Fix distribution.

[u/mdw/catacomb] / key-pass.c

/* -*-c-*-
 *
 * $Id: key-pass.c,v 1.3 2004/03/27 00:04:19 mdw Exp $
 *
 * Encrypting keys with passphrases
 *
 * (c) 1999 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------* 
 *
 * This file is part of Catacomb.
 *
 * Catacomb is free software; you can redistribute it and/or modify
 * it under the terms of the GNU Library General Public License as
 * published by the Free Software Foundation; either version 2 of the
 * License, or (at your option) any later version.
 * 
 * Catacomb is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU Library General Public License for more details.
 * 
 * You should have received a copy of the GNU Library General Public
 * License along with Catacomb; if not, write to the Free
 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
 * MA 02111-1307, USA.
 */

/*----- Revision history --------------------------------------------------* 
 *
 * $Log: key-pass.c,v $
 * Revision 1.3  2004/03/27 00:04:19  mdw
 * INCOMPATIBLE CHANGE.  Use proper authentication on encrypted keys.
 *
 * Revision 1.2  2000/06/17 11:26:35  mdw
 * `rand_getgood' is deprecated.
 *
 * Revision 1.1  1999/12/22 15:47:48  mdw
 * Major key-management revision.
 *
 */

/*----- Header files ------------------------------------------------------*/

#include <mLib/dstr.h>

#include "key.h"
#include "paranoia.h"
#include "passphrase.h"
#include "rand.h"

#include "blowfish-cbc.h"
#include "rmd160.h"
#include "rmd160-mgf.h"
#include "rmd160-hmac.h"

/*----- Main code ---------------------------------------------------------*/

/* --- Format --- *
 *
 * Choose a random 160-bit string %$R$%.  Take the passphrase %$P$%, and
 * the message %$m$%.  Now, compute %$K_E \cat K_T = H(R \cat P)$%,
 * %$y_0 = E_{K_E}(m)$% and %$\tau = T_{K_T}(y_0)$%.  The ciphertext is
 * %$y = N \cat \tau \cat y_0$%.
 *
 * This is not the original format.  The original format was insecure, and
 * has been replaced incompatibly.
 */

/* --- @key_plock@ --- *
 *
 * Arguments:	@const char *tag@ = tag to use for passphrase
 *		@key_data *k@ = source key data block
 *		@key_data *kt@ = target key data block
 *
 * Returns:	Zero if successful, nonzero if there was a problem.
 *
 * Use:		Locks a key by encrypting it with a passphrase.
 */

int key_plock(const char *tag, key_data *k, key_data *kt)
{
  dstr d = DSTR_INIT;
  octet b[RMD160_HASHSZ * 2];
  octet *m;
  size_t msz;
  char buf[256];

  /* --- Sanity check --- */

  assert(((void)"Key data is already encrypted",
	  (k->e & KF_ENCMASK) != KENC_ENCRYPT));

  /* --- Format the stuff in the buffer --- */

  DENSURE(&d, RMD160_HASHSZ * 2);
  rand_get(RAND_GLOBAL, d.buf, RMD160_HASHSZ);
  d.len += RMD160_HASHSZ * 2;
  key_encode(k, &d, 0);
  if (k == kt)
    key_destroy(k);
  m = (octet *)d.buf + RMD160_HASHSZ * 2;
  msz = d.len - RMD160_HASHSZ * 2;

  /* --- Read the passphrase --- */

  if (passphrase_read(tag, PMODE_VERIFY, buf, sizeof(buf))) {
    dstr_destroy(&d);
    return (-1);
  }

  /* --- Hash the passphrase to make a key --- */

  {
    rmd160_mgfctx r;
    rmd160_mgfkeybegin(&r);
    rmd160_mgfkeyadd(&r, d.buf, RMD160_HASHSZ);
    rmd160_mgfkeyadd(&r, buf, strlen(buf));
    rmd160_mgfencrypt(&r, 0, b, sizeof(b));
    BURN(r);
    BURN(buf);
  }

