[u/mdw/catacomb] / key-pass.c

/* -*-c-*-
 *
 * $Id: key-pass.c,v 1.4 2004/03/28 01:58:26 mdw Exp $
 *
 * Encrypting keys with passphrases
 *
 * (c) 1999 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------* 
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 * 
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 * 
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

/*----- Revision history --------------------------------------------------* 
 *
 * $Log: key-pass.c,v $
 * Revision 1.4  2004/03/28 01:58:26  mdw
 * Ooops, fix all the bugs.
 *
 * Revision 1.3  2004/03/27 00:04:19  mdw
 * INCOMPATIBLE CHANGE.  Use proper authentication on encrypted keys.
 *
 * Revision 1.2  2000/06/17 11:26:35  mdw
 * `rand_getgood' is deprecated.
 *
 * Revision 1.1  1999/12/22 15:47:48  mdw
 * Major key-management revision.
 *
 */

/*----- Header files ------------------------------------------------------*/

#include <mLib/dstr.h>

#include "key.h"
#include "paranoia.h"
#include "passphrase.h"
#include "rand.h"

#include "blowfish-cbc.h"
#include "rmd160.h"
#include "rmd160-mgf.h"
#include "rmd160-hmac.h"

/*----- Main code ---------------------------------------------------------*/

/* --- Format --- *
 *
 * Choose a random 160-bit string %$R$%.  Take the passphrase %$P$%, and
 * the message %$m$%.  Now, compute %$K_E \cat K_T = H(R \cat P)$%,
 * %$y_0 = E_{K_E}(m)$% and %$\tau = T_{K_T}(y_0)$%.  The ciphertext is
 * %$y = N \cat \tau \cat y_0$%.
 *
 * This is not the original format.  The original format was insecure, and
 * has been replaced incompatibly.
 */

/* --- @key_plock@ --- *
 *
 * Arguments:	@const char *tag@ = tag to use for passphrase
 *		@key_data *k@ = source key data block
 *		@key_data *kt@ = target key data block
 *
 * Returns:	Zero if successful, nonzero if there was a problem.
 *
 * Use:		Locks a key by encrypting it with a passphrase.
 */

int key_plock(const char *tag, key_data *k, key_data *kt)
{
  dstr d = DSTR_INIT;
  octet b[RMD160_HASHSZ * 2];
  octet *m;
  size_t msz;
  char buf[256];

  /* --- Sanity check --- */

  assert(((void)"Key data is already encrypted",
	  (k->e & KF_ENCMASK) != KENC_ENCRYPT));

  /* --- Format the stuff in the buffer --- */

  DENSURE(&d, RMD160_HASHSZ * 2);
  rand_get(RAND_GLOBAL, d.buf, RMD160_HASHSZ);
  d.len += RMD160_HASHSZ * 2;
  key_encode(k, &d, 0);
  if (k == kt)
    key_destroy(k);
  m = (octet *)d.buf + RMD160_HASHSZ * 2;
  msz = d.len - RMD160_HASHSZ * 2;

  /* --- Read the passphrase --- */

  if (passphrase_read(tag, PMODE_VERIFY, buf, sizeof(buf))) {
    dstr_destroy(&d);
    return (-1);
  }

  /* --- Hash the passphrase to make a key --- */

  {
    rmd160_mgfctx r;
    rmd160_mgfkeybegin(&r);
    rmd160_mgfkeyadd(&r, d.buf, RMD160_HASHSZ);
    rmd160_mgfkeyadd(&r, buf, strlen(buf));
    rmd160_mgfencrypt(&r, 0, b, sizeof(b));
    BURN(r);
    BURN(buf);
  }

  /* --- Encrypt the plaintext --- */

  {
    blowfish_cbcctx c;
    blowfish_cbcinit(&c, b, RMD160_HASHSZ, 0);
    blowfish_cbcencrypt(&c, m, m, msz);
    BURN(c);
  }

  /* --- MAC the ciphertext --- */

  {
    rmd160_mackey mk;
    rmd160_macctx mc;
    rmd160_hmacinit(&mk, b + RMD160_HASHSZ, RMD160_HASHSZ);
    rmd160_macinit(&mc, &mk);
    rmd160_machash(&mc, m, msz);
    rmd160_macdone(&mc, d.buf + RMD160_HASHSZ);
    BURN(mk);
    BURN(mc);
  }

