1 /*	$NetBSD: dst_internal.h,v 1.8 2022/09/23 12:15:29 christos Exp $	*/
2 
3 /*
4  * Copyright (C) Internet Systems Consortium, Inc. ("ISC")
5  *
6  * SPDX-License-Identifier: MPL-2.0 AND ISC
7  *
8  * This Source Code Form is subject to the terms of the Mozilla Public
9  * License, v. 2.0. If a copy of the MPL was not distributed with this
10  * file, you can obtain one at https://mozilla.org/MPL/2.0/.
11  *
12  * See the COPYRIGHT file distributed with this work for additional
13  * information regarding copyright ownership.
14  */
15 
16 /*
17  * Portions Copyright (C) Network Associates, Inc.
18  *
19  * Permission to use, copy, modify, and/or distribute this software for any
20  * purpose with or without fee is hereby granted, provided that the above
21  * copyright notice and this permission notice appear in all copies.
22  *
23  * THE SOFTWARE IS PROVIDED "AS IS" AND ISC AND NETWORK ASSOCIATES DISCLAIMS
24  * ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED
25  * WARRANTIES OF MERCHANTABILITY AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE
26  * FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
27  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
28  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR
29  * IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
30  */
31 
32 #pragma once
33 
34 #include <inttypes.h>
35 #include <stdbool.h>
36 
37 #include <isc/buffer.h>
38 #include <isc/hmac.h>
39 #include <isc/lang.h>
40 #include <isc/magic.h>
41 #include <isc/md.h>
42 #include <isc/refcount.h>
43 #include <isc/region.h>
44 #include <isc/stdtime.h>
45 #include <isc/types.h>
46 
47 #if USE_PKCS11
48 #include <pk11/pk11.h>
49 #include <pk11/site.h>
50 #endif /* USE_PKCS11 */
51 
52 #include <openssl/dh.h>
53 #include <openssl/err.h>
54 #include <openssl/evp.h>
55 #include <openssl/objects.h>
56 #include <openssl/rsa.h>
57 
58 #include <dns/time.h>
59 
60 #include <dst/dst.h>
61 
62 #ifdef GSSAPI
63 #ifdef WIN32
64 /*
65  * MSVC does not like macros in #include lines.
66  */
67 #include <gssapi/gssapi.h>
68 #include <gssapi/gssapi_krb5.h>
69 #else /* ifdef WIN32 */
70 #include ISC_PLATFORM_GSSAPIHEADER
71 #ifdef ISC_PLATFORM_GSSAPI_KRB5_HEADER
72 #include ISC_PLATFORM_GSSAPI_KRB5_HEADER
73 #endif /* ifdef ISC_PLATFORM_GSSAPI_KRB5_HEADER */
74 #endif /* ifdef WIN32 */
75 #endif /* ifdef GSSAPI */
76 
ISC_LANG_BEGINDECLS

/*
 * Magic values stamped into the 'magic' field of struct dst_key and
 * struct dst_context.  VALID_KEY()/VALID_CTX() wrap ISC_MAGIC_VALID()
 * so that entry points can cheaply reject a pointer that does not
 * refer to an initialised object of the expected type (for example a
 * stale or mis-cast pointer) before touching any other field.
 */
#define KEY_MAGIC ISC_MAGIC('D', 'S', 'T', 'K')
#define CTX_MAGIC ISC_MAGIC('D', 'S', 'T', 'C')

#define VALID_KEY(x) ISC_MAGIC_VALID(x, KEY_MAGIC)
#define VALID_CTX(x) ISC_MAGIC_VALID(x, CTX_MAGIC)

/***
 *** Types
 ***/

/*% Per-algorithm function table; defined below. */
typedef struct dst_func dst_func_t;

/*% Opaque HMAC key material; defined by the HMAC backend. */
typedef struct dst_hmac_key dst_hmac_key_t;