  /* --- Encrypt the plaintext --- */

  {
    blowfish_cbcctx c;
    blowfish_cbcinit(&c, b, RMD160_HASHSZ, 0);
    blowfish_cbcencrypt(&c, m, m, msz);
    BURN(c);
  }

  /* --- MAC the ciphertext --- */

  {
    rmd160_mackey mk;
    rmd160_macctx mc;
    rmd160_hmacinit(&mk, b + RMD160_HASHSZ, RMD160_HASHSZ);
    rmd160_macinit(&mc, &mk);
    rmd160_machash(&mc, m, msz);
    rmd160_macdone(&mc, d.buf + RMD160_HASHSZ);
    BURN(mk);
    BURN(mc);
  }

  /* --- Done --- */

  BURN(b);
  key_encrypted(kt, d.buf, d.len);
  dstr_destroy(&d);
  return (0);
}

/* --- @key_punlock@ --- *
 *
 * Arguments:	@const char *tag@ = tag to use for passphrase
 *		@key_data *k@ = source key data block
 *		@key_data *kt@ = target key data block
 *
 * Returns:	Zero if it worked, nonzero if it didn't.
 *
 * Use:		Unlocks a passphrase-locked key.
 */

int key_punlock(const char *tag, key_data *k, key_data *kt)
{
  octet b[RMD160_HASHSZ * 2];
  char buf[256];
  octet *p;
  size_t sz;

  /* --- Sanity check --- */

  assert(((void)"Key data isn't encrypted",
	  (k->e & KF_ENCMASK) == KENC_ENCRYPT));

  /* --- Allocate a destination buffer --- */

  if (k->u.k.sz < RMD160_HASHSZ * 2)
    return (-1);;
  sz = k->u.k.sz - RMD160_HASHSZ * 2;
  p = xmalloc(k->u.k.sz);

  /* --- Fetch the passphrase --- */

  if (passphrase_read(tag, PMODE_READ, buf, sizeof(buf)))
    goto fail;

  /* --- Hash the passphrase to make a key --- */

  {
    rmd160_mgfctx r;
    rmd160_mgfkeybegin(&r);
    rmd160_mgfkeyadd(&r, k->u.k.k, RMD160_HASHSZ);
    rmd160_mgfkeyadd(&r, buf, strlen(buf));
    rmd160_mgfencrypt(&r, 0, b, sizeof(b));
    BURN(r);
    BURN(buf);
  }

  /* --- Decrypt the key data --- */

  {
    blowfish_cbcctx c;
    blowfish_cbcinit(&c, b, sizeof(b), 0);
    blowfish_cbcdecrypt(&c, k->u.k.k + RMD160_HASHSZ, p, sz);
    BURN(c);
  }

  /* --- Verify the MAC --- */

  {
    rmd160_mackey mk;
    rmd160_macctx mc;
    rmd160_hmacinit(&mk, b + RMD160_HASHSZ, RMD160_HASHSZ);
    rmd160_macinit(&mc, &mk);
    rmd160_machash(&mc, p, sz);
    rmd160_macdone(&mc, b);
    if (memcmp(b, k->u.k.k + RMD160_HASHSZ, RMD160_HASHSZ) != 0) {
      passphrase_cancel(tag);
      goto fail;
    }
    BURN(mk);
    BURN(mc);
  }

  /* --- Decode the key data into the destination buffer --- */

  if (k == kt) {
    key_destroy(k);
    passphrase_cancel(tag);
  }
  if (key_decode(p, sz, kt))
    goto fail;

  /* --- Done --- */

  free(p);
  return (0);

  /* --- Tidy up if things went wrong --- */

fail:
  BURN(b);
  free(p);
  return (-1);
}

/*----- That's all, folks -------------------------------------------------*/