int action_list (bool nice_fingerprint, const std::string&filter,
keyring&KR)
{
PREPARE_KEYRING;
for (keyring::keypair_storage::iterator
i = KR.pairs.begin(), e = KR.pairs.end();
i != e; ++i) {
if (keyspec_matches (filter, i->second.pub.name, i->first))
output_key (nice_fingerprint,
"pubkey", "public key in keypair",
i->second.pub.alg, i->first,
i->second.pub.name);
}
for (keyring::pubkey_storage::iterator
i = KR.pubs.begin(), e = KR.pubs.end();
i != e; ++i) {
if (keyspec_matches (filter, i->second.name, i->first))
output_key (nice_fingerprint,
"pubkey", "public key",
i->second.alg, i->first,
i->second.name);
}
return 0;
}
int main(int argc, char *argv[]) {
if (argc != 3) error(2, "Usage: tweetnacl-keypair key.pub key.sec");
unsigned char public_key[crypto_box_PUBLICKEYBYTES];
unsigned char secret_key[crypto_box_SECRETKEYBYTES];
crypto_box_keypair(public_key, secret_key);
if (file_exists(argv[1])) errorf(1, "File <%s> exists", argv[1]);
if (file_exists(argv[2])) errorf(1, "File <%s> exists", argv[2]);
output_key(argv[1], public_key, crypto_box_PUBLICKEYBYTES);
output_key(argv[2], secret_key, crypto_box_SECRETKEYBYTES);
return 0;
}
static void
output_citeparts( fields *f, FILE *outptr, int level, int max )
{
int orig_level;
output_title( f, outptr, level );
output_names( f, outptr, level );
output_origin( f, outptr, level );
output_type( f, outptr, level );
output_language( f, outptr, level );
output_description( f, outptr, level );
if ( level >= 0 && level < max ) {
output_tag( outptr, lvl2indent(level), "relatedItem", NULL, TAG_OPEN, TAG_NEWLINE, "type", "host", NULL );
output_citeparts( f, outptr, incr_level(level,1), max );
output_tag( outptr, lvl2indent(level), "relatedItem", NULL, TAG_CLOSE, TAG_NEWLINE, NULL );
}
/* Look for original item things */
orig_level = original_items( f, level );
if ( orig_level ) {
output_tag( outptr, lvl2indent(level), "relatedItem", NULL, TAG_OPEN, TAG_NEWLINE, "type", "original", NULL );
output_citeparts( f, outptr, orig_level, max );
output_tag( outptr, lvl2indent(level), "relatedItem", NULL, TAG_CLOSE, TAG_NEWLINE, NULL );
}
output_abs( f, outptr, level );
output_notes( f, outptr, level );
output_toc( f, outptr, level );
output_key( f, outptr, level );
output_sn( f, outptr, level );
output_url( f, outptr, level );
output_part( f, outptr, level );
output_recordInfo( f, outptr, level );
}
void output_backend(Backend *backend)
{
if (!backend) return;
printf ("us: %zd, ss: %zd\n", backend->usersize, backend->systemsize);
output_key (backend->mountpoint);
}
static void
output_actions(struct nlattr *parent)
{
struct nlattr *attr;
int rem;
nla_for_each_nested(attr, parent, rem) {
switch (nla_type(attr)) {
case OVS_ACTION_ATTR_OUTPUT:
printf("output %d", nla_get_u32(attr));
break;
case OVS_ACTION_ATTR_USERSPACE:
printf("pktin");
break;
case OVS_ACTION_ATTR_POP_VLAN:
printf("pop-vlan");
break;
case OVS_ACTION_ATTR_PUSH_VLAN: {
struct ovs_action_push_vlan *x = nla_data(attr);
printf("push-vlan { vid=%u pcp=%d }", ntohs(x->vlan_tci) & 0xfff, ntohs(x->vlan_tci) >> 13);
break;
}
case OVS_ACTION_ATTR_SET:
printf("set { ");
output_key(attr);
printf("}");
break;
default:
printf("?");
break;
}
printf(" ");
}
}
void generate_key(void) {
ecc_int256_t secret;
if (!ecdsa_new_secret(&secret))
exit_error(1, 0, "Unable to read random bytes");
output_key(&secret);
}
void new_secret() {
ecc_int256_t secret;
if (!ecdsa_new_secret(&secret))
error(1, 0, "Unable to read random bytes");
output_key(&secret);
}
static void
output_key(struct nlattr *attr)
{
struct nlattr *key_attrs[OVS_KEY_ATTR_MAX+1];
