/* Copyright (c) 2014-2017, The Tor Project, Inc. */ /* See LICENSE for licensing information */ /** * \file keypin.c * * \brief Functions and structures for associating routers' RSA key * fingerprints with their ED25519 keys. */ #define KEYPIN_PRIVATE #include "orconfig.h" #include "compat.h" #include "crypto.h" #include "crypto_format.h" #include "di_ops.h" #include "ht.h" #include "keypin.h" #include "siphash.h" #include "torint.h" #include "torlog.h" #include "util.h" #include "util_format.h" #ifdef HAVE_UNISTD_H #include #endif #ifdef HAVE_FCNTL_H #include #endif #ifdef _WIN32 #include #endif /** * @file keypin.c * @brief Key-pinning for RSA and Ed25519 identity keys at directory * authorities. * * Many older clients, and many internal interfaces, still refer to relays by * their RSA1024 identity keys. We can make this more secure, however: * authorities use this module to track which RSA keys have been used along * with which Ed25519 keys, and force such associations to be permanent. * * This module implements a key-pinning mechanism to ensure that it's safe * to use RSA keys as identitifers even as we migrate to Ed25519 keys. It * remembers, for every Ed25519 key we've seen, what the associated Ed25519 * key is. This way, if we see a different Ed25519 key with that RSA key, * we'll know that there's a mismatch. * * (As of this writing, these key associations are advisory only, mostly * because some relay operators kept mishandling their Ed25519 keys during * the initial Ed25519 rollout. We should fix this problem, and then toggle * the AuthDirPinKeys option.) * * We persist these entries to disk using a simple format, where each line * has a base64-encoded RSA SHA1 hash, then a base64-endoded Ed25519 key. * Empty lines, misformed lines, and lines beginning with # are * ignored. Lines beginning with @ are reserved for future extensions. * * The dirserv.c module is the main user of these functions. */ static int keypin_journal_append_entry(const uint8_t *rsa_id_digest, const uint8_t *ed25519_id_key); static int keypin_check_and_add_impl(const uint8_t *rsa_id_digest, const uint8_t *ed25519_id_key, const int do_not_add, const int replace); static int keypin_add_or_replace_entry_in_map(keypin_ent_t *ent); static HT_HEAD(rsamap, keypin_ent_st) the_rsa_map = HT_INITIALIZER(); static HT_HEAD(edmap, keypin_ent_st) the_ed_map = HT_INITIALIZER(); /** Hashtable helper: compare two keypin table entries and return true iff * they have the same RSA key IDs. */ static inline int keypin_ents_eq_rsa(const keypin_ent_t *a, const keypin_ent_t *b) { return tor_memeq(a->rsa_id, b->rsa_id, sizeof(a->rsa_id)); } /** Hashtable helper: hash a keypin table entries based on its RSA key ID */ static inline unsigned keypin_ent_hash_rsa(const keypin_ent_t *a) { return (unsigned) siphash24g(a->rsa_id, sizeof(a->rsa_id)); } /** Hashtable helper: compare two keypin table entries and return true iff * they have the same ed25519 keys */ static inline int keypin_ents_eq_ed(const keypin_ent_t *a, const keypin_ent_t *b) { return tor_memeq(a->ed25519_key, b->ed25519_key, sizeof(a->ed25519_key)); } /** Hashtable helper: hash a keypin table entries based on its ed25519 key */ static inline unsigned keypin_ent_hash_ed(const keypin_ent_t *a) { return (unsigned) siphash24g(a->ed25519_key, sizeof(a->ed25519_key)); } HT_PROTOTYPE(rsamap, keypin_ent_st, rsamap_node, keypin_ent_hash_rsa, keypin_ents_eq_rsa) HT_GENERATE2(rsamap, keypin_ent_st, rsamap_node, keypin_ent_hash_rsa, keypin_ents_eq_rsa, 0.6, tor_reallocarray, tor_free_) HT_PROTOTYPE(edmap, keypin_ent_st, edmap_node, keypin_ent_hash_ed, keypin_ents_eq_ed) HT_GENERATE2(edmap, keypin_ent_st, edmap_node, keypin_ent_hash_ed, keypin_ents_eq_ed, 0.6, tor_reallocarray, tor_free_) /** * Check whether we already have an entry in the key pinning table for a * router with RSA ID digest rsa_id_digest or for ed25519 key * ed25519_id_key. If we have an entry that matches both keys, * return KEYPIN_FOUND. If we find an entry that matches one key but * not the other, return KEYPIN_MISMATCH. If we have no entry for either * key, add such an entry to the table and return KEYPIN_ADDED. * * If replace_existing_entry is true, then any time we would have said * KEYPIN_FOUND, we instead add this entry anyway and return KEYPIN_ADDED. */ int keypin_check_and_add(const uint8_t *rsa_id_digest, const uint8_t *ed25519_id_key, const int replace_existing_entry) { return keypin_check_and_add_impl(rsa_id_digest, ed25519_id_key, 0, replace_existing_entry); } /** * As keypin_check_and_add, but do not add. Return KEYPIN_NOT_FOUND if * we would add. */ int keypin_check(const uint8_t *rsa_id_digest, const uint8_t *ed25519_id_key) { return keypin_check_and_add_impl(rsa_id_digest, ed25519_id_key, 1, 0); } /** * Helper: implements keypin_check and keypin_check_and_add. */ static int keypin_check_and_add_impl(const uint8_t *rsa_id_digest, const uint8_t *ed25519_id_key, const int do_not_add, const int replace) { keypin_ent_t search, *ent; memset(&search, 0, sizeof(search)); memcpy(search.rsa_id, rsa_id_digest, sizeof(search.rsa_id)); memcpy(search.ed25519_key, ed25519_id_key, sizeof(search.ed25519_key)); /* Search by RSA key digest first */ ent = HT_FIND(rsamap, &the_rsa_map, &search); if (ent) { tor_assert(fast_memeq(ent->rsa_id, rsa_id_digest, sizeof(ent->rsa_id))); if (tor_memeq(ent->ed25519_key, ed25519_id_key,sizeof(ent->ed25519_key))) { return KEYPIN_FOUND; /* Match on both keys. Great. */ } else { if (!replace) return KEYPIN_MISMATCH; /* Found RSA with different Ed key */ } } /* See if we know a different RSA key for this ed key */ if (! replace) { ent = HT_FIND(edmap, &the_ed_map, &search); if (ent) { /* If we got here, then the ed key matches and the RSA doesn't */ tor_assert(fast_memeq(ent->ed25519_key, ed25519_id_key, sizeof(ent->ed25519_key))); tor_assert(fast_memneq(ent->rsa_id, rsa_id_digest, sizeof(ent->rsa_id))); return KEYPIN_MISMATCH; } } /* Okay, this one is new to us. */ if (do_not_add) return KEYPIN_NOT_FOUND; ent = tor_memdup(&search, sizeof(search)); int r = keypin_add_or_replace_entry_in_map(ent); if (! replace) { tor_assert(r == 1); } else { tor_assert(r != 0); } keypin_journal_append_entry(rsa_id_digest, ed25519_id_key); return KEYPIN_ADDED; } /** * Helper: add ent to the hash tables. */ MOCK_IMPL(STATIC void, keypin_add_entry_to_map, (keypin_ent_t *ent)) { HT_INSERT(rsamap, &the_rsa_map, ent); HT_INSERT(edmap, &the_ed_map, ent); } /** * Helper: add 'ent' to the maps, replacing any entries that contradict it. * Take ownership of 'ent', freeing it if needed. * * Return 0 if the entry was a duplicate, -1 if there was a conflict, * and 1 if there was no conflict. */ static int