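/* security.c - Check security parameters */

#ifndef lint
static char *rcsid = "$Header: /f/osi/quipu/RCS/security.c,v 7.1 89/12/19 16:20:47 mrose Exp $";
#endif

/*
 * $Header: /f/osi/quipu/RCS/security.c,v 7.1 89/12/19 16:20:47 mrose Exp $
 *
 *
 * $Log: security.c,v $
 * Revision 7.1 89/12/19 16:20:47 mrose
 * sync
 *
 * Revision 6.0 89/09/08 10:20:02 mrose
 * *** empty log message ***
 *
 */

/*
 * NOTICE
 *
 * Acquisition, use, and distribution of this module and related
 * materials are subject to the restrictions of a license agreement.
 * Consult the Preface in the User's Manual for the full terms of
 * this agreement.
 *
 */


#include "logger.h"
#include "quipu/ds_error.h"
#include "quipu/commonarg.h"

extern int encode_AF_CertificateToSign();
extern int dn_print();
extern LLog *log_dsap;
#ifndef NO_STATS
extern LLog *log_stat;
#endif

#define adios(a, b) fatal(-1, b)

unsigned *compute_signature();
struct MD4Hash *pe2hash();
struct signature *sign_operation_aux();
struct signature *sign_operation();

/*
 * Cache holding keys of trusted certification authorities
 */

struct ca_record *ca_key_cache = (struct ca_record *) 0;

/*
 * Cache holding keys of users (untrusted)
 */

struct ca_record *user_key_cache = (struct ca_record *) 0;

/*
 * Own certificate. (For convenient access).
 */

struct certificate *my_certificate = (struct certificate *) 0;

/*
 * RSA secret key.
 *
 * Nothing in this file assigns either pointer (set_secret_key() below is a
 * stub), so both keep their zero initial value here.
 */

static struct RSASecretKey *my_secret_key;
static struct RSAParameters *my_key_parms;

struct ca_record *find_user_keyinfo();
struct ca_record *find_ca_keyinfo();

/*
 * Check security parameters - return 0 or the number of the security error.
 *
 * data, fnx, nameptr: not used by this implementation.
 * sp:  security parameters of the operation, may be null.
 * sig: signature of the operation, may be null.
 *
 * Returns 0 when no signature is supplied.  A signed operation yields
 * DSE_SC_INVALIDCREDENTIALS when the parameters, the time-stamp or the
 * certification path are missing, and DSE_SC_AUTHENTICATION otherwise.
 *
 * As written, no signature or certification path is verified here: every
 * signed operation is refused, and the age of the time-stamp is only
 * logged, never compared with an acceptance window.
 */

/* ARGSUSED */
int check_security_parms(data, fnx, sp, sig, nameptr)
caddr_t data;
IFP fnx;
struct security_parms *sp;
struct signature *sig;
DN *nameptr;
{
    extern long time();
    long time_now;
    long time_then;
    long delta;

    /* If parameters are present, they must be valid */

    if (sp != (struct security_parms *) 0)
    {
        if (sp->sp_time != NULLCP)
        {
            (void) time(&time_now);
            /*
             * NOTE(review): sp_time presumably comes from the peer, and each
             * intermediate result is handed on unchecked.  If str2utct() can
             * return a null pointer for a malformed time string, this chain
             * would pass it on - confirm and guard.
             */
            time_then = gtime(ut2tm(str2utct(sp->sp_time, strlen(sp->sp_time))));
            delta = time_now - time_then;
        }
        else
            delta = 0L;

#ifndef NO_STATS
        DLOG(log_stat, LLOG_NOTICE,
            ("Delay=%D s, protection%s requested, certificate%s present",
            delta,
            (sp->sp_target == '\0') ? " not" : "",
            (sp->sp_path == (struct certificate_list *) 0) ? " not" : ""
            ));
        /* NB : must use "" rather than NULLCP for the above to work. */
#endif
    }

    /* If no signature is provided, nothing else to do */

    if (sig == (struct signature *) 0)
        return (0);

#ifndef NO_STATS
    DLOG(log_stat, LLOG_NOTICE, ("Operation is signed"));
#endif

    /* Policy : signed messages must have security parameters present. */
    if (sp == (struct security_parms *) 0)
        return (DSE_SC_INVALIDCREDENTIALS);

    /* Policy: signed messages must have a time-stamp. */
    if (sp->sp_time == NULLCP)
        return (DSE_SC_INVALIDCREDENTIALS);

    /* Policy: a certification path must be provided. */
    if (sp->sp_path == (struct certificate_list *) 0)
        return (DSE_SC_INVALIDCREDENTIALS);

    /* Fail closed: signature verification is not implemented here. */
    return (DSE_SC_AUTHENTICATION);
}


/*
 * Having decided that a CA is trusted (eg. by looking at a tailor file),
 * add its key to the cache.
 *
 * str holds four '#'-separated fields: name, algorithm, algorithm
 * parameters, key value.  The string is modified in place (each '#' is
 * overwritten with a terminator), so it must be writable.
 *
 * Returns NOTOK when str is null, a separator is missing, or the name or
 * algorithm is not recognised; otherwise the result of add_ca_key_aux().
 */

int add_ca_key(str)
char *str;
{
    struct key_info key;
    DN name;
    char *ptr;
    OID alg;

    if (str == NULLCP)
        return (NOTOK);

    /* Start from a known state: the parsers below may fill only some fields. */
    bzero((char *)&key, sizeof(key));

    ptr = index(str, '#');
    if (ptr == NULLCP)
        return (NOTOK);
    *ptr = '\0';
    ptr++;
    name = str2dn(str);
    if (name == NULLDN)
    {
        DLOG(log_dsap, LLOG_FATAL, ("Invalid CA name: %s", str));
        return (NOTOK);
    }

    /*
     * NOTE(review): the error returns below do not release `name`;
     * presumably it is allocated by str2dn() - confirm.
     */
    str = ptr;
    ptr = index(str, '#');
    if (ptr == NULLCP)
        return (NOTOK);
    *ptr = '\0';
    ptr++;
    alg = name2oid(str);
    if (alg == NULLOID)
    {
        DLOG(log_dsap, LLOG_FATAL, ("Invalid algorithm: %s", str));
        return (NOTOK);
    }
    key.alg.algorithm = alg;

    str = ptr;
    ptr = index(str, '#');
    if (ptr == NULLCP)
    {
        DLOG(log_dsap, LLOG_FATAL, ("Algorithm parameters missing"));
        return (NOTOK);
    }
    *ptr = '\0';
    ptr++;

    /*
     * NOTE(review): the results of str2alg() and str2encrypted() are not
     * checked.  If either can fail on malformed input, a partly filled key
     * would be cached as a trusted CA key - confirm and reject on failure.
     */
    str2alg(str, &(key.alg));

    str = ptr;
    str2encrypted(str, &(key.value), &(key.n_bits));

    return (add_ca_key_aux(name, &key));
}

/*
 * Put a new record for (name, key) at the head of the trusted CA cache.
 *
 * The key is copied by value, so any pointers inside it are shared with
 * the caller's copy; the record keeps the name pointer it was given.
 * There is no check for an existing entry: a later record for the same
 * name sits in front of the earlier one in the list.
 *
 * Returns OK, or NOTOK when key is null or no memory is available.
 */

int add_ca_key_aux(name, key)
DN name;
struct key_info *key;
{
    struct ca_record *new;

    if (key == (struct key_info *) 0)
        return (NOTOK);

    pslog(log_dsap, LLOG_NOTICE, "Adding CA:", dn_print, (caddr_t) name);

    new = (struct ca_record *) calloc(1, sizeof(*new));
    if (new == (struct ca_record *) 0)
        return (NOTOK);

    new->name = name;
    bcopy((char *)key, (char *)&(new->key), sizeof(new->key));
    new->next = ca_key_cache;
    ca_key_cache = new;

    return (OK);
}


/*
 * Walk a key cache and return the first record whose name compares equal
 * to `name` under dn_cmp(), or a null pointer when there is none.
 */

/* ARGSUSED */
static struct ca_record *find_keyinfo_aux(cache, name)
struct ca_record *cache;
DN name;
{
    struct ca_record *ptr;

    for (ptr = cache; ptr; ptr = ptr->next)
    {
        if (dn_cmp(name, ptr->name) == 0)
            return (ptr);
    }

    return (ptr);    /* ie. NULL */
}

/* Look up `name` in the cache of user (untrusted) keys. */
struct ca_record *find_user_keyinfo(name)
DN name;
{
    return (find_keyinfo_aux(user_key_cache, name));
}

/* Look up `name` in the cache of trusted CA keys. */
struct ca_record *find_ca_keyinfo(name)
DN name;
{
    return (find_keyinfo_aux(ca_key_cache, name));
}

/*
 * Read RSA secret key from a file.
 *
 * Not implemented: str is ignored and NOTOK is always returned, so no
 * secret key is ever loaded by this routine.
 */

/* ARGSUSED */
int set_secret_key(str)
char *str;
{
    return (NOTOK);
}

/*
 * Compute signature. To do this, have to know canonical BER encoding of the
 * data structure. Hence, this routine takes a PEPY-produced encoder as one
 * parameter, and uses it to produce a PE.
 *
 * This wrapper passes the module's own key and parameters to
 * sign_operation_aux() and returns its result.
 */


/* ARGSUSED */
struct signature *sign_operation(data, encfnx)
caddr_t data;
IFP encfnx;
{
    return sign_operation_aux(data, encfnx, my_secret_key, my_key_parms);
}

/*
 * Build a signature structure for an operation.
 *
 * As written this is a placeholder: none of the four arguments is used,
 * nothing is hashed or encrypted, and the returned structure carries a
 * zero-filled 64-byte value described as 512 bits of "sq_mod_n_with_rsa".
 * The result therefore authenticates nothing and must not be accepted as
 * proof of origin by a verifier.
 *
 * Returns a newly allocated structure, or a null pointer when memory is
 * not available.
 */

/* ARGSUSED */
struct signature *sign_operation_aux(type, fnx, key, parms)
caddr_t type;
IFP fnx;
struct RSASecretKey *key;
struct RSAParameters *parms;
{
    struct signature *result;

    result = (struct signature *) calloc(1, sizeof(*result));
    if (result == (struct signature *) 0)
        return (result);

    /* 64 zero bytes, matching the 512 bits recorded in n_bits below. */
    result->encrypted = calloc(64, 1);
    if (result->encrypted == 0)
    {
        free((char *) result);
        return ((struct signature *) 0);
    }
    result->n_bits = 512;
    /* NOTE(review): the result of ode2oid()/oid_cpy() is not checked - confirm. */
    result->alg.algorithm = oid_cpy(ode2oid("sq_mod_n_with_rsa"));
    result->alg.p_type = ALG_PARM_NUMERIC;
    result->alg.un.numeric = 512;

    return (result);
}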