if (nla_parse_nested(key_attrs, OVS_KEY_ATTR_MAX, attr, NULL) < 0) {
abort();
}
#define key(attr_type, c_type, fmt, ...) \
if (key_attrs[attr_type]) { \
c_type __attribute__((unused)) *x = nla_data(key_attrs[attr_type]); \
printf(fmt " ", ##__VA_ARGS__); \
}
key(OVS_KEY_ATTR_IN_PORT, uint32_t, "port=%u", *x);
key(OVS_KEY_ATTR_ETHERNET, struct ovs_key_ethernet,
"eth src=" FORMAT_MAC " dst=" FORMAT_MAC,
VALUE_MAC(x->eth_src), VALUE_MAC(x->eth_dst));
key(OVS_KEY_ATTR_VLAN, uint16_t,
"vlan=%u pcp=%u",
ntohs(*x) & 0xfff, ntohs(*x) >> 13);
if (key_attrs[OVS_KEY_ATTR_ENCAP]) {
output_key(key_attrs[OVS_KEY_ATTR_ENCAP]);
} else {
key(OVS_KEY_ATTR_ETHERTYPE, uint16_t, "type=%#.4hx", ntohs(*x));
}
key(OVS_KEY_ATTR_IPV4, struct ovs_key_ipv4,
"ipv4 src=" FORMAT_IPV4 " dst=" FORMAT_IPV4 " tos=%hhu ttl=%u proto=%u",
VALUE_IPV4((uint8_t *)&x->ipv4_src),
VALUE_IPV4((uint8_t *)&x->ipv4_dst),
x->ipv4_tos,
x->ipv4_ttl,
x->ipv4_proto);
key(OVS_KEY_ATTR_TCP, struct ovs_key_tcp,
"tcp src=%hu dst=%hu", ntohs(x->tcp_src), ntohs(x->tcp_dst));
key(OVS_KEY_ATTR_TCP_FLAGS, uint16_t,
"flags=%#x", ntohs(*x));
key(OVS_KEY_ATTR_UDP, struct ovs_key_udp,
"udp src=%hu dst=%hu", ntohs(x->udp_src), ntohs(x->udp_dst));
key(OVS_KEY_ATTR_SCTP, struct ovs_key_sctp,
"sctp src=%hu dst=%hu", ntohs(x->sctp_src), ntohs(x->sctp_dst));
key(OVS_KEY_ATTR_ICMP, struct ovs_key_icmp,
"icmp type=%hhu code=%hhu", x->icmp_type, x->icmp_code);
key(OVS_KEY_ATTR_ICMPV6, struct ovs_key_icmpv6,
"icmpv6 type=%hhu code=%hhu", x->icmpv6_type, x->icmpv6_code);
key(OVS_KEY_ATTR_ARP, struct ovs_key_arp,
"arp op=%hu sip="FORMAT_IPV4" tip="FORMAT_IPV4" sha="FORMAT_MAC" tha="FORMAT_MAC,
ntohs(x->arp_op),
VALUE_IPV4((uint8_t *)&x->arp_sip),
VALUE_IPV4((uint8_t *)&x->arp_tip),
VALUE_MAC(x->arp_sha),
VALUE_MAC(x->arp_tha));
#undef key
}
void output_keyset (KeySet *ks)
{
Key *k;
ksRewind(ks);
while ((k = ksNext(ks)) != 0)
{
output_key (k);
}
}
/* exported interface documented in keydb.h */
int
write_keyring(const char *fname)
{
int fd;
FILE *fh;
struct snum_to_key_s *base = ents;
char *fname2 = malloc(strlen(fname) + 5);
strcpy(fname2, fname);
strcat(fname2, ".tmp");
fd = open(fname2, O_CREAT | O_EXCL | O_WRONLY, 0600);
if (fd == -1) {
/* Unable to open keyring */
perror("open");
free(fname2);
return -1;
}
fh = fdopen(fd, "w");
if (fh == NULL) {
free(fname2);
close(fd);
return -1;
}
fprintf(fh, "# Do not edit this directly, this file is managed by ekey-setkey\n");
while (base) {
output_key(fh, base->snum, base->ltkey);
base = base->next;
}
fflush(fh);
fclose(fh);
if (rename(fname2, fname) == -1) {
perror("rename");
free(fname2);
unlink(fname2);
return -1;
}
free(fname2);
return 0;
}
void show_key(void) {
char secret_string[65];
ecc_int256_t pubkey, secret;
if (fgets(secret_string, sizeof(secret_string), stdin) == NULL)
goto secret_error;
if (!parsehex(secret.p, secret_string, 32))
goto secret_error;
ecdsa_public_from_secret(&pubkey, &secret);
output_key(&pubkey);
return;
secret_error:
exit_error(1, 0, "Error reading secret");
}
static int
show_kflow__(struct nl_msg *msg, void *arg)
{
struct nlmsghdr *nlh = nlmsg_hdr(msg);
struct nlattr *attrs[OVS_FLOW_ATTR_MAX+1];
if (genlmsg_parse(nlh, sizeof(struct ovs_header),
attrs, OVS_FLOW_ATTR_MAX,
NULL) < 0) {
abort();
}
output_key(attrs[OVS_FLOW_ATTR_KEY]);
printf("-> ");
output_actions(attrs[OVS_FLOW_ATTR_ACTIONS]);
printf("\n");
return NL_OK;
}
int
main(int argc, char **argv)
{
uint8_t *mkey = NULL; /** Master key. */
uint8_t *snum = NULL; /** Serial number */
char *key_path = NULL;
estream_state_t *key_stream ; /** The input stream. */
