0
0
Fork 0
mirror of https://github.com/matrix-construct/construct synced 2024-11-26 08:42:34 +01:00
construct/modules/s_keys.cc
2019-05-26 19:13:20 -07:00

771 lines
14 KiB
C++

// Matrix Construct
//
// Copyright (C) Matrix Construct Developers, Authors & Contributors
// Copyright (C) 2016-2018 Jason Volk <jason@zemos.net>
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice is present in all copies. The
// full license for this software is available in the LICENSE file.
namespace ircd::m
{
static bool keys_cache_get(const string_view &server, const string_view &key_id, const keys::closure &);
static size_t keys_cache_set(const json::object &);
void create_my_key();
static void create_my_key_hookfn(const m::event &, m::vm::eval &);
static void init_my_ed25519();
static void init_my_tls_crt();
void init_my_keys();
extern conf::item<milliseconds> keys_get_timeout;
extern conf::item<milliseconds> keys_query_timeout;
extern conf::item<std::string> ed25519_key_dir;
extern conf::item<std::string> tls_key_dir;
extern m::hookfn<m::vm::eval &> create_my_key_hook;
}
ircd::mapi::header
IRCD_MODULE
{
"Server keys"
};
//
// ircd/m/keys.h
//
bool
IRCD_MODULE_EXPORT
ircd::m::verify(const m::keys &keys,
std::nothrow_t)
noexcept try
{
return verify(keys, std::nothrow);
}
catch(const std::exception &e)
{
log::error
{
m::log, "key verification for '%s' failed :%s",
json::get<"server_name"_>(keys, "<no server name>"_sv),
e.what()
};
return false;
}
void
IRCD_MODULE_EXPORT
ircd::m::verify(const m::keys &keys)
{
const auto &valid_until_ts
{
at<"valid_until_ts"_>(keys)
};
if(valid_until_ts < ircd::time<milliseconds>())
throw ircd::error
{
"Key was valid until %s", timestr(valid_until_ts / 1000L)
};
const json::object &verify_keys
{
at<"verify_keys"_>(keys)
};
const string_view &key_id
{
begin(verify_keys)->first
};
const json::object &key
{
begin(verify_keys)->second
};
const ed25519::pk pk
{
[&key](auto &pk)
{
b64decode(pk, unquote(key.at("key")));
}
};
const json::object &signatures
{
at<"signatures"_>(keys)
};
const string_view &server_name
{
unquote(at<"server_name"_>(keys))
};
const json::object &server_signatures
{
signatures.at(server_name)
};
const ed25519::sig sig{[&server_signatures, &key_id](auto &sig)
{
b64decode(sig, unquote(server_signatures.at(key_id)));
}};
m::keys copy{keys};
at<"signatures"_>(copy) = string_view{};
thread_local char buf[4096];
const const_buffer preimage
{
json::stringify(mutable_buffer{buf}, copy)
};
if(!pk.verify(preimage, sig))
throw m::error
{
http::UNAUTHORIZED, "M_INVALID_SIGNATURE",
"Failed to verify signature for public key of '%s'",
server_name
};
}
//
// ircd::m::keys
//
decltype(ircd::m::keys_get_timeout)
ircd::m::keys_query_timeout
{
{ "name", "ircd.keys.query.timeout" },
{ "default", 20000L }
};
bool
IRCD_MODULE_EXPORT
ircd::m::keys::query(const string_view &query_server,
const queries &queries,
const closure_bool &closure)
try
{
assert(!query_server.empty());
m::v1::key::opts opts;
opts.remote = net::hostport{query_server};
opts.dynamic = true;
const unique_buffer<mutable_buffer> buf
{
16_KiB
};
m::v1::key::query request
{
queries, buf, std::move(opts)
};
request.wait(milliseconds(keys_query_timeout));
const auto &code(request.get());
const json::array &response
{
request
};
for(const json::object &key_ : response) try