keypin_add_or_replace_entry_in_map(keypin_ent_t *ent) { int r = 1; keypin_ent_t *ent2 = HT_FIND(rsamap, &the_rsa_map, ent); keypin_ent_t *ent3 = HT_FIND(edmap, &the_ed_map, ent); if (ent2 && fast_memeq(ent2->ed25519_key, ent->ed25519_key, DIGEST256_LEN)) { /* We already have this mapping stored. Ignore it. */ tor_free(ent); return 0; } else if (ent2 || ent3) { /* We have a conflict. (If we had no entry, we would have ent2 == ent3 * == NULL. If we had a non-conflicting duplicate, we would have found * it above.) * * We respond by having this entry (ent) supersede all entries that it * contradicts (ent2 and/or ent3). In other words, if we receive * , we remove all and all , for rsa'!=rsa * and ed'!= ed. */ const keypin_ent_t *t; if (ent2) { t = HT_REMOVE(rsamap, &the_rsa_map, ent2); tor_assert(ent2 == t); t = HT_REMOVE(edmap, &the_ed_map, ent2); tor_assert(ent2 == t); } if (ent3 && ent2 != ent3) { t = HT_REMOVE(rsamap, &the_rsa_map, ent3); tor_assert(ent3 == t); t = HT_REMOVE(edmap, &the_ed_map, ent3); tor_assert(ent3 == t); tor_free(ent3); } tor_free(ent2); r = -1; /* Fall through */ } keypin_add_entry_to_map(ent); return r; } /** * Check whether we already have an entry in the key pinning table for a * router with RSA ID digest rsa_id_digest. If we have no such entry, * return KEYPIN_NOT_FOUND. If we find an entry that matches the RSA key but * which has an ed25519 key, return KEYPIN_MISMATCH. */ int keypin_check_lone_rsa(const uint8_t *rsa_id_digest) { keypin_ent_t search, *ent; memset(&search, 0, sizeof(search)); memcpy(search.rsa_id, rsa_id_digest, sizeof(search.rsa_id)); /* Search by RSA key digest first */ ent = HT_FIND(rsamap, &the_rsa_map, &search); if (ent) { return KEYPIN_MISMATCH; } else { return KEYPIN_NOT_FOUND; } } /** Open fd to the keypinning journal file. */ static int keypin_journal_fd = -1; /** Open the key-pinning journal to append to fname. Return 0 on * success, -1 on failure. */ int keypin_open_journal(const char *fname) { int fd = tor_open_cloexec(fname, O_WRONLY|O_CREAT|O_BINARY|O_SYNC, 0600); if (fd < 0) goto err; if (tor_fd_seekend(fd) < 0) goto err; /* Add a newline in case the last line was only partially written */ if (write(fd, "\n", 1) < 1) goto err; /* Add something about when we opened this file. */ char buf[80]; char tbuf[ISO_TIME_LEN+1]; format_iso_time(tbuf, approx_time()); tor_snprintf(buf, sizeof(buf), "@opened-at %s\n", tbuf); if (write_all(fd, buf, strlen(buf), 0) < 0) goto err; keypin_journal_fd = fd; return 0; err: if (fd >= 0) close(fd); return -1; } /** Close the keypinning journal file. */ int keypin_close_journal(void) { if (keypin_journal_fd >= 0) close(keypin_journal_fd); keypin_journal_fd = -1; return 0; } /** Length of a keypinning journal line, including terminating newline. */ #define JOURNAL_LINE_LEN (BASE64_DIGEST_LEN + BASE64_DIGEST256_LEN + 2) /** Add an entry to the keypinning journal to map rsa_id_digest and * ed25519_id_key. */ static int keypin_journal_append_entry(const uint8_t *rsa_id_digest, const uint8_t *ed25519_id_key) { if (keypin_journal_fd == -1) return -1; char line[JOURNAL_LINE_LEN]; digest_to_base64(line, (const char*)rsa_id_digest); line[BASE64_DIGEST_LEN] = ' '; digest256_to_base64(line + BASE64_DIGEST_LEN + 1, (const char*)ed25519_id_key); line[BASE64_DIGEST_LEN+1+BASE64_DIGEST256_LEN] = '\n'; if (write_all(keypin_journal_fd, line, JOURNAL_LINE_LEN, 