
1016 end:
1017 memwipe(&ed_onion_key, 0, sizeof(ed_onion_key));
1018 return cert;
1019 }
1020
1021 /** Construct and return an RSA signature for the TAP onion key to
1022 * cross-certify the RSA and Ed25519 identity keys. Set <b>len_out</b> to its
1023 * length. */
1024 uint8_t *
1025 make_tap_onion_key_crosscert(const crypto_pk_t *onion_key,
1026 const ed25519_public_key_t *master_id_key,
1027 const crypto_pk_t *rsa_id_key,
1028 int *len_out)
1029 {
1030 uint8_t signature[PK_BYTES];
1031 uint8_t signed_data[DIGEST_LEN + ED25519_PUBKEY_LEN];
1032
1033 *len_out = 0;
1034 crypto_pk_get_digest(rsa_id_key, (char*)signed_data);
1035 memcpy(signed_data + DIGEST_LEN, master_id_key->pubkey, ED25519_PUBKEY_LEN);
1036
1037 int r = crypto_pk_private_sign(onion_key,
1038 (char*)signature, sizeof(signature),
1039 (const char*)signed_data, sizeof(signed_data));
1040 if (r < 0)
1041 return NULL;
1042
1043 *len_out = r;
1044
1045 return tor_memdup(signature, r);
1046 }
1047
1048 /** Check whether an RSA-TAP cross-certification is correct. Return 0 if it
1049 * is, -1 if it isn't. */
1050 int
1051 check_tap_onion_key_crosscert(const uint8_t *crosscert,
1052 int crosscert_len,
1053 const crypto_pk_t *onion_pkey,
1054 const ed25519_public_key_t *master_id_pkey,
1055 const uint8_t *rsa_id_digest)
1056 {
1057 uint8_t *cc = tor_malloc(crypto_pk_keysize(onion_pkey));
1058 int cc_len =
1059 crypto_pk_public_checksig(onion_pkey,
1060 (char*)cc,
1061 crypto_pk_keysize(onion_pkey),
1062 (const char*)crosscert,
1063 crosscert_len);
1064 if (cc_len < 0) {
1065 goto err;
1066 }
1067 if (cc_len < DIGEST_LEN + ED25519_PUBKEY_LEN) {
1068 log_warn(LD_DIR, "Short signature on cross-certification with TAP key");
1069 goto err;
1070 }
1071 if (tor_memneq(cc, rsa_id_digest, DIGEST_LEN) ||
1072 tor_memneq(cc + DIGEST_LEN, master_id_pkey->pubkey,
1073 ED25519_PUBKEY_LEN)) {
1074 log_warn(LD_DIR, "Incorrect cross-certification with TAP key");
1075 goto err;
1076 }
1077
1078 tor_free(cc);
1079 return 0;
1080 err:
1081 tor_free(cc);
1082 return -1;
1083 }
1084
1085 void
1086 routerkeys_free_all(void)
1087 {
1088 ed25519_keypair_free(master_identity_key);
1089 ed25519_keypair_free(master_signing_key);
1090 ed25519_keypair_free(current_auth_key);
1091 tor_cert_free(signing_key_cert);
1092 tor_cert_free(link_cert_cert);
1093 tor_cert_free(auth_key_cert);
1094
1095 master_identity_key = master_signing_key = NULL;
1096 current_auth_key = NULL;
1097 signing_key_cert = link_cert_cert = auth_key_cert = NULL;
1098 }
1099
The Onion Router