  /* --- Done --- */

  BURN(b);
  key_encrypted(kt, d.buf, d.len);
  dstr_destroy(&d);
  return (0);
}

/* --- @key_punlock@ --- *
 *
 * Arguments:	@const char *tag@ = tag to use for passphrase
 *		@key_data *k@ = source key data block
 *		@key_data *kt@ = target key data block
 *
 * Returns:	Zero if it worked, nonzero if it didn't.
 *
 * Use:		Unlocks a passphrase-locked key.
 */

int key_punlock(const char *tag, key_data *k, key_data *kt)
{
  octet b[RMD160_HASHSZ * 2];
  char buf[256];
  octet *p = 0;
  size_t sz;

  /* --- Sanity check --- */

  assert(((void)"Key data isn't encrypted",
	  (k->e & KF_ENCMASK) == KENC_ENCRYPT));

  /* --- Check the size --- */

  if (k->u.k.sz < RMD160_HASHSZ * 2)
    return (-1);
  sz = k->u.k.sz - RMD160_HASHSZ * 2;

  /* --- Fetch the passphrase --- */

  if (passphrase_read(tag, PMODE_READ, buf, sizeof(buf)))
    goto fail;

  /* --- Hash the passphrase to make a key --- */

  {
    rmd160_mgfctx r;
    rmd160_mgfkeybegin(&r);
    rmd160_mgfkeyadd(&r, k->u.k.k, RMD160_HASHSZ);
    rmd160_mgfkeyadd(&r, buf, strlen(buf));
    rmd160_mgfencrypt(&r, 0, b, sizeof(b));
    BURN(r);
    BURN(buf);
  }

  /* --- Verify the MAC --- */

  {
    rmd160_mackey mk;
    rmd160_macctx mc;
    rmd160_hmacinit(&mk, b + RMD160_HASHSZ, RMD160_HASHSZ);
    rmd160_macinit(&mc, &mk);
    rmd160_machash(&mc, k->u.k.k + RMD160_HASHSZ * 2, sz);
    rmd160_macdone(&mc, b + RMD160_HASHSZ);
    if (memcmp(b + RMD160_HASHSZ, k->u.k.k + RMD160_HASHSZ,
	       RMD160_HASHSZ) != 0) {
      passphrase_cancel(tag);
      goto fail;
    }
    BURN(mk);
    BURN(mc);
  }

  /* --- Allocate a destination buffer --- */

  p = xmalloc(sz);

  /* --- Decrypt the key data --- */

  {
    blowfish_cbcctx c;
    blowfish_cbcinit(&c, b, RMD160_HASHSZ, 0);
    blowfish_cbcdecrypt(&c, k->u.k.k + RMD160_HASHSZ * 2, p, sz);
    BURN(c);
  }

  /* --- Decode the key data into the destination buffer --- */

  if (k == kt) {
    key_destroy(k);
    passphrase_cancel(tag);
  }
  if (key_decode(p, sz, kt))
    goto fail;

  /* --- Done --- */

  free(p);
  return (0);

