1 /* $NetBSD: sign.c,v 1.7 2018/02/06 21:36:46 christos Exp $ */ 2 3 /*- 4 * Copyright (c) 2008 The NetBSD Foundation, Inc. 5 * All rights reserved. 6 * 7 * This code is derived from software contributed to The NetBSD Foundation 8 * by Martin Sch�tte. 9 * 10 * Redistribution and use in source and binary forms, with or without 11 * modification, are permitted provided that the following conditions 12 * are met: 13 * 1. Redistributions of source code must retain the above copyright 14 * notice, this list of conditions and the following disclaimer. 15 * 2. Redistributions in binary form must reproduce the above copyright 16 * notice, this list of conditions and the following disclaimer in the 17 * documentation and/or other materials provided with the distribution. 18 * 3. All advertising materials mentioning features or use of this software 19 * must display the following acknowledgement: 20 * This product includes software developed by the NetBSD 21 * Foundation, Inc. and its contributors. 22 * 4. Neither the name of The NetBSD Foundation nor the names of its 23 * contributors may be used to endorse or promote products derived 24 * from this software without specific prior written permission. 25 * 26 * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS 27 * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED 28 * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 29 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS 30 * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR 31 * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF 32 * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS 33 * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN 34 * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 35 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 36 * POSSIBILITY OF SUCH DAMAGE. 37 */ 38 /* 39 * sign.c 40 * syslog-sign related code for syslogd 41 * 42 * Martin Sch�tte 43 */ 44 /* 45 * Issues with the current internet draft: 46 * 1. The draft is a bit unclear on the input format for the signature, 47 * so this might have to be changed later. Cf. sign_string_sign() 48 * 2. The draft only defines DSA signatures. I hope it will be extended 49 * to DSS, thus allowing DSA, RSA (ANSI X9.31) and ECDSA (ANSI X9.62) 50 * 3. The draft does not define the data format for public keys in CBs. 51 * This implementation sends public keys in DER encoding. 52 * 4. This current implementation uses high-level OpenSSL API. 53 * I am not sure if these completely implement the FIPS/ANSI standards. 54 * Update after WG discussion in August: 55 * 1. check; next draft will be clearer and specify the format as implemented. 56 * 2. check; definitely only DSA in this version. 57 * 3. remains a problem, so far no statement from authors or WG. 58 * 4. check; used EVP_sha1 method implements FIPS. 59 */ 60 /* 61 * Limitations of this implementation: 62 * - cannot use OpenPGP keys, only PKIX or DSA due to OpenSSL capabilities 63 * - only works for correctly formatted messages, because incorrect messages 64 * are reformatted (e.g. if it receives a message with two spaces between 65 * fields it might even be parsed, but the output will have only one space). 66 */ 67 68 #include <sys/cdefs.h> 69 __RCSID("$NetBSD: sign.c,v 1.7 2018/02/06 21:36:46 christos Exp $"); 70 71 #ifndef DISABLE_SIGN 72 #include "syslogd.h" 73 #ifndef DISABLE_TLS 74 #include "tls.h" 75 #endif /* !DISABLE_TLS */ 76 #include "sign.h" 77 #include "extern.h" 78 79 /* 80 * init all SGs for a given algorithm 81 */ 82 bool 83 sign_global_init(struct filed *Files) 84 { 85 DPRINTF((D_CALL|D_SIGN), "sign_global_init()\n"); 86 if (!