ims-volte-vowifi
/
strongswan
9
0
Fork 0
Code Pull Requests Releases Activity
strongswan/src/libstrongswan/plugins/agent/agent_private_key.c

578 lines
12 KiB
C
Raw Blame History

/*
* Copyright (C) 2013-2019 Tobias Brunner
* Copyright (C) 2008-2009 Martin Willi
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#include "agent_private_key.h"
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <arpa/inet.h>
#include <errno.h>
#include <library.h>
#include <utils/chunk.h>
#include <utils/debug.h>
#ifndef UNIX_PATH_MAX
#define UNIX_PATH_MAX 108
#endif /* UNIX_PATH_MAX */
typedef struct private_agent_private_key_t private_agent_private_key_t;
typedef enum agent_msg_type_t agent_msg_type_t;
/**
* Private data of a agent_private_key_t object.
*/
struct private_agent_private_key_t {
/**
* Public interface for this signer.
*/
agent_private_key_t public;
/**
* Path to the UNIX socket
*/
char *path;
/**
* public key encoded in SSH format
*/
chunk_t key;
/**
* public key
*/
public_key_t *pubkey;
/**
* keysize in bytes
*/
size_t key_size;
/**
* reference count
*/
refcount_t ref;
};
/**
* Message types for ssh-agent protocol
*/
enum agent_msg_type_t {
SSH_AGENT_FAILURE = 5,
SSH_AGENT_SUCCESS = 6,
SSH_AGENT_ID_REQUEST = 11,
SSH_AGENT_ID_RESPONSE = 12,
SSH_AGENT_SIGN_REQUEST = 13,
SSH_AGENT_SIGN_RESPONSE = 14,
};
/**
* Flags for signatures
*/
enum agent_signature_flags_t {
SSH_AGENT_FLAG_SHA2_256 = 2,
SSH_AGENT_FLAG_SHA2_512 = 4,
};
/**
* read a byte from a blob
*/
static u_char read_byte(chunk_t *blob)
{
u_char val;
if (blob->len < sizeof(u_char))
{
return 0;
}
val = *(blob->ptr);
*blob = chunk_skip(*blob, sizeof(u_char));
return val;
}
/**
* read a uint32_t from a blob
*/
static uint32_t read_uint32(chunk_t *blob)
{
uint32_t val;
if (blob->len < sizeof(uint32_t))
{
return 0;
}
val = ntohl(*(uint32_t*)blob->ptr);
*blob = chunk_skip(*blob, sizeof(uint32_t));
return val;
}
/**
* read a ssh-agent "string" length/value from a blob
*/
static chunk_t read_string(chunk_t *blob)
{
int len;
chunk_t str;
len = read_uint32(blob);
if (len > blob->len)
{
return chunk_empty;
}
str = chunk_create(blob->ptr, len);
*blob = chunk_skip(*blob, + len);
return str;
}
/**
* open socket connection to the ssh-agent
*/
static int open_connection(char *path)
{
struct sockaddr_un addr;
int s;
s = socket(AF_UNIX, SOCK_STREAM, 0);
if (s == -1)
{
DBG1(DBG_LIB, "opening ssh-agent socket %s failed: %s:", path,
strerror(errno));
return -1;
}
addr.sun_family = AF_UNIX;
addr.sun_path[UNIX_PATH_MAX - 1] = '\0';
strncpy(addr.sun_path, path, UNIX_PATH_MAX - 1);
if (connect(s, (struct sockaddr*)&addr, SUN_LEN(&addr)) != 0)
{
DBG1(DBG_LIB, "connecting to ssh-agent socket failed: %s",
strerror(errno));
close(s);
return -1;
}
return s;
}
/**
* Get the first usable key from the agent
*/
static bool read_key(private_agent_private_key_t *this, public_key_t *pubkey)
{
int socket, len;
char buf[2048];
chunk_t blob, key;
bool success = FALSE;
socket = open_connection(this->path);
if (socket < 0)
{
return FALSE;
}
len = htonl(1);
buf[0] = SSH_AGENT_ID_REQUEST;
if (write(socket, &len, sizeof(len)) != sizeof(len) ||
write(socket, &buf, 1) != 1)
{
DBG1(DBG_LIB, "writing to ssh-agent failed");
goto done;
}
blob = chunk_create(buf, sizeof(buf));
blob.len = read(socket, blob.ptr, blob.len);
if (blob.len < sizeof(uint32_t) + sizeof(u_char) ||
read_uint32(&blob) != blob.len ||
read_byte(&blob) != SSH_AGENT_ID_RESPONSE)
{
DBG1(DBG_LIB, "received invalid ssh-agent identity response");
goto done;
}
read_uint32(&blob);
while (blob.len)
{
key = read_string(&blob);
if (!key.len)
{
break;
}
this->pubkey = lib->creds->create(lib->creds, CRED_PUBLIC_KEY, KEY_ANY,
