| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498 | /* Copyright (c) 2014-2017, The Tor Project, Inc. *//* See LICENSE for licensing information *//** * \file keypin.c * * \brief Functions and structures for associating routers' RSA key * fingerprints with their ED25519 keys. */#define KEYPIN_PRIVATE#include "orconfig.h"#include "compat.h"#include "crypto.h"#include "crypto_format.h"#include "di_ops.h"#include "ht.h"#include "keypin.h"#include "siphash.h"#include "torint.h"#include "torlog.h"#include "util.h"#include "util_format.h"#ifdef HAVE_UNISTD_H#include <unistd.h>#endif#ifdef HAVE_FCNTL_H#include <fcntl.h>#endif#ifdef _WIN32#include <io.h>#endif/** * @file keypin.c * @brief Key-pinning for RSA and Ed25519 identity keys at directory *  authorities. * * Many older clients, and many internal interfaces, still refer to relays by * their RSA1024 identity keys.  We can make this more secure, however: * authorities use this module to track which RSA keys have been used along * with which Ed25519 keys, and force such associations to be permanent. * * This module implements a key-pinning mechanism to ensure that it's safe * to use RSA keys as identitifers even as we migrate to Ed25519 keys.  It * remembers, for every Ed25519 key we've seen, what the associated Ed25519 * key is.  This way, if we see a different Ed25519 key with that RSA key, * we'll know that there's a mismatch. * * (As of this writing, these key associations are advisory only, mostly * because some relay operators kept mishandling their Ed25519 keys during * the initial Ed25519 rollout.  We should fix this problem, and then toggle * the AuthDirPinKeys option.) * * We persist these entries to disk using a simple format, where each line * has a base64-encoded RSA SHA1 hash, then a base64-endoded Ed25519 key. * Empty lines, misformed lines, and lines beginning with # are * ignored. Lines beginning with @ are reserved for future extensions. * * The dirserv.c module is the main user of these functions. */static int keypin_journal_append_entry(const uint8_t *rsa_id_digest,                                       const uint8_t *ed25519_id_key);static int keypin_check_and_add_impl(const uint8_t *rsa_id_digest,                                     const uint8_t *ed25519_id_key,                                     const int do_not_add,                                     const int replace);static int keypin_add_or_replace_entry_in_map(keypin_ent_t *ent);static HT_HEAD(rsamap, keypin_ent_st) the_rsa_map = HT_INITIALIZER();static HT_HEAD(edmap, keypin_ent_st) the_ed_map = HT_INITIALIZER();/** Hashtable helper: compare two keypin table entries and return true iff * they have the same RSA key IDs. */static inline intkeypin_ents_eq_rsa(const keypin_ent_t *a, const keypin_ent_t *b){  return tor_memeq(a->rsa_id, b->rsa_id, sizeof(a->rsa_id));}/** Hashtable helper: hash a keypin table entries based on its RSA key ID */static inline unsignedkeypin_ent_hash_rsa(const keypin_ent_t *a){return (unsigned) siphash24g(a->rsa_id, sizeof(a->rsa_id));}/** Hashtable helper: compare two keypin table entries and return true iff * they have the same ed25519 keys */static inline intkeypin_ents_eq_ed(const keypin_ent_t *a, const keypin_ent_t *b){  return tor_memeq(a->ed25519_key, b->ed25519_key, sizeof(a->ed25519_key));}/** Hashtable helper: hash a keypin table entries based on its ed25519 key */static inline unsignedkeypin_ent_hash_ed(const keypin_ent_t *a){return (unsigned) siphash24g(a->ed25519_key, sizeof(a->ed25519_key));}HT_PROTOTYPE(rsamap, keypin_ent_st, rsamap_node, keypin_ent_hash_rsa,               keypin_ents_eq_rsa)HT_GENERATE2(rsamap, keypin_ent_st, rsamap_node, keypin_ent_hash_rsa,               keypin_ents_eq_rsa, 0.6, tor_reallocarray, tor_free_)HT_PROTOTYPE(edmap, keypin_ent_st, edmap_node, keypin_ent_hash_ed,               keypin_ents_eq_ed)HT_GENERATE2(edmap, keypin_ent_st, edmap_node, keypin_ent_hash_ed,               keypin_ents_eq_ed, 0.6, tor_reallocarray, tor_free_)/** * Check whether we already have an entry in the key pinning table for a * router with RSA ID digest <b>rsa_id_digest</b> or for ed25519 key * <b>ed25519_id_key</b>.  