#ifndef LINT
static const char rcsid[] = "$Header: /proj/cvs/prod/libbind/dst/dst_api.c,v 1.17 2007/09/24 17:18:25 each Exp $";
#endif
/*
* Portions Copyright (c) 1995-1998 by Trusted Information Systems, Inc.
*
* Permission to use, copy modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND TRUSTED INFORMATION SYSTEMS
* DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
* TRUSTED INFORMATION SYSTEMS BE LIABLE FOR ANY SPECIAL, DIRECT,
* INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
* FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
* NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
* WITH THE USE OR PERFORMANCE OF THE SOFTWARE.
*/
/*
* This file contains the interface between the DST API and the crypto API.
* This is the only file that needs to be changed if the crypto system is
* changed. Exported functions are:
* void dst_init() Initialize the toolkit
* int dst_check_algorithm() Function to determines if alg is suppored.
* int dst_compare_keys() Function to compare two keys for equality.
* int dst_sign_data() Incremental signing routine.
* int dst_verify_data() Incremental verify routine.
* int dst_generate_key() Function to generate new KEY
* void dst_write_key() Function to write out a key.
* DST_KEY *dst_dnskey_to_key() Function to convert DNS KEY RR to a DST
* KEY structure.
* int dst_key_to_dnskey() Function to return a public key in DNS
* format binary
* DST_KEY *dst_buffer_to_key() Converst a data in buffer to KEY
* int *dst_key_to_buffer() Writes out DST_KEY key matterial in buffer
* void dst_free_key() Releases all memory referenced by key structure
*/
#include "port_before.h"
#include <stdio.h>
#include <errno.h>
#include <fcntl.h>
#include <stdlib.h>
#include <unistd.h>
#include <string.h>
#include <memory.h>
#include <ctype.h>
#include <time.h>
#include <resolv.h>
#include "dst_internal.h"
#include "port_after.h"
/* static variables */
static int done_init = 0;
/* internal I/O functions */
/* internal function to set up data structure */
const int bits);
/*%
* dst_init
* This function initializes the Digital Signature Toolkit.
* Right now, it just checks the DSTKEYPATH environment variable.
* Parameters
* none
* Returns
* none
*/
void
dst_init()
{
char *s;
int len;
if (done_init != 0)
return;
done_init = 1;
s = getenv("DSTKEYPATH");
len = 0;
if (s) {
EREPORT(("%s is longer than %d characters, ignoring\n",
s, PATH_MAX));
EREPORT(("%s is not a valid directory\n", s));
} else {
char *tmp;
}
}
}
/* first one is selected */
}
/*%
* dst_check_algorithm
* This function determines if the crypto system for the specified
* algorithm is present.
* Parameters
* alg 1 KEY_RSA
* 3 KEY_DSA
* 157 KEY_HMAC_MD5
* future algorithms TBD and registered with IANA.
* Returns
* 1 - The algorithm is available.
* 0 - The algorithm is not available.
*/
int
{
}
/*%
* dst_s_get_key_struct
* This function allocates key structure and fills in some of the
* fields of the structure.
* Parameters:
* name: the name of the key
* alg: the algorithm number
* flags: the dns flags of the key
* protocol: the dns protocol of the key
* bits: the size of the key
* Returns:
* NULL if error
* valid pointer otherwise
*/
static DST_KEY *
{
return (NULL);
return (NULL);
}
return (new_key);
}
/*%
* dst_compare_keys
* Compares two keys for equality.
* Parameters
* key1, key2 Two keys to be compared.
* Returns
* 0 The keys are equal.
* non-zero The keys are not equal.
*/
int
{
return (0);
return (4);
return (1);
return (2);
return (3);
}
/*%
* dst_sign_data
* An incremental signing function. Data is signed in steps.
* First the context must be initialized (SIG_MODE_INIT).
* Then data is hashed (SIG_MODE_UPDATE). Finally the signature
* itself is created (SIG_MODE_FINAL). This function can be called
* once with INIT, UPDATE and FINAL modes all set, or it can be
* called separately with a different mode set for each step. The
* UPDATE step can be repeated.
* Parameters
* mode A bit mask used to specify operation(s) to be performed.
* SIG_MODE_INIT 1 Initialize digest
* SIG_MODE_UPDATE 2 Add data to digest
* SIG_MODE_FINAL 4 Generate signature
* from signature
* SIG_MODE_ALL (SIG_MODE_INIT,SIG_MODE_UPDATE,SIG_MODE_FINAL
* data Data to be signed.
* len The length in bytes of data to be signed.
* in_key Contains a private key to sign with.