(GlobalSign.sg == 0 || GlobalSign.sg == 1 87 || GlobalSign.sg == 2 || GlobalSign.sg == 3)) { 88 logerror("sign_init(): invalid SG %d", GlobalSign.sg); 89 return false; 90 } 91 92 if (!sign_get_keys()) 93 return false; 94 95 /* signature algorithm */ 96 /* can probably be merged with the hash algorithm/context but 97 * I leave the optimization for later until the RFC is ready */ 98 GlobalSign.sigctx = EVP_MD_CTX_create(); 99 EVP_MD_CTX_init(GlobalSign.sigctx); 100 101 /* the signature algorithm depends on the type of key */ 102 switch (EVP_PKEY_base_id(GlobalSign.pubkey)) { 103 case EVP_PKEY_DSA: 104 GlobalSign.sig = EVP_sha1(); 105 GlobalSign.sig_len_b64 = SIGN_B64SIGLEN_DSS; 106 break; 107 #ifdef notyet 108 /* this is the place to add non-DSA key types and algorithms */ 109 case EVP_PKEY_RSA: 110 GlobalSign.sig = EVP_sha1(); 111 GlobalSign.sig_len_b64 = 28; 112 break; 113 #endif 114 default: 115 logerror("key type not supported for syslog-sign"); 116 return false; 117 } 118 119 assert(GlobalSign.keytype == 'C' || GlobalSign.keytype == 'K'); 120 assert(GlobalSign.pubkey_b64 && GlobalSign.privkey && 121 GlobalSign.pubkey); 122 123 GlobalSign.gbc = 0; 124 STAILQ_INIT(&GlobalSign.SigGroups); 125 126 /* hash algorithm */ 127 OpenSSL_add_all_digests(); 128 GlobalSign.mdctx = EVP_MD_CTX_create(); 129 EVP_MD_CTX_init(GlobalSign.mdctx); 130 131 /* values for SHA-1 */ 132 GlobalSign.md = EVP_sha1(); 133 GlobalSign.md_len_b64 = 28; 134 GlobalSign.ver = "0111"; 135 136 if (!sign_sg_init(Files)) 137 return false; 138 sign_new_reboot_session(); 139 140 DPRINTF(D_SIGN, "length values: SIGN_MAX_SD_LENGTH %d, " 141 "SIGN_MAX_FRAG_LENGTH %d, SIGN_MAX_SB_LENGTH %d, " 142 "SIGN_MAX_HASH_NUM %d\n", SIGN_MAX_SD_LENGTH, 143 SIGN_MAX_FRAG_LENGTH, SIGN_MAX_SB_LENGTH, SIGN_MAX_HASH_NUM); 144 145 /* set just before return, so it indicates initialization */ 146 GlobalSign.rsid = now; 147 return true; 148 } 149 150 /* 151 * get keys for syslog-sign 152 * either from the X.509 certificate used for TLS 153 * or by generating a new one 154 * 155 * sets the global variables 156 * GlobalSign.keytype, GlobalSign.pubkey_b64, 157 * GlobalSign.privkey, and GlobalSign.pubkey 158 */ 159 bool 160 sign_get_keys(void) 161 { 162 EVP_PKEY *pubkey = NULL, *privkey = NULL; 163 unsigned char *der_pubkey = NULL, *ptr_der_pubkey = NULL; 164 char *pubkey_b64 = NULL; 165 int der_len; 166 167 /* try PKIX/TLS key first */ 168 #ifndef DISABLE_TLS 169 SSL *ssl; 170 if (tls_opt.global_TLS_CTX 171 && (ssl = SSL_new(tls_opt.global_TLS_CTX))) { 172 X509 *cert; 173 DPRINTF(D_SIGN, "Try to get keys from TLS X.509 cert...\n"); 174 175 if (!(cert = SSL_get_certificate(ssl))) { 176 logerror("SSL_get_certificate() failed"); 177 FREE_SSL(ssl); 178 return false; 179 } 180 if (!(privkey = SSL_get_privatekey(ssl))) { 181 logerror("SSL_get_privatekey() failed"); 182 FREE_SSL(ssl); 183 return false; 184 } 185 if (!(pubkey = X509_get_pubkey(cert))) { 186 logerror("X509_get_pubkey() failed"); 187 FREE_SSL(ssl); 188 return false; 189 } 190 /* note: 191 * - privkey is just a pointer into SSL_CTX and 192 * must not be changed nor be free()d 193 * - but pubkey has to be freed with EVP_PKEY_free() 194 */ 195 FREE_SSL(ssl); 196 197 if (EVP_PKEY_DSA != EVP_PKEY_base_id(pubkey)) { 198 DPRINTF(D_SIGN, "X.509 cert has no DSA key\n"); 199 EVP_PKEY_free(pubkey); 200 privkey = NULL; 201 pubkey = NULL; 202 } else { 203 DPRINTF(D_SIGN, "Got public and private key " 204 "from X.509 --> use type PKIX\n"); 205 GlobalSign.keytype = 'C'; 206 GlobalSign.privkey = privkey; 207 GlobalSign.pubkey = pubkey; 208 209 /* base64 certificate encoding */ 210 der_len = i2d_X509(cert, NULL); 211 if (!