If we have an entry that matches both keys, * return KEYPIN_FOUND. If we find an entry that matches one key but * not the other, return KEYPIN_MISMATCH.  If we have no entry for either * key, add such an entry to the table and return KEYPIN_ADDED. * * If <b>replace_existing_entry</b> is true, then any time we would have said * KEYPIN_FOUND, we instead add this entry anyway and return KEYPIN_ADDED. */intkeypin_check_and_add(const uint8_t *rsa_id_digest,                     const uint8_t *ed25519_id_key,                     const int replace_existing_entry){  return keypin_check_and_add_impl(rsa_id_digest, ed25519_id_key, 0,                                   replace_existing_entry);}/** * As keypin_check_and_add, but do not add.  Return KEYPIN_NOT_FOUND if * we would add. */intkeypin_check(const uint8_t *rsa_id_digest,             const uint8_t *ed25519_id_key){  return keypin_check_and_add_impl(rsa_id_digest, ed25519_id_key, 1, 0);}/** * Helper: implements keypin_check and keypin_check_and_add. */static intkeypin_check_and_add_impl(const uint8_t *rsa_id_digest,                          const uint8_t *ed25519_id_key,                          const int do_not_add,                          const int replace){  keypin_ent_t search, *ent;  memset(&search, 0, sizeof(search));  memcpy(search.rsa_id, rsa_id_digest, sizeof(search.rsa_id));  memcpy(search.ed25519_key, ed25519_id_key, sizeof(search.ed25519_key));  /* Search by RSA key digest first */  ent = HT_FIND(rsamap, &the_rsa_map, &search);  if (ent) {    tor_assert(fast_memeq(ent->rsa_id, rsa_id_digest, sizeof(ent->rsa_id)));    if (tor_memeq(ent->ed25519_key, ed25519_id_key,sizeof(ent->ed25519_key))) {      return KEYPIN_FOUND; /* Match on both keys. Great. */    } else {      if (!replace)        return KEYPIN_MISMATCH; /* Found RSA with different Ed key */    }  }  /* See if we know a different RSA key for this ed key */  if (! replace) {    ent = HT_FIND(edmap, &the_ed_map, &search);    if (ent) {      /* If we got here, then the ed key matches and the RSA doesn't */      tor_assert(fast_memeq(ent->ed25519_key, ed25519_id_key,                            sizeof(ent->ed25519_key)));      tor_assert(fast_memneq(ent->rsa_id, rsa_id_digest, sizeof(ent->rsa_id)));      return KEYPIN_MISMATCH;    }  }  /* Okay, this one is new to us. */  if (do_not_add)    return KEYPIN_NOT_FOUND;  ent = tor_memdup(&search, sizeof(search));  int r = keypin_add_or_replace_entry_in_map(ent);  if (! replace) {    tor_assert(r == 1);  } else {    tor_assert(r != 0);  }  keypin_journal_append_entry(rsa_id_digest, ed25519_id_key);  return KEYPIN_ADDED;}/** * Helper: add <b>ent</b> to the hash tables. */MOCK_IMPL(STATIC void,keypin_add_entry_to_map, (keypin_ent_t *ent)){  HT_INSERT(rsamap, &the_rsa_map, ent);  HT_INSERT(edmap, &the_ed_map, ent);}/** * Helper: add 'ent' to the maps, replacing any entries that contradict it. * Take ownership of 'ent', freeing it if needed. * * Return 0 if the entry was a duplicate, -1 if there was a conflict, * and 1 if there was no conflict. */static intkeypin_add_or_replace_entry_in_map(keypin_ent_t *ent){  int r = 1;  keypin_ent_t *ent2 = HT_FIND(rsamap, &the_rsa_map, ent);  keypin_ent_t *ent3 = HT_FIND(edmap, &the_ed_map, ent);  if (ent2 &&      fast_memeq(ent2->ed25519_key, ent->ed25519_key, DIGEST256_LEN)) {    /* We already have this mapping stored. Ignore it. */    tor_free(ent);    return 0;  } else if (ent2 || ent3) {    /* We have a conflict. (If we had no entry, we would have ent2 == ent3     * == NULL. If we had a non-conflicting duplicate, we would have found     * it above.)     *     * We respond by having this entry (ent) supersede all entries that it     * contradicts (ent2 and/or ent3). In other words, if we receive     * <rsa,ed>, we remove all <rsa,ed'> and all <rsa',ed>, for rsa'!=rsa     * and ed'!= ed.     */    const keypin_ent_t *t;    if (ent2) {      t = HT_REMOVE(rsamap, &the_rsa_map, ent2);      tor_assert(ent2 == t);      t = HT_REMOVE(edmap, &the_ed_map, ent2);      tor_assert(ent2 == t);    }    if (ent3 && ent2 != ent3) {      t = HT_REMOVE(rsamap, &the_rsa_map, ent3);      tor_assert(ent3 == t);      t = HT_REMOVE(edmap, &the_ed_map, ent3);      tor_assert(ent3 == t);      tor_free(ent3);    }    tor_free(ent2);    r = -1;    /* Fall through */  }  keypin_add_entry_to_map(ent);  return r;}/** * Check whether we already have an entry in the key pinning table for a * router with RSA ID digest <b>rsa_id_digest</b>.  If we have no such entry, * return KEYPIN_NOT_FOUND.  If we find an entry that matches the RSA key but * which has an ed25519 key, return KEYPIN_MISMATCH. */intkeypin_check_lone_rsa(const uint8_t *rsa_id_digest){  keypin_ent_t search, *ent;  memset(&search, 0, sizeof(search));  memcpy(search.rsa_id, rsa_id_digest, sizeof(search.rsa_id));  /* Search by RSA key digest first */  ent = HT_FIND(rsamap, &the_rsa_map, &search);  if (ent) {    return KEYPIN_MISMATCH;  } else {    return KEYPIN_NOT_FOUND;  }}/** Open fd to the keypinning journal file. */static int keypin_journal_fd = -1;/** Open the key-pinning journal to append to <b>fname</b>.  Return 0 on * success, -1 on failure. */intkeypin_open_journal(const char *fname){  /* O_SYNC ??*/  int fd = tor_open_cloexec(fname, O_WRONLY|O_CREAT|O_BINARY, 0600);  if (fd < 0)    goto err;  if (tor_fd_seekend(fd) < 0)    goto err;  /* Add a newline in case the last line was only partially written */  if (write(fd, "\n", 1) < 1)    goto err;  /* Add something about when we opened this file. */  char buf[80];  char tbuf[ISO_TIME_LEN+1];  format_iso_time(tbuf, approx_time());  tor_snprintf(buf, sizeof(buf), "@opened-at %s\n", tbuf);  if (write_all(fd, buf, strlen(buf), 0) < 0)    goto err;  keypin_journal_fd = fd;  return 0; err:  if (fd >= 0)    close(fd);  return -1;}/** Close the keypinning journal file. */intkeypin_close_journal(void){  if (keypin_journal_fd >= 0)    close(keypin_journal_fd);  keypin_journal_fd = -1;  return 0;}/** Length of a keypinning journal line, including terminating newline. */#define JOURNAL_LINE_LEN (BASE64_DIGEST_LEN + BASE64_DIGEST256_LEN + 2)/** Add an entry to the keypinning journal to map <b>rsa_id_digest</b> and * <b>ed25519_id_key</b>. */static intkeypin_journal_append_entry(const uint8_t *rsa_id_digest,                            const uint8_t *ed25519_id_key){  if (keypin_journal_fd == -1)    return -1;  char line[JOURNAL_LINE_LEN];  digest_to_base64(line, (const char*)rsa_id_digest);  line[BASE64_DIGEST_LEN] = ' ';  digest256_to_base64(line + BASE64_DIGEST_LEN + 1,                      (const char*)ed25519_id_key);  line[BASE64_DIGEST_LEN+1+BASE64_DIGEST256_LEN] = '\n';  if (write_all(keypin_journal_fd, line, JOURNAL_LINE_LEN, 0)<0) {    log_warn(LD_DIRSERV, "Error while adding a line to the key-pinning "             "journal: %s", strerror(errno));    keypin_close_journal();    return -1;  }  return 0;}/** Load a journal from the <b>size</b>-byte region at <b>data</b>.  