{
const m::keys &key
{
key_
};
verify(key);
log::debug
{
m::log, "Verified keys for '%s' from '%s'",
at<"server_name"_>(key),
query_server
};
if(!closure(key_))
return false;
}
catch(const std::exception &e)
{
log::derror
{
"Failed to verify keys for '%s' from '%s' :%s",
key_.get("server_name"),
query_server,
e.what()
};
}
return true;
}
catch(const ctx::timeout &e)
{
throw m::error
{
http::REQUEST_TIMEOUT, "M_TIMEOUT",
"Failed to query keys from '%s' in time",
query_server
};
}
decltype(ircd::m::keys_get_timeout)
ircd::m::keys_get_timeout
{
{ "name", "ircd.keys.get.timeout" },
{ "default", 20000L }
};
void
IRCD_MODULE_EXPORT
ircd::m::keys::get(const string_view &server_name,
const string_view &key_id,
const closure &closure)
try
{
assert(!server_name.empty());
if(keys_cache_get(server_name, key_id, closure))
return;
if(server_name == my_host())
throw m::NOT_FOUND
{
"keys for '%s' (that's myself) not found", server_name
};
log::debug
{
m::log, "Keys for %s not cached; querying network...", server_name
};
m::v1::key::opts opts;
const unique_buffer<mutable_buffer> buf
{
16_KiB
};
m::v1::key::keys request
{
server_name, buf, std::move(opts)
};
request.wait(milliseconds(keys_get_timeout));
const auto &status(request.get());
const json::object &response
{
request
};
const json::object &keys
{
response
};
verify(m::keys(keys));
log::debug
{
m::log, "Verified keys from '%s'", server_name
};
keys_cache_set(keys);
closure(keys);
}
catch(const ctx::timeout &e)
{
throw m::error
{
http::REQUEST_TIMEOUT, "M_TIMEOUT",
"Failed to fetch keys for '%s' in time",
server_name
};
}
//
// init
//
void
IRCD_MODULE_EXPORT
ircd::m::init_my_keys()
{
init_my_ed25519();
init_my_tls_crt();
}
decltype(ircd::m::tls_key_dir)
ircd::m::tls_key_dir
{
{ "name", "ircd.keys.tls_key_dir" },
{ "default", fs::cwd() }
};
void
ircd::m::init_my_tls_crt()
{
if(empty(m::self::origin))
throw error
{
"The m::self::origin must be set to init my ed25519 key."
};
const std::string private_key_path_parts[]
{
std::string{tls_key_dir},
m::self::origin + ".crt.key",
};
const std::string public_key_path_parts[]
{
std::string{tls_key_dir},
m::self::origin + ".crt.key.pub",
};
const std::string dhparam_path_parts[]
{
std::string{tls_key_dir},
m::self::origin + ".crt.dh",
};
const std::string certificate_path_parts[]
{
std::string{tls_key_dir},
m::self::origin + ".crt",
};
const std::string private_key_file
{
fs::path_string(private_key_path_parts)
};
const std::string public_key_file
{
fs::path_string(public_key_path_parts)
};
const std::string cert_file
{
fs::path_string(certificate_path_parts)
};
if(!fs::exists(private_key_file) && !ircd::write_avoid)
{
log::warning
{
"Failed to find certificate private key @ `%s'; creating...",
private_key_file
};
openssl::genrsa(private_key_file, public_key_file);
}
/*
const std::string dhparam_file
{
fs::path(dhparam_path_parts)
};
if(!fs::exists(dhparam_file))
{
log::warning
{
"Failed to find dhparam file @ `%s'; creating; "
"this will take about 2 to 5 minutes...",
dhparam_file
};
openssl::gendh(dhparam_file);
}
*/
const json::object config{};
if(!fs::exists(cert_file) && !ircd::write_avoid)
{
const json::object &certificate
{
config.get("certificate")
};
const json::object &self_
{
certificate.get(m::self::origin)
};
std::string subject
{