(ptr_der_pubkey = der_pubkey = malloc(der_len)) 212 || !(pubkey_b64 = malloc(der_len*2))) { 213 free(der_pubkey); 214 logerror("malloc() failed"); 215 return false; 216 } 217 if (i2d_X509(cert, &ptr_der_pubkey) <= 0) { 218 logerror("i2d_X509() failed"); 219 return false; 220 } 221 b64_ntop(der_pubkey, der_len, pubkey_b64, der_len*2); 222 free(der_pubkey); 223 /* try to resize memory object as needed */ 224 GlobalSign.pubkey_b64 = realloc(pubkey_b64, 225 strlen(pubkey_b64)+1); 226 if (!GlobalSign.pubkey_b64) 227 GlobalSign.pubkey_b64 = pubkey_b64; 228 } 229 } 230 #endif /* !DISABLE_TLS */ 231 if (!(privkey && pubkey)) { /* PKIX not available --> generate key */ 232 DSA *dsa; 233 234 DPRINTF(D_SIGN, "Unable to get keys from X.509 " 235 "--> use DSA with type 'K'\n"); 236 if (!(privkey = EVP_PKEY_new())) { 237 logerror("EVP_PKEY_new() failed"); 238 return false; 239 } 240 if ((dsa = DSA_new()) == NULL) { 241 logerror("DSA_new() failed"); 242 return false; 243 } 244 if (!DSA_generate_parameters_ex(dsa, SIGN_GENCERT_BITS, NULL, 0, 245 NULL, NULL, NULL)) { 246 logerror("DSA_generate_parameters_ex() failed"); 247 return false; 248 } 249 if (!DSA_generate_key(dsa)) { 250 logerror("DSA_generate_key() failed"); 251 return false; 252 } 253 if (!EVP_PKEY_assign_DSA(privkey, dsa)) { 254 logerror("EVP_PKEY_assign_DSA() failed"); 255 return false; 256 } 257 GlobalSign.keytype = 'K'; /* public/private keys used */ 258 GlobalSign.privkey = privkey; 259 GlobalSign.pubkey = privkey; 260 261 /* pubkey base64 encoding */ 262 der_len = i2d_DSA_PUBKEY(dsa, NULL); 263 if (!(ptr_der_pubkey = der_pubkey = malloc(der_len)) 264 || !(pubkey_b64 = malloc(der_len*2))) { 265 free(der_pubkey); 266 logerror("malloc() failed"); 267 return false; 268 } 269 if (i2d_DSA_PUBKEY(dsa, &ptr_der_pubkey) <= 0) { 270 logerror("i2d_DSA_PUBKEY() failed"); 271 free(der_pubkey); 272 free(pubkey_b64); 273 return false; 274 } 275 b64_ntop(der_pubkey, der_len, pubkey_b64, der_len*2); 276 free(der_pubkey); 277 /* try to resize memory object as needed */ 278 GlobalSign.pubkey_b64 = realloc(pubkey_b64, 279 strlen(pubkey_b64) + 1); 280 if (!GlobalSign.pubkey_b64) 281 GlobalSign.pubkey_b64 = pubkey_b64; 282 } 283 return true; 284 } 285 286 /* 287 * init SGs 288 */ 289 bool 290 sign_sg_init(struct filed *Files) 291 { 292 struct signature_group_t *sg, *newsg, *last_sg; 293 struct filed_queue *fq; 294 struct string_queue *sqentry, *last_sqentry; 295 struct filed *f; 296 unsigned int i; 297 298 /* note on SG 1 and 2: 299 * it is assumed that redundant signature groups 300 * and especially signature groups without an associated 301 * destination are harmless. 302 * this currently holds true because sign_append_hash() 303 * is called from fprintlog(), so only actually used 304 * signature group get hashes and need memory for them 305 */ 306 /* possible optimization for SGs 1 and 2: 307 * use a struct signature_group_t *newsg[IETF_NUM_PRIVALUES] 308 * for direct group lookup 309 */ 310 311 #define ALLOC_OR_FALSE(x) do { \ 312 if(!((x) = calloc(1, sizeof(*(x))))) { \ 313 logerror("Unable to allocate memory"); \ 314 return false; \ 315 } \ 316 } while (/*CONSTCOND*/0) 317 318 #define ALLOC_SG(x) do { \ 319 ALLOC_OR_FALSE(x); \ 320 (x)->last_msg_num = 1; /* cf. section 4.2.5 */ \ 321 STAILQ_INIT(&(x)->hashes); \ 322 STAILQ_INIT(&(x)->files); \ 323 } while (/*CONSTCOND*/0) 324 325 /* alloc(fq) and add to SGs file queue */ 326 #define ASSIGN_FQ() do { \ 327 ALLOC_OR_FALSE(fq); \ 328 fq->f = f; \ 329 f->f_sg = newsg; \ 330 DPRINTF(D_SIGN, "SG@%p <--> f@%p\n", newsg, f); \ 331 