  /* --- Tidy up if things went wrong --- */

fail:
  BURN(b);
  free(p);
  return (-1);
}

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
d11a0bf7	1	/* --c--
d11a0bf7	2	*
8ef2f81d	3	* $Id: key-pass.c,v 1.4 2004/03/28 01:58:26 mdw Exp $
d11a0bf7	4	*
	5	* Encrypting keys with passphrases
	6	*
	7	* (c) 1999 Straylight/Edgeware
	8	*/
	9
	10	/----- Licensing notice --------------------------------------------------
	11	*
	12	* This file is part of Catacomb.
	13	*
	14	* Catacomb is free software; you can redistribute it and/or modify
	15	* it under the terms of the GNU Library General Public License as
	16	* published by the Free Software Foundation; either version 2 of the
	17	* License, or (at your option) any later version.
	18	*
	19	* Catacomb is distributed in the hope that it will be useful,
	20	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	21	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	22	* GNU Library General Public License for more details.
	23	*
	24	* You should have received a copy of the GNU Library General Public
	25	* License along with Catacomb; if not, write to the Free
	26	* Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
	27	* MA 02111-1307, USA.
	28	*/
	29
	30	/----- Revision history --------------------------------------------------
	31	*
	32	* $Log: key-pass.c,v $
8ef2f81d	33	* Revision 1.4 2004/03/28 01:58:26 mdw
	34	* Ooops, fix all the bugs.
	35	*
59b2b448	36	* Revision 1.3 2004/03/27 00:04:19 mdw
	37	* INCOMPATIBLE CHANGE. Use proper authentication on encrypted keys.
	38	*
bbded534	39	* Revision 1.2 2000/06/17 11:26:35 mdw
	40	* `rand_getgood' is deprecated.
	41	*
d11a0bf7	42	* Revision 1.1 1999/12/22 15:47:48 mdw
	43	* Major key-management revision.
	44	*
	45	*/
	46
	47	/----- Header files ------------------------------------------------------/
	48
	49	#include <mLib/dstr.h>
	50
	51	#include "key.h"
	52	#include "paranoia.h"
	53	#include "passphrase.h"
	54	#include "rand.h"
	55
	56	#include "blowfish-cbc.h"
	57	#include "rmd160.h"
59b2b448	58	#include "rmd160-mgf.h"
59b2b448	59	#include "rmd160-hmac.h"
d11a0bf7	60
	61	/----- Main code ---------------------------------------------------------/
	62
59b2b448	63	/* --- Format --- *
	64	*
	65	* Choose a random 160-bit string %$R$%. Take the passphrase %$P$%, and
	66	* the message %$m$%. Now, compute %$K_E \cat K_T = H(R \cat P)$%,
	67	* %$y_0 = E_{K_E}(m)$% and %$\tau = T_{K_T}(y_0)$%. The ciphertext is
	68	* %$y = N \cat \tau \cat y_0$%.
	69	*
	70	* This is not the original format. The original format was insecure, and
	71	* has been replaced incompatibly.
	72	*/
	73
d11a0bf7	74	/* --- @key_plock@ --- *
	75	*
	76	* Arguments: @const char *tag@ = tag to use for passphrase
	77	* @key_data *k@ = source key data block
	78	* @key_data *kt@ = target key data block
	79	*
	80	* Returns: Zero if successful, nonzero if there was a problem.
	81	*
	82	* Use: Locks a key by encrypting it with a passphrase.
	83	*/
	84
	85	int key_plock(const char tag, key_data k, key_data *kt)
	86	{
	87	dstr d = DSTR_INIT;
59b2b448	88	octet b[RMD160_HASHSZ * 2];
	89	octet *m;
	90	size_t msz;
d11a0bf7	91	char buf[256];
	92
	93	/* --- Sanity check --- */
	94
	95	assert(((void)"Key data is already encrypted",
	96	(k->e & KF_ENCMASK) != KENC_ENCRYPT));
	97
59b2b448	98	/* --- Format the stuff in the buffer --- */
d11a0bf7	99
59b2b448	100	DENSURE(&d, RMD160_HASHSZ * 2);
	101	rand_get(RAND_GLOBAL, d.buf, RMD160_HASHSZ);
	102	d.len += RMD160_HASHSZ * 2;
d11a0bf7	103	key_encode(k, &d, 0);
	104	if (k == kt)
	105	key_destroy(k);
59b2b448	106	m = (octet )d.buf + RMD160_HASHSZ 2;
59b2b448	107	msz = d.len - RMD160_HASHSZ * 2;
d11a0bf7	108
59b2b448	109	/* --- Read the passphrase --- */
	110
	111	if (passphrase_read(tag, PMODE_VERIFY, buf, sizeof(buf))) {
	112	dstr_destroy(&d);