* KEY structures should be handled (created, converted,
* compared, stored, freed) by the DST.
* signature
* The location to which the signature will be written.
* sig_len Length of the signature field in bytes.
* Return
* 0 Successfull INIT or Update operation
* >0 success FINAL (sign) operation
* <0 failure
*/
int
{
if (mode & SIG_MODE_FINAL &&
return (MISSING_KEY_OR_SIGNATURE);
return (UNKNOWN_KEYALG);
}
/*%
* dst_verify_data
* An incremental verify function. Data is verified in steps.
* First the context must be initialized (SIG_MODE_INIT).
* Then data is hashed (SIG_MODE_UPDATE). Finally the signature
* is verified (SIG_MODE_FINAL). This function can be called
* once with INIT, UPDATE and FINAL modes all set, or it can be
* called separately with a different mode set for each step. The
* UPDATE step can be repeated.
* Parameters
* mode Operations to perform this time.
* SIG_MODE_INIT 1 Initialize digest
* SIG_MODE_UPDATE 2 add data to digest
* SIG_MODE_FINAL 4 verify signature
* SIG_MODE_ALL
* (SIG_MODE_INIT,SIG_MODE_UPDATE,SIG_MODE_FINAL)
* data Data to pass through the hash function.
* len Length of the data in bytes.
* in_key Key for verification.
* signature Location of signature.
* sig_len Length of the signature in bytes.
* Returns
* 0 Verify success
* Non-Zero Verify Failure
*/
int
{
if (mode & SIG_MODE_FINAL &&
return (MISSING_KEY_OR_SIGNATURE);
return (UNSUPPORTED_KEYALG);
}
/*%
* dst_read_private_key
* Access a private key. First the list of private keys that have
* already been read in is searched, then the key accessed on disk.
* If the private key can be found, it is returned. If the key cannot
* be found, a null pointer is returned. The options specify required
* key characteristics. If the private key requested does not have
* these characteristics, it will not be read.
* Parameters
* in_keyname The private key name.
* in_id The id of the private key.
* options DST_FORCE_READ Read from disk - don't use a previously
* read key.
* DST_CAN_SIGN The key must be useable for signing.
* DST_NO_AUTHEN The key must be useable for authentication.
* DST_STANDARD Return any key
* Returns
* NULL If there is no key found in the current directory or
* this key has not been loaded before.
* !NULL Success - KEY structure returned.
*/
DST_KEY *
{
EREPORT(("dst_read_private_key(): Algorithm %d not suppored\n",
in_alg));
return (NULL);
}
return (NULL);
if (in_keyname == NULL) {
EREPORT(("dst_read_private_key(): Null key name passed in\n"));
return (NULL);
EREPORT(("dst_read_private_key(): keyname too big\n"));
return (NULL);
} else
/* before I read in the public key, check if it is allowed to sign */
return (NULL);
if (type == DST_PUBLIC)
return pubkey;
0)))
return (dg_key);
/* Fill in private key and some fields in the general key structure */
(void)dst_free_key(pubkey);
return (dg_key);
}
int
{
return (0);
EREPORT(("dst_write_key(): Algorithm %d not suppored\n",
return (UNSUPPORTED_KEYALG);
}
return (0);
if (type & DST_PUBLIC)
return (pub);
if (type & DST_PRIVATE)
return (priv);
}
/*%
* dst_write_private_key
* Write a private key to disk. The filename will be of the form:
* K<key->dk_name>+<key->dk_alg+><key-d>k_id.><private key suffix>.
* If there is already a file with this name, an error is returned.
*
* Parameters
* key A DST managed key structure that contains
* all information needed about a key.
* Return
* >= 0 Correct behavior. Returns length of encoded key value
* written to disk.
* < 0 error.
*/
static int
{
int len;
/* First encode the key into the portable key format */
return (-1);
return (0); /*%< null key has no private key */
EREPORT(("dst_write_private_key(): Unsupported operation %d\n",
return (-5);
sizeof(encoded_block))) <= 0) {
return (-8);
}
/* Now I can create the file I want to use */
/* Do not overwrite an existing file */
int nn;
EREPORT(("dst_write_private_key(): Write failure on %s %d != %d errno=%d\n",
return (-5);
}
} else {
EREPORT(("dst_write_private_key(): Can not create file %s\n"
,file));
return (-6);
}
return (len);
}
/*%
*
* dst_read_public_key
* Read a public key from disk and store in a DST key structure.
* Parameters
* in_name K<in_name><in_id>.<public key suffix> is the
* filename of the key file to be read.
* Returns
* NULL If the key does not exist or no name is supplied.