/*%
 * Indicate whether a DST context will be used for signing
 * or for verification.  Stored in dst_context.use.
 */
typedef enum { DO_SIGN, DO_VERIFY } dst_use_t;
98 
/*%
 * DST Key Structure.
 *
 * Describes one key as seen by the DST layer: its DNS identity (name,
 * algorithm, protocol, flags, key id), the metadata arrays tracked
 * alongside it, and an opaque crypto-library handle in 'keydata'.
 * Objects are reference counted ('refs') and carry 'magic' == KEY_MAGIC
 * so that VALID_KEY() can reject pointers to anything else.
 *
 * NOTE(review): the struct carries no discriminator for 'keydata'; the
 * live union member is implied by the algorithm the key was created
 * with and by the 'func' table that services it.  Reading a different
 * member is a type confusion, so accesses are expected to go through
 * 'func' rather than switching on 'key_alg' ad hoc -- confirm callers.
 */
struct dst_key {
	unsigned int magic;	    /*%< KEY_MAGIC; tested by VALID_KEY() */
	isc_refcount_t refs;	    /*%< reference count */
	isc_mutex_t mdlock;	    /*%< lock for read/write metadata */
	dns_name_t *key_name;	    /*%< name of the key */
	unsigned int key_size;	    /*%< size of the key in bits */
	unsigned int key_proto;	    /*%< protocols this key is used for */
	unsigned int key_alg;	    /*%< algorithm of the key */
	uint32_t key_flags;	    /*%< flags of the public key */
	uint16_t key_id;	    /*%< identifier of the key */
	uint16_t key_rid;	    /*%< identifier of the key when
				     *   revoked */
	uint16_t key_bits;	    /*%< hmac digest bits */
	dns_rdataclass_t key_class; /*%< class of the key record */
	dns_ttl_t key_ttl;	    /*%< default/initial dnskey ttl */
	isc_mem_t *mctx;	    /*%< memory context */
	char *engine;		    /*%< engine name (HSM) */
	char *label;		    /*%< engine label (HSM) */
	/*
	 * Crypto-library representation of the key.  There is no tag:
	 * see the NOTE above.  USE_OPENSSL and USE_PKCS11 both declare
	 * a member named 'pkey', so the build can enable at most one.
	 */
	union {
		void *generic;
		dns_gss_ctx_id_t gssctx;
		DH *dh;
#if USE_OPENSSL
		EVP_PKEY *pkey;
#endif /* if USE_OPENSSL */
#if USE_PKCS11
		pk11_object_t *pkey;
#endif /* if USE_PKCS11 */
		dst_hmac_key_t *hmac_key;
	} keydata; /*%< pointer to key in crypto pkg fmt */

	/*
	 * Metadata.  Each value array is paired with a "set" array that
	 * records which slots hold a value.  The arrays are sized
	 * DST_MAX_* + 1, so the valid index range is 0..DST_MAX_*
	 * inclusive; an index must be bound-checked against that before
	 * use.  Presumably guarded by 'mdlock' -- confirm in the
	 * accessors.
	 */
	isc_stdtime_t times[DST_MAX_TIMES + 1]; /*%< timing metadata */
	bool timeset[DST_MAX_TIMES + 1];	/*%< data set? */

	uint32_t nums[DST_MAX_NUMERIC + 1]; /*%< numeric metadata */
	bool numset[DST_MAX_NUMERIC + 1];   /*%< data set? */

	bool bools[DST_MAX_BOOLEAN + 1];   /*%< boolean metadata */
	bool boolset[DST_MAX_BOOLEAN + 1]; /*%< data set? */

	dst_key_state_t keystates[DST_MAX_KEYSTATES + 1]; /*%< key states */
	bool keystateset[DST_MAX_KEYSTATES + 1];	  /*%< data set? */

	bool kasp;     /*%< key has kasp state */
	bool inactive; /*%< private key not present as it is
			* inactive */
	bool external; /*%< external key */
	bool modified; /*%< set to true if key file metadata has changed */

	int fmt_major; /*%< private key format, major version */
	int fmt_minor; /*%< private key format, minor version */