	113	return (-1);
	114	}
	115
	116	/* --- Hash the passphrase to make a key --- */
d11a0bf7	117
d11a0bf7	118	{
59b2b448	119	rmd160_mgfctx r;
	120	rmd160_mgfkeybegin(&r);
	121	rmd160_mgfkeyadd(&r, d.buf, RMD160_HASHSZ);
	122	rmd160_mgfkeyadd(&r, buf, strlen(buf));
	123	rmd160_mgfencrypt(&r, 0, b, sizeof(b));
	124	BURN(r);
d11a0bf7	125	BURN(buf);
	126	}
	127
59b2b448	128	/* --- Encrypt the plaintext --- */
d11a0bf7	129
	130	{
	131	blowfish_cbcctx c;
59b2b448	132	blowfish_cbcinit(&c, b, RMD160_HASHSZ, 0);
59b2b448	133	blowfish_cbcencrypt(&c, m, m, msz);
d11a0bf7	134	BURN(c);
	135	}
	136
59b2b448	137	/* --- MAC the ciphertext --- */
	138
	139	{
	140	rmd160_mackey mk;
	141	rmd160_macctx mc;
	142	rmd160_hmacinit(&mk, b + RMD160_HASHSZ, RMD160_HASHSZ);
	143	rmd160_macinit(&mc, &mk);
	144	rmd160_machash(&mc, m, msz);
	145	rmd160_macdone(&mc, d.buf + RMD160_HASHSZ);
	146	BURN(mk);
	147	BURN(mc);
	148	}
	149
	150	/* --- Done --- */
d11a0bf7	151
59b2b448	152	BURN(b);
d11a0bf7	153	key_encrypted(kt, d.buf, d.len);
	154	dstr_destroy(&d);
	155	return (0);
	156	}
	157
	158	/* --- @key_punlock@ --- *
	159	*
	160	* Arguments: @const char *tag@ = tag to use for passphrase
	161	* @key_data *k@ = source key data block
	162	* @key_data *kt@ = target key data block
	163	*
	164	* Returns: Zero if it worked, nonzero if it didn't.
	165	*
	166	* Use: Unlocks a passphrase-locked key.
	167	*/
	168
	169	int key_punlock(const char tag, key_data k, key_data *kt)
	170	{
59b2b448	171	octet b[RMD160_HASHSZ * 2];
d11a0bf7	172	char buf[256];
8ef2f81d	173	octet *p = 0;
d11a0bf7	174	size_t sz;
	175
	176	/* --- Sanity check --- */
	177
	178	assert(((void)"Key data isn't encrypted",
	179	(k->e & KF_ENCMASK) == KENC_ENCRYPT));
	180
8ef2f81d	181	/* --- Check the size --- */
d11a0bf7	182
59b2b448	183	if (k->u.k.sz < RMD160_HASHSZ * 2)
8ef2f81d	184	return (-1);
59b2b448	185	sz = k->u.k.sz - RMD160_HASHSZ * 2;
d11a0bf7	186
59b2b448	187	/* --- Fetch the passphrase --- */
d11a0bf7	188
59b2b448	189	if (passphrase_read(tag, PMODE_READ, buf, sizeof(buf)))
59b2b448	190	goto fail;
d11a0bf7	191
59b2b448	192	/* --- Hash the passphrase to make a key --- */
d11a0bf7	193
d11a0bf7	194	{
59b2b448	195	rmd160_mgfctx r;
	196	rmd160_mgfkeybegin(&r);
	197	rmd160_mgfkeyadd(&r, k->u.k.k, RMD160_HASHSZ);
	198	rmd160_mgfkeyadd(&r, buf, strlen(buf));
	199	rmd160_mgfencrypt(&r, 0, b, sizeof(b));
	200	BURN(r);
d11a0bf7	201	BURN(buf);
	202	}
	203
59b2b448	204	/* --- Verify the MAC --- */
	205
	206	{
	207	rmd160_mackey mk;
	208	rmd160_macctx mc;
	209	rmd160_hmacinit(&mk, b + RMD160_HASHSZ, RMD160_HASHSZ);
	210	rmd160_macinit(&mc, &mk);
8ef2f81d	211	rmd160_machash(&mc, k->u.k.k + RMD160_HASHSZ * 2, sz);
	212	rmd160_macdone(&mc, b + RMD160_HASHSZ);
	213	if (memcmp(b + RMD160_HASHSZ, k->u.k.k + RMD160_HASHSZ,
	214	RMD160_HASHSZ) != 0) {
d11a0bf7	215	passphrase_cancel(tag);
59b2b448	216	goto fail;
d11a0bf7	217	}
59b2b448	218	BURN(mk);
59b2b448	219	BURN(mc);
d11a0bf7	220	}
d11a0bf7	221
8ef2f81d	222	/* --- Allocate a destination buffer --- */
	223
	224	p = xmalloc(sz);
	225
	226	/* --- Decrypt the key data --- */
	227
	228	{
	229	blowfish_cbcctx c;
	230	blowfish_cbcinit(&c, b, RMD160_HASHSZ, 0);
	231	blowfish_cbcdecrypt(&c, k->u.k.k + RMD160_HASHSZ * 2, p, sz);
	232	BURN(c);
	233	}
	234
d11a0bf7	235	/* --- Decode the key data into the destination buffer --- */
	236
	237	if (k == kt) {
	238	key_destroy(k);
	239	passphrase_cancel(tag);
	240	}
59b2b448	241	if (key_decode(p, sz, kt))
59b2b448	242	goto fail;
d11a0bf7	243
	244	/* --- Done --- */
	245
	246	free(p);
	247	return (0);
	248
	249	/* --- Tidy up if things went wrong --- */
	250
59b2b448	251	fail:
59b2b448	252	BURN(b);
d11a0bf7	253	free(p);
d11a0bf7	254	return (-1);
	255	}
	256
	257	/----- That's all, folks -------------------------------------------------/