* NON-NULL Initialized key structure if the key exists.
*/
static DST_KEY *
{
int c;
EREPORT(("dst_read_public_key(): No key name given\n"));
return (NULL);
}
PATH_MAX) == -1) {
EREPORT(("dst_read_public_key(): Cannot make filename from %s, %d, and %s\n",
return (NULL);
}
/*
* Open the file and read it's formatted contents up to key
* File format:
* domain.name [ttl] [IN] KEY <flags> <protocol> <algorithm> <key>
* flags, proto, alg stored as decimal (or hex numbers FIXME).
* (FIXME: handle parentheses for line continuation.)
*/
EREPORT(("dst_read_public_key(): Public Key not found %s\n",
name));
return (NULL);
}
/* Skip domain name, which ends at first blank */
if (isspace(c))
break;
/* Skip blank to get to next field */
if (!isspace(c))
break;
/* Skip optional TTL -- if initial digit, skip whole word. */
if (isdigit(c)) {
if (isspace(c))
break;
if (!isspace(c))
break;
}
/* Skip optional "IN" */
if (c == 'I' || c == 'i') {
if (isspace(c))
break;
if (!isspace(c))
break;
}
/* Locate and skip "KEY" */
if (c != 'K' && c != 'k') {
return NULL;
}
if (isspace(c))
break;
if (!isspace(c))
break;
/* Handle hex!! FIXME. */
,name));
return (NULL);
}
/* read in the key string */
/* If we aren't at end-of-file, something is wrong. */
if (!isspace(c))
break;
return NULL;
}
return (NULL);
/* discard \n */
/* remove leading spaces */
notspace++;
if (dlen < 0) {
EREPORT(("dst_read_public_key: bad return from b64_pton = %d",
dlen));
return (NULL);
}
/* store key and info in a key structure that is returned */
/* return dst_store_public_key(in_name, alg, proto, 666, flags, deckey,
dlen);*/
}
/*%
* dst_write_public_key
* Write a key to disk in DNS format.
* Parameters
* key Pointer to a DST key structure.
* Returns
* 0 Failure
* 1 Success
*/
static int
{
int len = 0;
int mode;
EREPORT(("dst_write_public_key(): No key specified \n"));
return (0);
return (0);
/* Make the filename */
EREPORT(("dst_write_public_key(): Cannot make filename from %s, %d, and %s\n",
return (0);
}
/* XXX in general this should be a check for symmetric keys */
/* create public key file */
EREPORT(("DST_write_public_key: open of file:%s failed (errno=%d)\n",
return (0);
}
/*write out key first base64 the key data */
else
return (1);
}
/*%
* dst_dnskey_to_public_key
* This function converts the contents of a DNS KEY RR into a DST
* key structure.
* Paramters
* len Length of the RDATA of the KEY RR RDATA
* rdata A pointer to the the KEY RR RDATA.
* in_name Key name to be stored in key structure.
* Returns
* NULL Failure
* NON-NULL Success. Pointer to key structure.
* Caller's responsibility to free() it.
*/
DST_KEY *
{
int alg ;
return (NULL);
EREPORT(("dst_dnskey_to_key(): Algorithm %d not suppored\n",
alg));
return (NULL);
}
return (NULL);
return (NULL);
start += 2;
}
/*
* now point to the begining of the data representing the encoding
* of the key
*/
return (key_st);
} else
EREPORT(("dst_dnskey_to_public_key(): unsuppored alg %d\n",
alg));
return (key_st);
}
/*%
* dst_public_key_to_dnskey
* Function to encode a public key into DNS KEY wire format
* Parameters
* key Key structure to encode.
* out_storage Location to write the encoded key to.
* out_len Size of the output array.
* Returns
* <0 Failure
* >=0 Number of bytes written to out_storage
*/
int
const int out_len)
{
int loc = 0;
int enc_len = 0;
return (-1);
EREPORT(("dst_key_to_dnskey(): Algorithm %d not suppored\n",
return (UNSUPPORTED_KEYALG);
}
loc += 2;
loc += 2;
}
return (loc);
if (enc_len > 0)
else
return (-1);
} else
EREPORT(("dst_key_to_dnskey(): Unsupported ALG %d\n",
return (-1);
}
/*%
* dst_buffer_to_key
* Function to encode a string of raw data into a DST key
* Parameters
* alg The algorithm (HMAC only)
* key A pointer to the data
* keylen The length of the data
* Returns
* NULL an error occurred
* NON-NULL the DST key
*/
DST_KEY *
const int alg, /*!< algorithm */
const int flags, /*!< dns flags */
const int protocol, /*!< dns protocol */
const int key_len) /*!< size of key */
{
int dnslen;
return (NULL);
}
return (dst_free_key(dkey));
EREPORT(("dst_buffer_to_key(): dst_buffer_to_hmac failed\n"));
return (dst_free_key(dkey));
}
return (dkey);
}
int
{
int len;
/* this function will extrac the secret of HMAC into a buffer */
return (0);
if (len < 0)
return (0);
return (len);
}
return (0);
}
/*%
* dst_s_read_private_key_file
* Function reads in private key from a file.