self_.get("subject")
};
if(empty(subject))
subject = json::strung{json::members
{
{ "CN", m::self::origin }
}};
log::warning
{
"Failed to find SSL certificate @ `%s'; creating for '%s'...",
cert_file,
m::self::origin
};
const unique_buffer<mutable_buffer> buf
{
1_MiB
};
const json::strung opts{json::members
{
{ "private_key_pem_path", private_key_file },
{ "public_key_pem_path", public_key_file },
{ "subject", subject },
}};
const auto cert
{
openssl::genX509_rsa(buf, opts)
};
fs::overwrite(cert_file, cert);
}
const auto cert_pem
{
fs::read(cert_file)
};
const unique_buffer<mutable_buffer> der_buf
{
8_KiB
};
const auto cert_der
{
openssl::cert2d(der_buf, cert_pem)
};
const fixed_buffer<const_buffer, crh::sha256::digest_size> hash
{
sha256{cert_der}
};
m::self::tls_cert_der_sha256_b64 =
{
b64encode_unpadded(hash)
};
log::info
{
m::log, "Certificate `%s' :PEM %zu bytes; DER %zu bytes; sha256b64 %s",
cert_file,
cert_pem.size(),
ircd::size(cert_der),
m::self::tls_cert_der_sha256_b64
};
const unique_buffer<mutable_buffer> print_buf
{
8_KiB
};
log::info
{
m::log, "Certificate `%s' :%s",
cert_file,
openssl::print_subject(print_buf, cert_pem)
};
}
decltype(ircd::m::ed25519_key_dir)
ircd::m::ed25519_key_dir
{
{ "name", "ircd.keys.ed25519_key_dir" },
{ "default", fs::cwd() }
};
void
ircd::m::init_my_ed25519()
{
if(empty(m::self::origin))
throw error
{
"The m::self::origin must be set to init my ed25519 key."
};
const std::string path_parts[]
{
std::string{ed25519_key_dir},
m::self::origin + ".ed25519",
};
const std::string sk_file
{
ircd::string(fs::PATH_MAX_LEN, [&](const mutable_buffer &buf)
{
return fs::path(buf, path_parts);
})
};
if(fs::exists(sk_file) || ircd::write_avoid)
log::info
{
m::log, "Using ed25519 secret key @ `%s'", sk_file
};
else
log::notice
{
m::log, "Creating ed25519 secret key @ `%s'", sk_file
};
m::self::secret_key = ed25519::sk
{
sk_file, &m::self::public_key
};
m::self::public_key_b64 = b64encode_unpadded(m::self::public_key);
const fixed_buffer<const_buffer, sha256::digest_size> hash
{
sha256{m::self::public_key}
};
const auto public_key_hash_b58
{
b58encode(hash)
};
static const auto trunc_size{8};
m::self::public_key_id = fmt::snstringf
{
32, "ed25519:%s", trunc(public_key_hash_b58, trunc_size)
};
log::info
{
m::log, "Current key is '%s' and the public key is: %s",
m::self::public_key_id,
m::self::public_key_b64
};
}
//
// create_my_key
//
decltype(ircd::m::create_my_key_hook)
ircd::m::create_my_key_hook
{
create_my_key_hookfn,
{
{ "_site", "vm.effect" },
{ "room_id", m::my_node.room_id() },
{ "type", "m.room.create" },
}
};
void
ircd::m::create_my_key_hookfn(const m::event &,
m::vm::eval &)
{
create_my_key();
}
void
IRCD_MODULE_EXPORT
ircd::m::create_my_key()
{
const json::members verify_keys_
{{
string_view{m::self::public_key_id},
{
{ "key", m::self::public_key_b64 }
}
}};
const json::members tlsfps
{
{ "sha256", m::self::tls_cert_der_sha256_b64 }
};
const json::value tlsfp[1]
{
{ tlsfps }
};
m::keys my_key;
json::get<"server_name"_>(my_key) = my_host();
json::get<"old_verify_keys"_>(my_key) = "{}";
//TODO: conf
json::get<"valid_until_ts"_>(my_key) =
ircd::time<milliseconds>() + milliseconds(1000UL * 60 * 60 * 24 * 180).count();
const json::strung verify_keys{verify_keys_}; // must be on stack until my_keys serialized.