Return 0 * on success, -1 on failure. */STATIC intkeypin_load_journal_impl(const char *data, size_t size){  const char *start = data, *end = data + size, *next;  int n_corrupt_lines = 0;  int n_entries = 0;  int n_duplicates = 0;  int n_conflicts = 0;  for (const char *cp = start; cp < end; cp = next) {    const char *eol = memchr(cp, '\n', end-cp);    const char *eos = eol ? eol : end;    const size_t len = eos - cp;    next = eol ? eol + 1 : end;    if (len == 0) {      continue;    }    if (*cp == '@') {      /* Lines that start with @ are reserved. Ignore for now. */      continue;    }    if (*cp == '#') {      /* Lines that start with # are comments. */      continue;    }    /* Is it the right length?  (The -1 here is for the newline.) */    if (len != JOURNAL_LINE_LEN - 1) {      /* Lines with a bad length are corrupt unless they are empty.       * Ignore them either way */      for (const char *s = cp; s < eos; ++s) {        if (! TOR_ISSPACE(*s)) {          ++n_corrupt_lines;          break;        }      }      continue;    }    keypin_ent_t *ent = keypin_parse_journal_line(cp);    if (ent == NULL) {      ++n_corrupt_lines;      continue;    }    const int r = keypin_add_or_replace_entry_in_map(ent);    if (r == 0) {      ++n_duplicates;    } else if (r == -1) {      ++n_conflicts;    }    ++n_entries;  }  int severity = (n_corrupt_lines || n_duplicates) ? LOG_WARN : LOG_INFO;  tor_log(severity, LD_DIRSERV,          "Loaded %d entries from keypin journal. "          "Found %d corrupt lines, %d duplicates, and %d conflicts.",          n_entries, n_corrupt_lines, n_duplicates, n_conflicts);  return 0;}/** * Load a journal from the file called <b>fname</b>. Return 0 on success, * -1 on failure. */intkeypin_load_journal(const char *fname){  tor_mmap_t *map = tor_mmap_file(fname);  if (!map) {    if (errno == ENOENT)      return 0;    else      return -1;  }  int r = keypin_load_journal_impl(map->data, map->size);  tor_munmap_file(map);  return r;}/** Parse a single keypinning journal line entry from <b>cp</b>.  The input * does not need to be NUL-terminated, but it <em>does</em> need to have * KEYPIN_JOURNAL_LINE_LEN -1 bytes available to read.  Return a new entry * on success, and NULL on failure. */STATIC keypin_ent_t *keypin_parse_journal_line(const char *cp){  /* XXXX assumes !USE_OPENSSL_BASE64 */  keypin_ent_t *ent = tor_malloc_zero(sizeof(keypin_ent_t));  if (base64_decode((char*)ent->rsa_id, sizeof(ent->rsa_id),             cp, BASE64_DIGEST_LEN) != DIGEST_LEN ||      cp[BASE64_DIGEST_LEN] != ' ' ||      base64_decode((char*)ent->ed25519_key, sizeof(ent->ed25519_key),             cp+BASE64_DIGEST_LEN+1, BASE64_DIGEST256_LEN) != DIGEST256_LEN) {    tor_free(ent);    return NULL;  } else {    return ent;  }}/** Remove all entries from the keypinning table.*/voidkeypin_clear(void){  int bad_entries = 0;  {    keypin_ent_t **ent, **next, *this;    for (ent = HT_START(rsamap, &the_rsa_map); ent != NULL; ent = next) {      this = *ent;      next = HT_NEXT_RMV(rsamap, &the_rsa_map, ent);      keypin_ent_t *other_ent = HT_REMOVE(edmap, &the_ed_map, this);      bad_entries += (other_ent != this);      tor_free(this);    }  }  bad_entries += HT_SIZE(&the_ed_map);  HT_CLEAR(edmap,&the_ed_map);  HT_CLEAR(rsamap,&the_rsa_map);  if (bad_entries) {    log_warn(LD_BUG, "Found %d discrepencies in the keypin database.",             bad_entries);  }}
 |