STAILQ_INSERT_TAIL(&newsg->files, fq, entries); \ 332 } while (/*CONSTCOND*/0) 333 334 switch (GlobalSign.sg) { 335 case 0: 336 /* one SG, linked to all files */ 337 ALLOC_SG(newsg); 338 newsg->spri = 0; 339 for (f = Files; f; f = f->f_next) 340 ASSIGN_FQ(); 341 STAILQ_INSERT_TAIL(&GlobalSign.SigGroups, 342 newsg, entries); 343 break; 344 case 1: 345 /* every PRI gets one SG */ 346 for (i = 0; i < IETF_NUM_PRIVALUES; i++) { 347 int fac, prilev; 348 fac = LOG_FAC(i); 349 prilev = LOG_PRI(i); 350 ALLOC_SG(newsg); 351 newsg->spri = i; 352 353 /* now find all destinations associated with this SG */ 354 for (f = Files; f; f = f->f_next) 355 /* check priorities */ 356 if (MATCH_PRI(f, fac, prilev)) 357 ASSIGN_FQ(); 358 STAILQ_INSERT_TAIL(&GlobalSign.SigGroups, 359 newsg, entries); 360 } 361 break; 362 case 2: 363 /* PRI ranges get one SG, boundaries given by the 364 * SPRI, indicating the largest PRI in the SG 365 * 366 * either GlobalSign.sig2_delims has a list of 367 * user configured delimiters, or we use a default 368 * and set up one SG per facility 369 */ 370 if (STAILQ_EMPTY(&GlobalSign.sig2_delims)) { 371 DPRINTF(D_SIGN, "sign_sg_init(): set default " 372 "values for SG 2\n"); 373 for (i = 0; i < (IETF_NUM_PRIVALUES>>3); i++) { 374 ALLOC_OR_FALSE(sqentry); 375 sqentry->data = NULL; 376 sqentry->key = (i<<3); 377 STAILQ_INSERT_TAIL(&GlobalSign.sig2_delims, 378 sqentry, entries); 379 } 380 } 381 assert(!STAILQ_EMPTY(&GlobalSign.sig2_delims)); 382 383 /* add one more group at the end */ 384 last_sqentry = STAILQ_LAST(&GlobalSign.sig2_delims, 385 string_queue, entries); 386 if (last_sqentry->key < IETF_NUM_PRIVALUES) { 387 ALLOC_OR_FALSE(sqentry); 388 sqentry->data = NULL; 389 sqentry->key = IETF_NUM_PRIVALUES-1; 390 STAILQ_INSERT_TAIL(&GlobalSign.sig2_delims, 391 sqentry, entries); 392 } 393 394 STAILQ_FOREACH(sqentry, &GlobalSign.sig2_delims, entries) { 395 unsigned int min_pri = 0; 396 ALLOC_SG(newsg); 397 newsg->spri = sqentry->key; 398 399 /* check _all_ priorities in SG */ 400 last_sg = STAILQ_LAST(&GlobalSign.SigGroups, 401 signature_group_t, entries); 402 if (last_sg) 403 min_pri = last_sg->spri + 1; 404 405 DPRINTF(D_SIGN, "sign_sg_init(): add SG@%p: SG=\"2\"," 406 " SPRI=\"%d\" -- for msgs with " 407 "%d <= pri <= %d\n", 408 newsg, newsg->spri, min_pri, newsg->spri); 409 /* now find all destinations associated with this SG */ 410 for (f = Files; f; f = f->f_next) { 411 bool match = false; 412 for (i = min_pri; i <= newsg->spri; i++) { 413 int fac, prilev; 414 fac = LOG_FAC(i); 415 prilev = LOG_PRI(i); 416 if (MATCH_PRI(f, fac, prilev)) { 417 match = true; 418 break; 419 } 420 } 421 if (match) 422 ASSIGN_FQ(); 423 } 424 STAILQ_INSERT_TAIL(&GlobalSign.SigGroups, 425 newsg, entries); 426 } 427 break; 428 case 3: 429 /* every file (with flag) gets one SG */ 430 for (f = Files; f; f = f->f_next) { 431 if (!(f->f_flags & FFLAG_SIGN)) { 432 f->f_sg = NULL; 433 continue; 434 } 435 ALLOC_SG(newsg); 436 newsg->spri = f->f_file; /* not needed but shows SGs */ 437 ASSIGN_FQ(); 438 STAILQ_INSERT_TAIL(&GlobalSign.SigGroups, 439 newsg, entries); 440 } 441 break; 442 } 443 DPRINTF((D_PARSE|D_SIGN), "sign_sg_init() set up these " 444 "Signature Groups:\n"); 445 STAILQ_FOREACH(sg, &GlobalSign.SigGroups, entries) { 446 DPRINTF((D_PARSE|D_SIGN), "SG@%p with SG=\"%d\", SPRI=\"%d\"," 447 " associated files:\n", sg, GlobalSign.sg, sg->spri); 448 STAILQ_FOREACH(fq, &sg->files, entries) { 449 DPRINTF((D_PARSE|D_SIGN), " f@%p with type %d\n", 450 fq->f, fq->f->f_type); 451 } 452 } 453 return true; 454 } 455 456 /* 457 * free all SGs for a given algorithm 458 */ 459 void 460 