json::get<"verify_keys"_>(my_key) = verify_keys;
const json::strung tls_fingerprints{json::value{tlsfp, 1}}; // must be on stack until my_keys serialized.
json::get<"tls_fingerprints"_>(my_key) = tls_fingerprints;
const json::strung presig
{
my_key
};
const ed25519::sig sig
{
m::self::secret_key.sign(const_buffer{presig})
};
char signature[256];
const json::strung signatures{json::members
{
{ my_host(),
{
{ string_view{m::self::public_key_id}, b64encode_unpadded(signature, sig) }
}}
}};
json::get<"signatures"_>(my_key) = signatures;
keys_cache_set(json::strung{my_key});
}
//
// cache
//
size_t
ircd::m::keys_cache_set(const json::object &keys)
{
const json::string &server_name
{
keys.at("server_name")
};
const m::node::room node_room
{
server_name
};
if(!exists(node_room.room_id))
create(node_room, m::me.user_id);
const json::object &vks
{
keys.at("verify_keys")
};
size_t ret{0};
for(const auto &member : vks)
{
if(ret > 16)
return ret;
const auto &key_id(unquote(member.first));
send(node_room, m::me.user_id, "ircd.key", key_id, keys);
++ret;
}
return ret;
}
bool
ircd::m::keys_cache_get(const string_view &server_name,
const string_view &key_id,
const keys::closure &closure)
{
const m::node::room node_room
{
server_name
};
const auto reclosure{[&closure]
(const m::event &event)
{
closure(json::get<"content"_>(event));
}};
// Without a key_id we search for the most recent key; note this is not
// the same as making a state_key="" query, as that would be an actual
// ircd.key entry without an id (which shouldn't exist).
return !key_id?
node_room.get(std::nothrow, "ircd.key", reclosure):
node_room.get(std::nothrow, "ircd.key", key_id, reclosure);
}
///////////////////////////////////////////////////////////////////////////////
//
// (internal) ed25519 support sanity test
//
#ifdef RB_DEBUG
#define TEST_ED25519 __attribute__((constructor))
#else
#define TEST_ED25519
#endif
namespace ircd
{
static void _test_ed25519() noexcept TEST_ED25519;
}
void
ircd::_test_ed25519()
noexcept
{
char seed_buf[ed25519::SEED_SZ + 10];
const auto seed
{
b64decode(seed_buf, "YJDBA9Xnr2sVqXD9Vj7XVUnmFZcZrlw8Md7kMW+3XA1")
};
ed25519::pk pk;
ed25519::sk sk{&pk, seed};
const auto SERVER_NAME {"domain"};
const auto KEY_ID {"ed25519:1"};
const auto test{[&]
(const std::string &object) -> bool
{
const auto sig
{
sk.sign(const_buffer{object})
};
char sigb64_buf[128];
const auto sigb64
{
b64encode_unpadded(sigb64_buf, sig)
};
ed25519::sig unsig; const auto unsigb64
{
b64decode(unsig, sigb64)
};
return pk.verify(const_buffer{object}, unsig);
}};
const bool tests[]
{
test(std::string{json::object
{
"{}"
}}),
test(json::strung(json::members
{
{ "one", 1L },
{ "two", "Two" }
})),
};
if(!std::all_of(begin(tests), end(tests), [](const bool &b) { return b; }))
throw ircd::panic
{
"Seeded ed25519 test failed"
};
}