	dst_func_t *func;	     /*%< crypto package specific functions;
				      * selects the live 'keydata' member */
	isc_buffer_t *key_tkeytoken; /*%< TKEY token data */
};
162 
/*%
 * Signing/verification context.
 *
 * Set up through the owning key's func->createctx()/createctx2() and
 * torn down by func->destroyctx() (see struct dst_func).  'use' records
 * whether the context signs or verifies; 'ctxdata' holds the
 * crypto-library state for the operation in progress.  As with
 * dst_key.keydata, the union has no tag: the live member is implied by
 * the algorithm of 'key'.  'magic' must equal CTX_MAGIC for VALID_CTX().
 */
struct dst_context {
	unsigned int magic;	    /*%< CTX_MAGIC; tested by VALID_CTX() */
	dst_use_t use;		    /*%< DO_SIGN or DO_VERIFY */
	dst_key_t *key;		    /*%< key this context operates with */
	isc_mem_t *mctx;	    /*%< memory context */
	isc_logcategory_t *category; /*%< log category for diagnostics */
	union {
		void *generic;
		dst_gssapi_signverifyctx_t *gssctx;
		isc_hmac_t *hmac_ctx;
		EVP_MD_CTX *evp_md_ctx;
#if USE_PKCS11
		pk11_context_t *pk11_ctx;
#endif /* if USE_PKCS11 */
	} ctxdata; /*%< crypto-library state; see union note above */
};
179 
/*%
 * Per-algorithm function table.
 *
 * Every key points at one of these through dst_key.func; the generic
 * DST code dispatches through it so that the OpenSSL, PKCS#11, HMAC
 * and GSSAPI backends can coexist behind a single API.  Entries that
 * an algorithm does not support are presumably left NULL and checked
 * by the caller before use -- confirm against the dispatch code.
 * All isc_result_t-returning entries report failure through the
 * result code rather than by aborting.
 */
struct dst_func {
	/*
	 * Context functions
	 *
	 * createctx()/createctx2() initialise 'dctx' for 'key';
	 * createctx2() additionally receives 'maxbits' (its meaning is
	 * algorithm-specific -- likely a digest truncation length given
	 * dst_key.key_bits, but confirm).  destroyctx() releases whatever
	 * createctx*() allocated; adddata() feeds the bytes to be signed
	 * or verified.
	 */
	isc_result_t (*createctx)(dst_key_t *key, dst_context_t *dctx);
	isc_result_t (*createctx2)(dst_key_t *key, int maxbits,
				   dst_context_t *dctx);
	void (*destroyctx)(dst_context_t *dctx);
	isc_result_t (*adddata)(dst_context_t *dctx, const isc_region_t *data);

	/*
	 * Key operations
	 *
	 * sign() writes the signature over the data fed to 'dctx' into
	 * 'sig'; verify()/verify2() check an existing signature (verify2()
	 * with the same 'maxbits' notion as createctx2()).  computesecret()
	 * derives a shared secret from a public/private key pair.
	 * compare() tests two keys for equality, paramcompare() only
	 * their parameters.  generate() creates fresh key material with
	 * algorithm-specific 'parms'; isprivate() reports whether private
	 * material is present; destroy() frees the backend representation.
	 *
	 * NOTE(review): compare() may run over secret material (HMAC
	 * keys, private keys).  Whether implementations compare in
	 * constant time is backend-specific -- worth confirming for any
	 * path reachable with attacker-influenced timing.
	 */
	isc_result_t (*sign)(dst_context_t *dctx, isc_buffer_t *sig);
	isc_result_t (*verify)(dst_context_t *dctx, const isc_region_t *sig);
	isc_result_t (*verify2)(dst_context_t *dctx, int maxbits,
				const isc_region_t *sig);
	isc_result_t (*computesecret)(const dst_key_t *pub,
				      const dst_key_t *priv,
				      isc_buffer_t *secret);
	bool (*compare)(const dst_key_t *key1, const dst_key_t *key2);
	bool (*paramcompare)(const dst_key_t *key1, const dst_key_t *key2);
	isc_result_t (*generate)(dst_key_t *key, int parms,
				 void (*callback)(int));
	bool (*isprivate)(const dst_key_t *key);
	void (*destroy)(dst_key_t *key);

	/*
	 * conversion functions
	 *
	 * todns()/fromdns() convert between the backend representation
	 * and DNS wire format; fromdns() consumes untrusted input and
	 * must validate lengths itself.  tofile() writes the key (private
	 * material included, when present) under 'directory'; parse()
	 * reads a private key from 'lexer', using 'pub' as the matching
	 * public key.
	 */
	isc_result_t (*todns)(const dst_key_t *key, isc_buffer_t *data);
	isc_result_t (*fromdns)(dst_key_t *key, isc_buffer_t *data);
	isc_result_t (*tofile)(const dst_key_t *key, const char *directory);
	isc_result_t (*parse)(dst_key_t *key, isc_lex_t *lexer, dst_key_t *pub);