BUILD_BLOB_SSHKEY, key, BUILD_END);
if (!this->pubkey)
{
continue;
}
if (pubkey && !private_key_belongs_to(&this->public.key, pubkey))
{
this->pubkey->destroy(this->pubkey);
this->pubkey = NULL;
continue;
}
this->key = chunk_clone(key);
success = TRUE;
break;
}
done:
close(socket);
return success;
}
static bool scheme_supported(private_agent_private_key_t *this,
signature_scheme_t scheme, uint32_t *flags,
char **prefix)
{
switch (this->pubkey->get_type(this->pubkey))
{
case KEY_RSA:
switch (scheme)
{
case SIGN_RSA_EMSA_PKCS1_SHA1:
*prefix = "ssh-rsa";
return TRUE;
case SIGN_RSA_EMSA_PKCS1_SHA2_256:
*flags |= SSH_AGENT_FLAG_SHA2_256;
*prefix = "rsa-sha2-256";
return TRUE;
case SIGN_RSA_EMSA_PKCS1_SHA2_512:
*flags |= SSH_AGENT_FLAG_SHA2_512;
*prefix = "rsa-sha2-512";
return TRUE;
default:
break;
}
return FALSE;
case KEY_ED25519:
*prefix = "ssh-ed25519";
return scheme == SIGN_ED25519;
case KEY_ED448:
*prefix = "ssh-ed448";
return scheme == SIGN_ED448;
case KEY_ECDSA:
return scheme == SIGN_ECDSA_256 ||
scheme == SIGN_ECDSA_384 ||
scheme == SIGN_ECDSA_521;
default:
return FALSE;
}
}
METHOD(private_key_t, sign, bool,
private_agent_private_key_t *this, signature_scheme_t scheme, void *params,
chunk_t data, chunk_t *signature)
{
key_type_t type;
uint32_t len, flags = 0;
char buf[2048], *prefix = NULL;
chunk_t blob;
int socket;
bool success = FALSE;
if (!scheme_supported(this, scheme, &flags, &prefix))
{
DBG1(DBG_LIB, "signature scheme %N not supported by ssh-agent",
signature_scheme_names, scheme);
return FALSE;
}
socket = open_connection(this->path);
if (socket < 0)
{
return FALSE;
}
len = htonl(1 + sizeof(uint32_t) * 3 + this->key.len + data.len);
buf[0] = SSH_AGENT_SIGN_REQUEST;
if (write(socket, &len, sizeof(len)) != sizeof(len) ||
write(socket, &buf, 1) != 1)
{
DBG1(DBG_LIB, "writing to ssh-agent failed");
goto done;
}
len = htonl(this->key.len);
if (write(socket, &len, sizeof(len)) != sizeof(len) ||
write(socket, this->key.ptr, this->key.len) != this->key.len)
{
DBG1(DBG_LIB, "writing to ssh-agent failed");
goto done;
}
len = htonl(data.len);
if (write(socket, &len, sizeof(len)) != sizeof(len) ||
write(socket, data.ptr, data.len) != data.len)
{
DBG1(DBG_LIB, "writing to ssh-agent failed");
goto done;
}
flags = htonl(flags);
if (write(socket, &flags, sizeof(flags)) != sizeof(flags))
{
DBG1(DBG_LIB, "writing to ssh-agent failed");
goto done;
}
blob = chunk_create(buf, sizeof(buf));
blob.len = read(socket, blob.ptr, blob.len);
if (blob.len < sizeof(uint32_t) + sizeof(u_char) ||
read_uint32(&blob) != blob.len ||
read_byte(&blob) != SSH_AGENT_SIGN_RESPONSE)
{
DBG1(DBG_LIB, "received invalid ssh-agent signature response");
goto done;
}
/* parse length */
blob = read_string(&blob);
/* verify type */
if (prefix && !chunk_equals(read_string(&blob), chunk_from_str(prefix)))
{
DBG1(DBG_LIB, "ssh-agent didn't return requested %s signature", prefix);
goto done;
}
type = this->pubkey->get_type(this->pubkey);
if (type == KEY_RSA || type == KEY_ED25519 || type == KEY_ED448)
{ /* for RSA/EdDSA, the signature has no special encoding */
blob = read_string(&blob);
if (blob.len)
{
*signature = chunk_clone(blob);
success = TRUE;
}
}
else
{ /* parse ECDSA signatures */
blob = read_string(&blob);
if (blob.len)
{
chunk_t r, s;
r = read_string(&blob);
s = read_string(&blob);
if (r.len && s.len)
{
*signature = chunk_cat("cc", r, s);
success = TRUE;
}
}
}
if (!success)
{
DBG1(DBG_LIB, "received invalid ssh-agent signature response");
}
done:
close(socket);
return success;
}
METHOD(private_key_t, get_type, key_type_t,
private_agent_private_key_t *this)
{
return this->pubkey->get_type(this->pubkey);
}
METHOD(private_key_t, decrypt, bool,
