git.distorted.org.uk Git - u/mdw/catacomb/blob - key-pass.c

   1 /* -*-c-*-
   2  *
   3  * $Id$
   4  *
   5  * Encrypting keys with passphrases
   6  *
   7  * (c) 1999 Straylight/Edgeware
   8  */
   9
  10 /*----- Licensing notice --------------------------------------------------*
  11  *
  12  * This file is part of Catacomb.
  13  *
  14  * Catacomb is free software; you can redistribute it and/or modify
  15  * it under the terms of the GNU Library General Public License as
  16  * published by the Free Software Foundation; either version 2 of the
  17  * License, or (at your option) any later version.
  18  *
  19  * Catacomb is distributed in the hope that it will be useful,
  20  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  21  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  22  * GNU Library General Public License for more details.
  23  *
  24  * You should have received a copy of the GNU Library General Public
  25  * License along with Catacomb; if not, write to the Free
  26  * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
  27  * MA 02111-1307, USA.
  28  */
  29
  30 /*----- Header files ------------------------------------------------------*/
  31
  32 #include <mLib/dstr.h>
  33
  34 #include "key.h"
  35 #include "paranoia.h"
  36 #include "passphrase.h"
  37 #include "rand.h"
  38
  39 #include "blowfish-cbc.h"
  40 #include "rmd160.h"
  41 #include "rmd160-mgf.h"
  42 #include "rmd160-hmac.h"
  43
  44 /*----- Main code ---------------------------------------------------------*/
  45
  46 /* --- Format --- *
  47  *
  48  * Choose a random 160-bit string %$R$%.  Take the passphrase %$P$%, and
  49  * the message %$m$%.  Now, compute %$K_E \cat K_T = H(R \cat P)$%,
  50  * %$y_0 = E_{K_E}(m)$% and %$\tau = T_{K_T}(y_0)$%.  The ciphertext is
  51  * %$y = N \cat \tau \cat y_0$%.
  52  *
  53  * This is not the original format.  The original format was insecure, and
  54  * has been replaced incompatibly.
  55  */
  56
  57 /* --- @key_lock@ --- *
  58  *
  59  * Arguments:   @key_data *kt@ = destination block
  60  *              @key_data *k@ = source key data block
  61  *              @const void *e@ = secret to encrypt key with
  62  *              @size_t esz@ = size of the secret
  63  *
  64  * Returns:     ---
  65  *
  66  * Use:         Encrypts a key data block using a secret.
  67  */
  68
  69 void key_lock(key_data *kt, key_data *k, const void *e, size_t esz)
  70 {
  71   dstr d = DSTR_INIT;
  72   octet b[RMD160_HASHSZ * 2];
  73   octet *m;
  74   size_t msz;
  75   rmd160_mgfctx r;
  76   blowfish_cbcctx c;
  77   rmd160_mackey mk;
  78   rmd160_macctx mc;
  79
  80   /* --- Sanity check --- */
  81
  82   assert(((void)"Key data is already encrypted",
  83           (k->e & KF_ENCMASK) != KENC_ENCRYPT));
  84
  85   /* --- Format the stuff in the buffer --- */
  86
  87   DENSURE(&d, RMD160_HASHSZ * 2);
  88   rand_get(RAND_GLOBAL, d.buf, RMD160_HASHSZ);
  89   d.len += RMD160_HASHSZ * 2;
  90   key_encode(k, &d, 0);
  91   if (k == kt)
  92     key_destroy(k);
  93   m = (octet *)d.buf + RMD160_HASHSZ * 2;
  94   msz = d.len - RMD160_HASHSZ * 2;
  95
  96   /* --- Hash the passphrase to make a key --- */
  97
  98   rmd160_mgfkeybegin(&r);
  99   rmd160_mgfkeyadd(&r, d.buf, RMD160_HASHSZ);
 100   rmd160_mgfkeyadd(&r, e, esz);
 101   rmd160_mgfencrypt(&r, 0, b, sizeof(b));
 102   BURN(r);
 103
 104   /* --- Encrypt the plaintext --- */
 105
 106   blowfish_cbcinit(&c, b, RMD160_HASHSZ, 0);
 107   blowfish_cbcencrypt(&c, m, m, msz);
 108   BURN(c);
 109
 110   /* --- MAC the ciphertext --- */
 111
 112   rmd160_hmacinit(&mk, b + RMD160_HASHSZ, RMD160_HASHSZ);
 113   rmd160_macinit(&mc, &mk);
 114   rmd160_machash(&mc, m, msz);
 115   rmd160_macdone(&mc, d.buf + RMD160_HASHSZ);
 116   BURN(mk);
 117   BURN(mc);
 118
 119   /* --- Done --- */
 120
 121   BURN(b);
 122   key_encrypted(kt, d.buf, d.len);
 123   dstr_destroy(&d);
 124 }
 125
 126 /* --- @key_unlock@ --- *
 127  *
 128  * Arguments:   @key_data *kt@ = target block
 129  *              @key_data *k@ = source key data block
 130  *              @const void *e@ = secret to decrypt the block with
 131  *              @size_t esz@ = size of the secret
 132  *
 133  * Returns:     Zero for success, or a @KERR_@ error code.