sign_global_free(void) 461 { 462 struct signature_group_t *sg, *tmp_sg; 463 struct filed_queue *fq, *tmp_fq; 464 465 DPRINTF((D_CALL|D_SIGN), "sign_global_free()\n"); 466 STAILQ_FOREACH_SAFE(sg, &GlobalSign.SigGroups, entries, tmp_sg) { 467 if (!STAILQ_EMPTY(&sg->hashes)) { 468 /* send CB and SB twice to get minimal redundancy 469 * for the last few message hashes */ 470 sign_send_certificate_block(sg); 471 sign_send_certificate_block(sg); 472 sign_send_signature_block(sg, true); 473 sign_send_signature_block(sg, true); 474 sign_free_hashes(sg); 475 } 476 fq = STAILQ_FIRST(&sg->files); 477 while (fq != NULL) { 478 tmp_fq = STAILQ_NEXT(fq, entries); 479 free(fq); 480 fq = tmp_fq; 481 } 482 STAILQ_REMOVE(&GlobalSign.SigGroups, 483 sg, signature_group_t, entries); 484 free(sg); 485 } 486 sign_free_string_queue(&GlobalSign.sig2_delims); 487 488 if (GlobalSign.privkey) { 489 GlobalSign.privkey = NULL; 490 } 491 if (GlobalSign.pubkey) { 492 EVP_PKEY_free(GlobalSign.pubkey); 493 GlobalSign.pubkey = NULL; 494 } 495 if(GlobalSign.mdctx) { 496 EVP_MD_CTX_destroy(GlobalSign.mdctx); 497 GlobalSign.mdctx = NULL; 498 } 499 if(GlobalSign.sigctx) { 500 EVP_MD_CTX_destroy(GlobalSign.sigctx); 501 GlobalSign.sigctx = NULL; 502 } 503 FREEPTR(GlobalSign.pubkey_b64); 504 } 505 506 /* 507 * create and send certificate block 508 */ 509 bool 510 sign_send_certificate_block(struct signature_group_t *sg) 511 { 512 struct filed_queue *fq; 513 struct buf_msg *buffer; 514 char *tstamp; 515 char payload[SIGN_MAX_PAYLOAD_LENGTH]; 516 char sd[SIGN_MAX_SD_LENGTH]; 517 size_t payload_len, sd_len, fragment_len; 518 size_t payload_index = 0; 519 520 /* do nothing if CBs already sent or if there was no message in SG */ 521 if (!sg->resendcount 522 || ((sg->resendcount == SIGN_RESENDCOUNT_CERTBLOCK) 523 && STAILQ_EMPTY(&sg->hashes))) 524 return false; 525 526 DPRINTF((D_CALL|D_SIGN), "sign_send_certificate_block(%p)\n", sg); 527 tstamp = make_timestamp(NULL, true, (size_t)-1); 528 529 payload_len = snprintf(payload, sizeof(payload), "%s %c %s", tstamp, 530 GlobalSign.keytype, GlobalSign.pubkey_b64); 531 if (payload_len >= sizeof(payload)) { 532 DPRINTF(D_SIGN, "Buffer too small for syslog-sign setup\n"); 533 return false; 534 } 535 536 while (payload_index < payload_len) { 537 if (payload_len - payload_index <= SIGN_MAX_FRAG_LENGTH) 538 fragment_len = payload_len - payload_index; 539 else 540 fragment_len = SIGN_MAX_FRAG_LENGTH; 541 542 /* format SD */ 543 sd_len = snprintf(sd, sizeof(sd), "[ssign-cert " 544 "VER=\"%s\" RSID=\"%" PRIuFAST64 "\" SG=\"%d\" " 545 "SPRI=\"%d\" TBPL=\"%zu\" INDEX=\"%zu\" " 546 "FLEN=\"%zu\" FRAG=\"%.*s\" " 547 "SIGN=\"\"]", 548 GlobalSign.ver, GlobalSign.rsid, GlobalSign.sg, 549 sg->spri, payload_len, payload_index+1, 550 fragment_len, (int)fragment_len, 551 &payload[payload_index]); 552 assert(sd_len < sizeof(sd)); 553 assert(sd[sd_len] == '\0'); 554 assert(sd[sd_len-1] == ']'); 555 assert(sd[sd_len-2] == '"'); 556 557 if (!sign_msg_sign(&buffer, sd, sizeof(sd))) 558 return 0; 559 DPRINTF((D_CALL|D_SIGN), "sign_send_certificate_block(): " 560 "calling fprintlog()\n"); 561 562 STAILQ_FOREACH(fq, &sg->files, entries) { 563 /* we have to preserve the f_prevcount */ 564 int tmpcnt; 565 tmpcnt = fq->f->f_prevcount; 566 fprintlog(fq->f, buffer, NULL); 567 fq->f->f_prevcount = tmpcnt; 568 } 569 sign_inc_gbc(); 570 DELREF(buffer); 571 payload_index += fragment_len; 572 } 573 sg->resendcount--; 574 return true; 575 } 576 577 /* 578 * determine the SG for a message 579 * returns NULL if -sign not configured or no SG for this priority 580 */ 581 struct signature_group_t * 582 sign_get_sg(int