* Fills out the KEY structure.
* Parameters
* name Name of the key to be read.
* pk_key Structure that the key is returned in.
* in_id Key identifier (tag)
* Return
* 1 if everthing works
* 0 if there is any problem
*/
static int
int in_alg)
{
int dnslen;
EREPORT(("dst_read_private_key_file(): No key name given\n"));
return (0);
}
/* Make the filename */
PATH_MAX) == -1) {
EREPORT(("dst_read_private_key(): Cannot make filename from %s, %d, and %s\n",
return (0);
}
/* first check if we can find the key file */
EREPORT(("dst_s_read_private_key_file: Could not open file %s in directory %s\n",
return (0);
}
/* now read the header info from the file */
EREPORT(("dst_s_read_private_key_file: error reading file %s (empty file)\n",
filename));
return (0);
}
/* decrypt key */
goto fail;
p = in_buff;
if (!dst_s_verify_str((const char **) (void *)&p,
"Private-key-format: v")) {
goto fail;
}
/* read in file format */
if (file_major < 1) {
EREPORT(("dst_s_read_private_key_file(): Unknown keyfile %d.%d version for %s\n",
goto fail;
EREPORT((
"dst_s_read_private_key_file(): Keyfile %s version higher than mine %d.%d MAY FAIL\n",
while (*p++ != '\n') ; /*%< skip to end of line */
if (!dst_s_verify_str((const char **) (void *)&p, "Algorithm: "))
goto fail;
goto fail;
while (*p++ != '\n') ; /*%< skip to end of line */
/* allocate and fill in key structure */
goto fail;
if (ret < 0)
goto fail;
/* Make sure the actual key tag matches the input tag used in the filename
*/
EREPORT(("dst_s_read_private_key_file(): actual tag of key read %d != input tag used to build filename %d.\n", id, in_id));
goto fail;
}
return (1);
fail:
return (0);
}
/*%
* Keys will be stored in formatted files.
*
* Parameters
&
*\par name Name of the new key. Used to create key files
*\li K<name>+<alg>+<id>.public and K<name>+<alg>+<id>.private.
*\par bits Size of the new key in bits.
*\par exp What exponent to use:
*\li 0 use exponent 3
*\li non-zero use Fermant4
*\par flags The default value of the DNS Key flags.
*\li The DNS Key RR Flag field is defined in RFC2065,
* section 3.3. The field has 16 bits.
*\par protocol
*\li Default value of the DNS Key protocol field.
*\li The DNS Key protocol field is defined in RFC2065,
* section 3.4. The field has 8 bits.
*\par alg What algorithm to use. Currently defined:
*\li KEY_RSA 1
*\li KEY_DSA 3
*\li KEY_HMAC 157
*\par out_id The key tag is returned.
*
* Return
*\li NULL Failure
*\li non-NULL the generated key pair
* Caller frees the result, and its dk_name pointer.
*/
DST_KEY *
{
int dnslen;
return (NULL);
return (NULL);
}
return (NULL);
if (bits == 0) /*%< null key we are done */
return (new_key);
EREPORT(("dst_generate_key_pair():Unsupported algorithm %d\n",
alg));
return (dst_free_key(new_key));
}
EREPORT(("dst_generate_key_pair(): Key generation failure %s %d %d %d\n",
return (dst_free_key(new_key));
}
if (dnslen != UNSUPPORTED_KEYALG)
else
return (new_key);
}
/*%
* Release all data structures pointed to by a key structure.
*
* Parameters
*\li f_key Key structure to be freed.
*/
DST_KEY *
{
return (f_key);
else {
EREPORT(("dst_free_key(): Unknown key alg %d\n",
}
if (f_key->dk_KEY_struct) {
}
if (f_key->dk_key_name)
return (NULL);
}
/*%
* Return the maximim size of signature from the key specified in bytes
*
* Parameters
*\li key
*
* Returns
* \li bytes
*/
int
case KEY_HMAC_MD5:
return (16);
case KEY_HMAC_SHA1:
return (20);
case KEY_RSA:
case KEY_DSA:
return (40);
default:
return -1;
}
}
/*! \file */