	/* cleanup: release backend-global state at shutdown */
	void (*cleanup)(void);

	/*
	 * fromlabel() loads a key held by an HSM identified by
	 * 'engine'/'label'.  NOTE(review): 'pin' is the HSM credential;
	 * implementations should not retain or log it beyond the login.
	 *
	 * dump()/restore() serialise the key to and from a string.
	 * dump() returns the string in '*buffer' with its length in
	 * '*length'; presumably allocated from 'mctx' and owned by the
	 * caller -- confirm against the implementations.
	 */
	isc_result_t (*fromlabel)(dst_key_t *key, const char *engine,
				  const char *label, const char *pin);
	isc_result_t (*dump)(dst_key_t *key, isc_mem_t *mctx, char **buffer,
			     int *length);
	isc_result_t (*restore)(dst_key_t *key, const char *keystr);
};
222 
/*%
 * Initializers
 *
 * dst__openssl_init() brings up the OpenSSL backend, optionally with
 * the named 'engine' (NULL meaning no engine -- TODO confirm).
 * dst__pkcs11_init is an alias for pk11_initialize.
 *
 * Each per-algorithm dst__*_init() takes 'funcp' as an out-parameter
 * for the dst_func table implementing that algorithm.  Which of them
 * exist depends on the USE_OPENSSL / USE_PKCS11 / GSSAPI build options,
 * so callers must be wrapped in the same preprocessor guards.
 */
isc_result_t
dst__openssl_init(const char *engine);
#define dst__pkcs11_init pk11_initialize

isc_result_t
dst__hmacmd5_init(struct dst_func **funcp);
isc_result_t
dst__hmacsha1_init(struct dst_func **funcp);
isc_result_t
dst__hmacsha224_init(struct dst_func **funcp);
isc_result_t
dst__hmacsha256_init(struct dst_func **funcp);
isc_result_t
dst__hmacsha384_init(struct dst_func **funcp);
isc_result_t
dst__hmacsha512_init(struct dst_func **funcp);
isc_result_t
dst__openssldh_init(struct dst_func **funcp);
#if USE_OPENSSL
/* 'algorithm' selects which RSA/hash DNSSEC algorithm the table serves. */
isc_result_t
dst__opensslrsa_init(struct dst_func **funcp, unsigned char algorithm);
isc_result_t
dst__opensslecdsa_init(struct dst_func **funcp);
#if HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448
isc_result_t
dst__openssleddsa_init(struct dst_func **funcp);
#endif /* HAVE_OPENSSL_ED25519 || HAVE_OPENSSL_ED448 */
#endif /* USE_OPENSSL */
#if USE_PKCS11
isc_result_t
dst__pkcs11rsa_init(struct dst_func **funcp);
isc_result_t
dst__pkcs11dsa_init(struct dst_func **funcp);
isc_result_t
dst__pkcs11ecdsa_init(struct dst_func **funcp);
isc_result_t
dst__pkcs11eddsa_init(struct dst_func **funcp);
#endif /* USE_PKCS11 */
#ifdef GSSAPI
isc_result_t
dst__gssapi_init(struct dst_func **funcp);
#endif /* GSSAPI */

/*%
 * Destructors
 *
 * Counterparts of the backend initializers above; dst__pkcs11_destroy
 * is an alias for pk11_finalize.
 */
void
dst__openssl_destroy(void);
#define dst__pkcs11_destroy pk11_finalize

/*%
 * Memory allocators using the DST memory pool.
 *
 * Same signatures as malloc()/free()/realloc(); memory obtained from
 * dst__mem_alloc()/dst__mem_realloc() must be returned with
 * dst__mem_free(), not the C library free().  NOTE(review): the
 * signatures match what a crypto library's memory hooks expect, which
 * is presumably why they exist -- confirm where they are registered.
 */
void *
dst__mem_alloc(size_t size);
void
dst__mem_free(void *ptr);
void *
dst__mem_realloc(void *ptr, size_t size);
285 
286 ISC_LANG_ENDDECLS
287 
288 /*! \file */
289