private_agent_private_key_t *this, encryption_scheme_t scheme,
chunk_t crypto, chunk_t *plain)
{
DBG1(DBG_LIB, "private key decryption not supported by ssh-agent");
return FALSE;
}
METHOD(private_key_t, get_keysize, int,
private_agent_private_key_t *this)
{
return this->pubkey->get_keysize(this->pubkey);
}
/**
* Private data for RSA scheme enumerator
*/
typedef struct {
enumerator_t public;
int index;
bool reverse;
} scheme_enumerator_t;
static signature_params_t rsa_schemes[] = {
{ .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_256 },
{ .scheme = SIGN_RSA_EMSA_PKCS1_SHA2_512 },
};
METHOD(enumerator_t, enumerate_rsa_scheme, bool,
scheme_enumerator_t *this, va_list args)
{
signature_params_t **params;
VA_ARGS_VGET(args, params);
if ((this->reverse && --this->index >= 0) ||
(!this->reverse && ++this->index < countof(rsa_schemes)))
{
*params = &rsa_schemes[this->index];
return TRUE;
}
return FALSE;
}
/**
* Create an enumerator for the supported RSA signature schemes
*/
static enumerator_t *create_rsa_enumerator(private_agent_private_key_t *this)
{
scheme_enumerator_t *enumerator;
INIT(enumerator,
.public = {
.enumerate = enumerator_enumerate_default,
.venumerate = _enumerate_rsa_scheme,
.destroy = (void*)free,
},
.index = -1,
.reverse = FALSE,
);
/* propose SHA-512 first for larger keys */
if (get_keysize(this) > 3072)
{
enumerator->index = countof(rsa_schemes);
enumerator->reverse = TRUE;
}
return &enumerator->public;
}
METHOD(private_key_t, supported_signature_schemes, enumerator_t*,
private_agent_private_key_t *this)
{
key_type_t type = get_type(this);
switch (type)
{
case KEY_RSA:
return create_rsa_enumerator(this);
case KEY_ED25519:
case KEY_ED448:
case KEY_ECDSA:
return signature_schemes_for_key(type, get_keysize(this));
default:
break;
}
return enumerator_create_empty();
}
METHOD(private_key_t, get_public_key, public_key_t*,
private_agent_private_key_t *this)
{
return this->pubkey->get_ref(this->pubkey);
}
METHOD(private_key_t, get_encoding, bool,
private_agent_private_key_t *this, cred_encoding_type_t type,
chunk_t *encoding)
{
return FALSE;
}
METHOD(private_key_t, get_fingerprint, bool,
private_agent_private_key_t *this, cred_encoding_type_t type, chunk_t *fp)
{
return this->pubkey->get_fingerprint(this->pubkey, type, fp);
}
METHOD(private_key_t, get_ref, private_key_t*,
private_agent_private_key_t *this)
{
ref_get(&this->ref);
return &this->public.key;
}
METHOD(private_key_t, destroy, void,
private_agent_private_key_t *this)
{
if (ref_put(&this->ref))
{
chunk_free(&this->key);
DESTROY_IF(this->pubkey);
free(this->path);
free(this);
}
}
/**
* See header.
*/
agent_private_key_t *agent_private_key_open(key_type_t type, va_list args)
{
private_agent_private_key_t *this;
public_key_t *pubkey = NULL;
char *path = NULL;
while (TRUE)
{
switch (va_arg(args, builder_part_t))
{
case BUILD_AGENT_SOCKET:
path = va_arg(args, char*);
continue;
case BUILD_PUBLIC_KEY:
pubkey = va_arg(args, public_key_t*);
continue;
case BUILD_END:
break;
default:
return NULL;
}
break;
}
if (!path)
{
return NULL;
}
INIT(this,
.public = {
.key = {
.get_type = _get_type,
.supported_signature_schemes = _supported_signature_schemes,
.sign = _sign,
.decrypt = _decrypt,
.get_keysize = _get_keysize,
.get_public_key = _get_public_key,
.belongs_to = private_key_belongs_to,
.equals = private_key_equals,
.get_fingerprint = _get_fingerprint,
.has_fingerprint = private_key_has_fingerprint,
.get_encoding = _get_encoding,
.get_ref = _get_ref,
.destroy = _destroy,
},
},
.path = strdup(path),
.ref = 1,
);
if (!read_key(this, pubkey))
{
destroy(this);
return NULL;
}
return &this->public;
}
View Git Blame Copy Permalink