 134  *
 135  * Use:         Unlocks a key using a secret.
 136  */
 137
 138 int key_unlock(key_data *kt, key_data *k, const void *e, size_t esz)
 139 {
 140   octet b[RMD160_HASHSZ * 2];
 141   octet *p = 0;
 142   int rc;
 143   rmd160_mgfctx r;
 144   blowfish_cbcctx c;
 145   rmd160_mackey mk;
 146   rmd160_macctx mc;
 147   size_t sz;
 148
 149   /* --- Sanity check --- */
 150
 151   assert(((void)"Key data isn't encrypted",
 152           (k->e & KF_ENCMASK) == KENC_ENCRYPT));
 153
 154   /* --- Check the size --- */
 155
 156   if (k->u.k.sz < RMD160_HASHSZ * 2)
 157     return (KERR_MALFORMED);
 158   sz = k->u.k.sz - RMD160_HASHSZ * 2;
 159
 160   /* --- Hash the passphrase to make a key --- */
 161
 162   rmd160_mgfkeybegin(&r);
 163   rmd160_mgfkeyadd(&r, k->u.k.k, RMD160_HASHSZ);
 164   rmd160_mgfkeyadd(&r, e, esz);
 165   rmd160_mgfencrypt(&r, 0, b, sizeof(b));
 166   BURN(r);
 167
 168   /* --- Verify the MAC --- */
 169
 170   rmd160_hmacinit(&mk, b + RMD160_HASHSZ, RMD160_HASHSZ);
 171   rmd160_macinit(&mc, &mk);
 172   rmd160_machash(&mc, k->u.k.k + RMD160_HASHSZ * 2, sz);
 173   rmd160_macdone(&mc, b + RMD160_HASHSZ);
 174   if (memcmp(b + RMD160_HASHSZ, k->u.k.k + RMD160_HASHSZ,
 175              RMD160_HASHSZ) != 0) {
 176     rc = KERR_BADPASS;
 177     goto fail;
 178   }
 179   BURN(mk);
 180   BURN(mc);
 181
 182   /* --- Allocate a destination buffer --- */
 183
 184   p = xmalloc(sz);
 185
 186   /* --- Decrypt the key data --- */
 187
 188   blowfish_cbcinit(&c, b, RMD160_HASHSZ, 0);
 189   blowfish_cbcdecrypt(&c, k->u.k.k + RMD160_HASHSZ * 2, p, sz);
 190   BURN(c);
 191
 192   /* --- Decode the key data into the destination buffer --- */
 193
 194   if (k == kt)
 195     key_destroy(k);
 196   if (key_decode(p, sz, kt)) {
 197     rc = KERR_MALFORMED;
 198     goto fail;
 199   }
 200
 201   /* --- Done --- */
 202
 203   xfree(p);
 204   return (0);
 205
 206   /* --- Tidy up if things went wrong --- */
 207
 208 fail:
 209   BURN(b);
 210   xfree(p);
 211   return (rc);
 212 }
 213
 214 /* --- @key_plock@ --- *
 215  *
 216  * Arguments:   @const char *tag@ = tag to use for passphrase
 217  *              @key_data *k@ = source key data block
 218  *              @key_data *kt@ = target key data block
 219  *
 220  * Returns:     Zero if successful, a @KERR@ error code on failure.
 221  *
 222  * Use:         Locks a key by encrypting it with a passphrase.
 223  */
 224
 225 int key_plock(const char *tag, key_data *k, key_data *kt)
 226 {
 227   char buf[256];
 228
 229   if (passphrase_read(tag, PMODE_VERIFY, buf, sizeof(buf)))
 230     return (KERR_IO);
 231   key_lock(kt, k, buf, strlen(buf));
 232   BURN(buf);
 233   return (0);
 234 }
 235
 236 /* --- @key_punlock@ --- *
 237  *
 238  * Arguments:   @const char *tag@ = tag to use for passphrase
 239  *              @key_data *k@ = source key data block
 240  *              @key_data *kt@ = target key data block
 241  *
 242  * Returns:     Zero if it worked, a @KERR_@ error code on failure.
 243  *
 244  * Use:         Unlocks a passphrase-locked key.
 245  */
 246
 247 int key_punlock(const char *tag, key_data *k, key_data *kt)
 248 {
 249   char buf[256];
 250   int rc;
 251
 252   if (passphrase_read(tag, PMODE_READ, buf, sizeof(buf)))
 253     return (KERR_IO);
 254   rc = key_unlock(kt, k, buf, strlen(buf));
 255   BURN(buf);
 256   if (rc == KERR_BADPASS || k == kt)
 257     passphrase_cancel(tag);
 258   return (rc);
 259 }
 260
 261 /*----- That's all, folks -------------------------------------------------*/