0)<0) { log_warn(LD_DIRSERV, "Error while adding a line to the key-pinning " "journal: %s", strerror(errno)); keypin_close_journal(); return -1; } return 0; } /** Load a journal from the size-byte region at data. Return 0 * on success, -1 on failure. */ STATIC int keypin_load_journal_impl(const char *data, size_t size) { const char *start = data, *end = data + size, *next; int n_corrupt_lines = 0; int n_entries = 0; int n_duplicates = 0; int n_conflicts = 0; for (const char *cp = start; cp < end; cp = next) { const char *eol = memchr(cp, '\n', end-cp); const char *eos = eol ? eol : end; const size_t len = eos - cp; next = eol ? eol + 1 : end; if (len == 0) { continue; } if (*cp == '@') { /* Lines that start with @ are reserved. Ignore for now. */ continue; } if (*cp == '#') { /* Lines that start with # are comments. */ continue; } /* Is it the right length? (The -1 here is for the newline.) */ if (len != JOURNAL_LINE_LEN - 1) { /* Lines with a bad length are corrupt unless they are empty. * Ignore them either way */ for (const char *s = cp; s < eos; ++s) { if (! TOR_ISSPACE(*s)) { ++n_corrupt_lines; break; } } continue; } keypin_ent_t *ent = keypin_parse_journal_line(cp); if (ent == NULL) { ++n_corrupt_lines; continue; } const int r = keypin_add_or_replace_entry_in_map(ent); if (r == 0) { ++n_duplicates; } else if (r == -1) { ++n_conflicts; } ++n_entries; } int severity = (n_corrupt_lines || n_duplicates) ? LOG_NOTICE : LOG_INFO; tor_log(severity, LD_DIRSERV, "Loaded %d entries from keypin journal. " "Found %d corrupt lines (ignored), %d duplicates (harmless), " "and %d conflicts (resolved in favor or more recent entry).", n_entries, n_corrupt_lines, n_duplicates, n_conflicts); return 0; } /** * Load a journal from the file called fname. Return 0 on success, * -1 on failure. */ int keypin_load_journal(const char *fname) { tor_mmap_t *map = tor_mmap_file(fname); if (!map) { if (errno == ENOENT) return 0; else return -1; } int r = keypin_load_journal_impl(map->data, map->size); tor_munmap_file(map); return r; } /** Parse a single keypinning journal line entry from cp. The input * does not need to be NUL-terminated, but it does need to have * KEYPIN_JOURNAL_LINE_LEN -1 bytes available to read. Return a new entry * on success, and NULL on failure. */ STATIC keypin_ent_t * keypin_parse_journal_line(const char *cp) { /* XXXX assumes !USE_OPENSSL_BASE64 */ keypin_ent_t *ent = tor_malloc_zero(sizeof(keypin_ent_t)); if (base64_decode((char*)ent->rsa_id, sizeof(ent->rsa_id), cp, BASE64_DIGEST_LEN) != DIGEST_LEN || cp[BASE64_DIGEST_LEN] != ' ' || base64_decode((char*)ent->ed25519_key, sizeof(ent->ed25519_key), cp+BASE64_DIGEST_LEN+1, BASE64_DIGEST256_LEN) != DIGEST256_LEN) { tor_free(ent); return NULL; } else { return ent; } } /** Remove all entries from the keypinning table.*/ void keypin_clear(void) { int bad_entries = 0; { keypin_ent_t **ent, **next, *this; for (ent = HT_START(rsamap, &the_rsa_map); ent != NULL; ent = next) { this = *ent; next = HT_NEXT_RMV(rsamap, &the_rsa_map, ent); keypin_ent_t *other_ent = HT_REMOVE(edmap, &the_ed_map, this); bad_entries += (other_ent != this); tor_free(this); } } bad_entries += HT_SIZE(&the_ed_map); HT_CLEAR(edmap,&the_ed_map); HT_CLEAR(rsamap,&the_rsa_map); if (bad_entries) { log_warn(LD_BUG, "Found %d discrepencies in the keypin database.", bad_entries); } }