pri, struct filed *f) 583 { 584 struct signature_group_t *sg, *rc = NULL; 585 586 if (GlobalSign.rsid && f) 587 switch (GlobalSign.sg) { 588 case 0: 589 rc = f->f_sg; 590 break; 591 case 1: 592 case 2: 593 STAILQ_FOREACH(sg, &GlobalSign.SigGroups, entries) { 594 if (sg->spri >= (unsigned int)pri) { 595 rc = sg; 596 break; 597 } 598 } 599 break; 600 case 3: 601 if (f->f_flags & FFLAG_SIGN) 602 rc = f->f_sg; 603 else 604 rc = NULL; 605 break; 606 } 607 608 DPRINTF((D_CALL|D_SIGN), "sign_get_sg(%d, %p) --> %p\n", pri, f, rc); 609 return rc; 610 } 611 612 /* 613 * create and send signature block 614 * 615 * uses a sliding window for redundancy 616 * if force==true then simply send all available hashes, e.g. on shutdown 617 * 618 * sliding window checks implicitly assume that new hashes are appended 619 * to the SG between two calls. if that is not the case (e.g. with repeated 620 * messages) the queue size will shrink. 621 * this has no negative consequences except generating more and shorter SBs 622 * than expected and confusing the operator because two consecutive SBs will 623 * have same FMNn 624 */ 625 unsigned 626 sign_send_signature_block(struct signature_group_t *sg, bool force) 627 { 628 char sd[SIGN_MAX_SD_LENGTH]; 629 size_t sd_len; 630 size_t sg_num_hashes = 0; /* hashes in SG queue */ 631 size_t hashes_in_sb = 0; /* number of hashes in current SB */ 632 size_t hashes_sent = 0; /* count of hashes sent */ 633 struct string_queue *qentry, *old_qentry; 634 struct buf_msg *buffer; 635 struct filed_queue *fq; 636 size_t i; 637 638 if (!sg) return 0; 639 DPRINTF((D_CALL|D_SIGN), "sign_send_signature_block(%p, %d)\n", 640 sg, force); 641 642 STAILQ_FOREACH(qentry, &sg->hashes, entries) 643 sg_num_hashes++; 644 645 /* only act if a division is full */ 646 if (!sg_num_hashes 647 || (!force && (sg_num_hashes % SIGN_HASH_DIVISION_NUM))) 648 return 0; 649 650 /* if no CB sent so far then do now, just before first SB */ 651 if (sg->resendcount == SIGN_RESENDCOUNT_CERTBLOCK) 652 sign_send_certificate_block(sg); 653 654 /* shortly after reboot we have shorter SBs */ 655 hashes_in_sb = MIN(sg_num_hashes, SIGN_HASH_NUM); 656 657 DPRINTF(D_SIGN, "sign_send_signature_block(): " 658 "sg_num_hashes = %zu, hashes_in_sb = %zu, SIGN_HASH_NUM = %d\n", 659 sg_num_hashes, hashes_in_sb, SIGN_HASH_NUM); 660 if (sg_num_hashes > SIGN_HASH_NUM) { 661 DPRINTF(D_SIGN, "sign_send_signature_block(): sg_num_hashes" 662 " > SIGN_HASH_NUM -- This should not happen!\n"); 663 } 664 665 /* now the SD */ 666 qentry = STAILQ_FIRST(&sg->hashes); 667 sd_len = snprintf(sd, sizeof(sd), "[ssign " 668 "VER=\"%s\" RSID=\"%" PRIuFAST64 "\" SG=\"%d\" " 669 "SPRI=\"%d\" GBC=\"%" PRIuFAST64 "\" FMN=\"%" PRIuFAST64 "\" " 670 "CNT=\"%zu\" HB=\"", 671 GlobalSign.ver, GlobalSign.rsid, GlobalSign.sg, 672 sg->spri, GlobalSign.gbc, qentry->key, 673 hashes_in_sb); 674 while (hashes_sent < hashes_in_sb) { 675 assert(qentry); 676 sd_len += snprintf(sd+sd_len, sizeof(sd)-sd_len, "%s ", 677 qentry->data); 678 hashes_sent++; 679 qentry = STAILQ_NEXT(qentry, entries); 680 } 681 /* overwrite last space and close SD */ 682 assert(sd_len < sizeof(sd)); 683 assert(sd[sd_len] == '\0'); 684 assert(sd[sd_len-1] == ' '); 685 sd[sd_len-1] = '\0'; 686 sd_len = strlcat(sd, "\" SIGN=\"\"]", sizeof(sd)); 687 688 if (sign_msg_sign(&buffer, sd, sizeof(sd))) { 689 DPRINTF((D_CALL|D_SIGN), "sign_send_signature_block(): calling" 690 " fprintlog(), sending %zu out of %zu hashes\n", 691 MIN(SIGN_MAX_HASH_NUM, sg_num_hashes), sg_num_hashes); 692 693 STAILQ_FOREACH(fq, &sg->files, entries) { 694 int tmpcnt; 695 tmpcnt = fq->f->f_prevcount; 696 