epkt_state_t *epkt; /* The packet handler attached to the framer. */
int opt;
int res;
uint8_t data[128];
uint8_t nonce[12];
uint8_t *mac;
EKeySkein rekeying_state;
uint8_t session_key[32];
int retries;
char *keyring_filename;
bool nokeyring = false;
keyring_filename = strdup(KEYRINGFILE);
while ((opt = getopt(argc, argv, "vhnf:s:m:")) != -1) {
switch (opt) {
case 's': /* set serial number */
snum = malloc(12);
res = pem64_decode_bytes(optarg, 16, snum);
if (res != 12) {
fprintf(stderr, "The serial number given is not the correct length. (%d/12)\n", res);
return EXIT_CODE_CMDLINE;
}
break;
case 'm': /* set master key */
mkey = extract_master_key(optarg, strlen(optarg));
if (mkey == NULL)
return EXIT_CODE_CMDLINE;
break;
case 'f': /* set keyring filename */
free(keyring_filename);
keyring_filename = strdup(optarg);
break;
case 'n': /* do not update the keyring */
nokeyring = true;
break;
case 'v': /* print version number */
printf("%s: Version 1.1\n", argv[0]);
return 0;
case 'h':
default:
fprintf(stderr, usage, argv[0]);
return EXIT_CODE_CMDLINE;
}
}
if (optind >= argc) {
if (snum == NULL) {
fprintf(stderr, "A device path must be given.\n");
fprintf(stderr, usage, argv[0]);
return EXIT_CODE_CMDLINE;
} else {
key_path = calloc(1, 17 + strlen(DEVEKEY));
memcpy(key_path, DEVEKEY, 1 + strlen(DEVEKEY));
pem64_encode_bytes(snum, 12, key_path + 16);
}
} else {
key_path = strdup(argv[optind]);
}
/* load keyring */
if (nokeyring == false) {
if (get_keyring(keyring_filename) < 0) {
free(key_path);
return EXIT_CODE_LOADKEYRING;
}
}
/* ensure master key */
if (mkey == NULL) {
char s[55];
int sidx;
int sodx;
int slen;
if (isatty(STDIN) == 0) {
fprintf(stderr, "A master key must be given.\n");
free(key_path);
return EXIT_CODE_MASTERKEY;
}
printf("Please enter a master key: ");
if (fgets(s, sizeof(s), stdin) == NULL) {
perror("fgets");
}
/* we must allow for the user entering spaces in the input */
slen = strlen(s);
sidx = sodx = 0;
while ((sidx < slen) && (s[sidx] != 0)) {
s[sodx] = s[sidx];
if (s[sidx] != ' ') {
sodx++;
}
sidx++;
}
s[sodx] = 0;
mkey = extract_master_key(s, sodx);
if (mkey == NULL) {
free(key_path);
return EXIT_CODE_MASTERKEY;
}
}
/* open entropy key device */
key_stream = estream_open(key_path);
if (key_stream == NULL) {
perror("Error");
fprintf(stderr, "Unable to open %s as the entropy key device.\n", key_path);
free(key_path);
return EXIT_CODE_EKEYERR;
}
free(key_path);
epkt = epkt_open(eframe_open(key_stream));
/* reset key */
estream_write(key_stream, reset, 1);
epkt_setsessionkey(epkt, NULL, default_session_key);
/* wait for serial packet */
retries = 20;
do {
res = epkt_read(epkt, data, 128);
if (res <= 0) {
if (errno == EWOULDBLOCK)
continue;
perror("Unexpected error");
return 2;
} else if (epkt->pkt_type == PKTTYPE_SNUM) {
break;
}
/* reset key */
estream_write(key_stream, reset, 1);
epkt_setsessionkey(epkt, NULL, default_session_key);
retries--;
} while (retries > 0);
if (retries == 0) {
fprintf(stderr, "Timeout obtaining serial number from key.\n");
return 3;
}
if (res != 12) {
fprintf(stderr, "Bad serial number from key.\n");
return 4;
}
if (snum == NULL) {
/* no serial number */
snum = malloc(res);
memcpy(snum, data, res);
} else {
/* ensure serial number matches */
if (memcmp(snum, data, 12) != 0) {
fprintf(stderr, "Serial number did not match the one specified.\n");
return 4;
}
}
/* Initialise the MAC checksum using the serial number and the default
* shared key
*/
epkt_setsessionkey(epkt, snum, default_session_key);
/* Prepare a nonce */
if (fill_nonce(nonce, 12) != true) {