fprintlog(fq->f, buffer, NULL); 697 fq->f->f_prevcount = tmpcnt; 698 } 699 sign_inc_gbc(); 700 DELREF(buffer); 701 } 702 /* always drop the oldest division of hashes */ 703 if (sg_num_hashes >= SIGN_HASH_NUM) { 704 qentry = STAILQ_FIRST(&sg->hashes); 705 for (i = 0; i < SIGN_HASH_DIVISION_NUM; i++) { 706 old_qentry = qentry; 707 qentry = STAILQ_NEXT(old_qentry, entries); 708 STAILQ_REMOVE(&sg->hashes, old_qentry, 709 string_queue, entries); 710 FREEPTR(old_qentry->data); 711 FREEPTR(old_qentry); 712 } 713 } 714 return hashes_sent; 715 } 716 717 void 718 sign_free_hashes(struct signature_group_t *sg) 719 { 720 DPRINTF((D_CALL|D_SIGN), "sign_free_hashes(%p)\n", sg); 721 sign_free_string_queue(&sg->hashes); 722 } 723 724 void 725 sign_free_string_queue(struct string_queue_head *sqhead) 726 { 727 struct string_queue *qentry, *tmp_qentry; 728 729 DPRINTF((D_CALL|D_SIGN), "sign_free_string_queue(%p)\n", sqhead); 730 STAILQ_FOREACH_SAFE(qentry, sqhead, entries, tmp_qentry) { 731 STAILQ_REMOVE(sqhead, qentry, string_queue, entries); 732 FREEPTR(qentry->data); 733 free(qentry); 734 } 735 assert(STAILQ_EMPTY(sqhead)); 736 } 737 738 /* 739 * hash one syslog message 740 */ 741 bool 742 sign_msg_hash(char *line, char **hash) 743 { 744 unsigned char md_value[EVP_MAX_MD_SIZE]; 745 unsigned char md_b64[EVP_MAX_MD_SIZE*2]; 746 /* TODO: exact expression for b64 length? */ 747 unsigned md_len = 0; 748 749 DPRINTF((D_CALL|D_SIGN), "sign_msg_hash('%s')\n", line); 750 751 SSL_CHECK_ONE(EVP_DigestInit_ex(GlobalSign.mdctx, GlobalSign.md, NULL)); 752 SSL_CHECK_ONE(EVP_DigestUpdate(GlobalSign.mdctx, line, strlen(line))); 753 SSL_CHECK_ONE(EVP_DigestFinal_ex(GlobalSign.mdctx, md_value, &md_len)); 754 755 b64_ntop(md_value, md_len, (char *)md_b64, EVP_MAX_MD_SIZE*2); 756 *hash = strdup((char *)md_b64); 757 758 DPRINTF((D_CALL|D_SIGN), "sign_msg_hash() --> \"%s\"\n", *hash); 759 return true; 760 } 761 762 /* 763 * append hash to SG queue 764 */ 765 bool 766 sign_append_hash(char *hash, struct signature_group_t *sg) 767 { 768 struct string_queue *qentry; 769 770 /* if one SG is shared by several destinations 771 * prevent duplicate entries */ 772 if ((qentry = STAILQ_LAST(&sg->hashes, string_queue, entries)) 773 && !strcmp(qentry->data, hash)) { 774 DPRINTF((D_CALL|D_SIGN), "sign_append_hash('%s', %p): " 775 "hash already in queue\n", hash, sg); 776 return false; 777 } 778 779 MALLOC(qentry, sizeof(*qentry)); 780 qentry->key = sign_assign_msg_num(sg); 781 qentry->data = hash; 782 STAILQ_INSERT_TAIL(&sg->hashes, qentry, entries); 783 DPRINTF((D_CALL|D_SIGN), "sign_append_hash('%s', %p): " 784 "#%" PRIdFAST64 "\n", hash, sg, qentry->key); 785 return true; 786 } 787 788 /* 789 * sign one syslog-sign message 790 * 791 * requires a ssign or ssigt-cert SD element 792 * ending with ' SIGN=""]' in sd 793 * linesize is available memory (= sizeof(sd)) 794 * 795 * function will calculate signature and return a new buffer 796 */ 797 bool 798 sign_msg_sign(struct buf_msg **bufferptr, char *sd, size_t linesize) 799 { 800 char *signature, *line; 801 size_t linelen, tlsprefixlen, endptr, newlinelen; 802 struct buf_msg *buffer; 803 804 DPRINTF((D_CALL|D_SIGN), "sign_msg_sign()\n"); 805 endptr = strlen(sd); 806 807 assert(endptr < linesize); 808 assert(sd[endptr] == '\0'); 809 assert(sd[endptr-1] == ']'); 810 assert(sd[endptr-2] == '"'); 811 812 /* set up buffer */ 813 buffer = buf_msg_new(0); 814 buffer->timestamp = make_timestamp(NULL, !BSDOutputFormat, 0); 815 buffer->prog = appname; 816 buffer->pid = include_pid; 817 buffer->recvhost = buffer->host = LocalFQDN; 818 buffer->pri = 110; 819 buffer->flags = IGN_CONS|SIGN_MSG; 820 buffer->sd = sd; 821 822 /* SD ready, now format and sign */ 823 if (!format_buffer(buffer, &line, &linelen, NULL, 824 &tlsprefixlen, NULL)) { 825 DPRINTF((D_CALL|D_SIGN), "sign_send_signature_block():" 826 " format_buffer() failed\n"); 827 buffer->sd = NULL; 828 DELREF(buffer); 829 return false; 830 } 831 if (!sign_string_sign(line+tlsprefixlen, &signature)) { 832 DPRINTF((D_CALL|D_SIGN), "sign_send_signature_block():" 833 " sign_string_sign() failed\n"); 834 buffer->sd = NULL; 835 DELREF(buffer); 836 FREEPTR(line); 837 return false; 838 } 839 FREEPTR(line); 840 sd[endptr-2] = '\0'; 841 newlinelen = strlcat(sd, signature, linesize); 842 newlinelen = strlcat(sd, "\"]", linesize); 843 844 if (newlinelen >= linesize) { 845 DPRINTF(D_SIGN, "sign_send_signature_block(): " 846 "buffer too small\n"); 847 buffer->sd = NULL; 848 DELREF(buffer); 849 return false; 850 } 851 assert(newlinelen < linesize); 852 assert(sd[newlinelen] == '\0'); 853 assert(sd[newlinelen-1] == ']'); 854 assert(sd[newlinelen-2] == '"'); 855 856 buffer->sd = strdup(sd); 857 *bufferptr = buffer; 858 return true; 859 } 860 861 /* 862 * sign one string 863 */ 864 bool 865 sign_string_sign(char *line, char **signature) 866 { 867 char buf[SIGN_MAX_LENGTH+1]; 868 unsigned char sig_value[SIGN_B64SIGLEN_DSS]; 869 unsigned char sig_b64[SIGN_B64SIGLEN_DSS]; 870 unsigned sig_len = 0; 871 char *p, *q; 872 /* 873 * The signature is calculated over the completely formatted 874 * syslog-message, including all of the PRI, HEADER, and hashes 875 * in the hash block, excluding spaces between fields, and also 876 * excluding the signature field (SD Parameter Name "SIGN", "=", 877 * and corresponding value). 878 * 879 * -- I am not quite sure which spaces are to be removed. 880 * Only the ones inside the "ssign" element or those between 881 * header fields as well? 882 */ 883 /* removes the string ' SIGN=""' */ 884 for (p = line, q = buf; 885 *p && (q - buf <= SIGN_MAX_LENGTH);) { 886 if (strncmp(p, " SIGN=\"\"", 8) == 0) 887 p += 8; 888 *q++ = *p++; 889 } 890 *q = '\0'; 891 892 SSL_CHECK_ONE(EVP_SignInit(GlobalSign.sigctx, GlobalSign.sig)); 893 SSL_CHECK_ONE(EVP_SignUpdate(GlobalSign.sigctx, buf, q-buf)); 894 assert(GlobalSign.privkey); 895 SSL_CHECK_ONE(EVP_SignFinal(GlobalSign.sigctx, sig_value, &sig_len, 896 GlobalSign.privkey)); 897 898 b64_ntop(sig_value, sig_len, (char *)sig_b64, sizeof(sig_b64)); 899 *signature = strdup((char *)sig_b64); 900 901 DPRINTF((D_CALL|D_SIGN), "sign_string_sign('%s') --> '%s'\n", 902 buf, *signature); 903 return *signature != NULL; 904 } 905 906 void 907 sign_new_reboot_session(void) 908 { 909 struct signature_group_t *sg; 910 911 DPRINTF((D_CALL|D_SIGN), "sign_new_reboot_session()\n"); 912 913 /* global counters */ 914 GlobalSign.gbc = 0; 915 /* might be useful for later analysis: 916 * rebooted session IDs are sequential, 917 * normal IDs are almost always not */ 918 GlobalSign.rsid++; 919 920 assert(GlobalSign.sg <= 3); 921 /* reset SGs */ 922 STAILQ_FOREACH(sg, &GlobalSign.SigGroups, entries) { 923 sg->resendcount = SIGN_RESENDCOUNT_CERTBLOCK; 924 sg->last_msg_num = 1; 925 } 926 } 927 928 /* get msg_num, increment counter, check overflow */ 929 uint_fast64_t 930 sign_assign_msg_num(struct signature_group_t *sg) 931 { 932 uint_fast64_t old; 933 934 old = sg->last_msg_num++; 935 if (sg->last_msg_num > SIGN_MAX_COUNT) 936 sign_new_reboot_session(); 937 return old; 938 } 939 940 941 /* increment gbc, check overflow */ 942 void 943 sign_inc_gbc(void) 944 { 945 if (++GlobalSign.gbc > SIGN_MAX_COUNT) 946 sign_new_reboot_session(); 947 } 948 #endif /* !DISABLE_SIGN */ 949