fprintf(stderr, "Unable to generate nonce.\n");
return 1;
}
close_nonce();
/* send nonce MAC */
mac = calc_mac(snum, mkey, nonce, 12);
data[0] = 'M';
pem64_encode_bytes(mac, 6, (char *)data + 1);
estream_write(key_stream, data, 9);
/* wait for MAC ack packet */
retries = 20;
do {
res = epkt_read(epkt, data, 128);
if (res <= 0) {
if (errno == EWOULDBLOCK)
continue;
perror("Unexpected error");
return 2;
}
if (epkt->pkt_type == PKTTYPE_LTREKEYMAC)
break;
retries--;
} while (retries > 0);
if (retries == 0) {
fprintf(stderr, "Timeout obtaining MAC acknowledgement packet.\n");
return 3;
}
data[0] = 'L';
data[17] = '.';
pem64_encode_bytes(nonce, 12, (char *)data + 1);
estream_write(key_stream, data, 18);
/* wait for rekey ack packet */
do {
res = epkt_read(epkt, data, 128);
if (res <= 0) {
if (errno == EWOULDBLOCK)
continue;
if (errno == EPROTO) {
fprintf(stderr, "Provided master key does not match the device's.\n");
return 2;
}
perror("Unexpected error");
return 2;
}
} while (epkt->pkt_type != PKTTYPE_LTREKEY);
/* calculate new longterm key */
PrepareSkein(&rekeying_state, snum, &(mkey[0]), EKEY_SKEIN_PERSONALISATION_LRS);
Skein_256_Update(&rekeying_state, &(data[0]), 32);
Skein_256_Update(&rekeying_state, nonce, 12);
Skein_256_Final(&rekeying_state, session_key);
if (nokeyring == false) {
add_ltkey(snum, session_key);
if (put_keyring(keyring_filename) < 0)
return EXIT_CODE_WRITEKEYRING;
} else {
/* just display new key */
output_key(stdout, snum, session_key);
}
return 0;
}
int action_import_sec (bool armor, bool no_action, bool yes, bool fp,
const std::string & filter, const std::string & name,
keyring & KR)
{
std::string data;
read_all_input (data);
if (armor) {
std::string type;
std::vector<std::string> parts;
if (!envelope_read (data, 0, type, parts)) {
err ("error: no data envelope found");
return 1;
}
if (type != ENVELOPE_SECRETS || parts.size() != 1) {
err ("error: wrong envelope format");
return 1;
}
if (!base64_decode (parts[0], data)) {
err ("error: malformed data");
return 1;
}
}
sencode*S = sencode_decode (data);
if (!S) {
err ("error: could not parse input sencode");
if (!armor && envelope_lookalike (data))
err ("notice: input looks ascii-armored, "
"try using the armor option");
return 1;
}
keyring::keypair_storage s;
if (!keyring::parse_keypairs (S, s)) {
err ("error: could not parse input structure");
sencode_destroy (S);
return 1;
}
sencode_destroy (S);
if (!s.size()) {
err ("notice: keyring was empty");
return 0;
}
if (no_action) {
for (keyring::keypair_storage::iterator
i = s.begin(), e = s.end(); i != e; ++i) {
if (keyspec_matches (filter, i->second.pub.name,
i->first))
output_key (fp,
"keypair", "key pair",
i->second.pub.alg, i->first,
i->second.pub.name);
}
return 0;
}
PREPARE_KEYRING;
int rewrites = 0;
for (keyring::keypair_storage::iterator
i = s.begin(), e = s.end(); i != e; ++i) {
if (keyspec_matches (filter, i->second.pub.name, i->first)
&& (KR.pubs.count (i->first)
|| KR.pairs.count (i->first)))
++rewrites;
}
if (rewrites && !yes) {
err ("error: this would overwrite "
<< rewrites << " of your keys. "
"Use Yes option to confirm.");
return 1;
}
//merge into KR. Also prevent keyID collisions
for (keyring::keypair_storage::iterator
i = s.begin(), e = s.end(); i != e; ++i) {
if (keyspec_matches (filter, i->second.pub.name, i->first)) {
KR.remove_pubkey (i->first);
KR.remove_keypair (i->first);
KR.store_keypair (i->first,
name.length() ?
name : i->second.pub.name,
i->second.pub.alg,
i->second.pub.key, i->second.privkey);
}
}
if (!KR.save()) {
err ("error: couldn't save keyring");
return 1;
}
return 0;
}
