git.distorted.org.uk Git - u/mdw/catacomb/blob - key-pass.c

   1 /* -*-c-*-
   2  *
   3  * $Id: key-pass.c,v 1.4 2004/03/28 01:58:26 mdw Exp $
   4  *
   5  * Encrypting keys with passphrases
   6  *
   7  * (c) 1999 Straylight/Edgeware
   8  */
   9
  10 /*----- Licensing notice --------------------------------------------------*
  11  *
  12  * This file is part of Catacomb.
  13  *
  14  * Catacomb is free software; you can redistribute it and/or modify
  15  * it under the terms of the GNU Library General Public License as
  16  * published by the Free Software Foundation; either version 2 of the
  17  * License, or (at your option) any later version.
  18  *
  19  * Catacomb is distributed in the hope that it will be useful,
  20  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  21  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  22  * GNU Library General Public License for more details.
  23  *
  24  * You should have received a copy of the GNU Library General Public
  25  * License along with Catacomb; if not, write to the Free
  26  * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
  27  * MA 02111-1307, USA.
  28  */
  29
  30 /*----- Revision history --------------------------------------------------*
  31  *
  32  * $Log: key-pass.c,v $
  33  * Revision 1.4  2004/03/28 01:58:26  mdw
  34  * Ooops, fix all the bugs.
  35  *
  36  * Revision 1.3  2004/03/27 00:04:19  mdw
  37  * INCOMPATIBLE CHANGE.  Use proper authentication on encrypted keys.
  38  *
  39  * Revision 1.2  2000/06/17 11:26:35  mdw
  40  * `rand_getgood' is deprecated.
  41  *
  42  * Revision 1.1  1999/12/22 15:47:48  mdw
  43  * Major key-management revision.
  44  *
  45  */
  46
  47 /*----- Header files ------------------------------------------------------*/
  48
  49 #include <mLib/dstr.h>
  50
  51 #include "key.h"
  52 #include "paranoia.h"
  53 #include "passphrase.h"
  54 #include "rand.h"
  55
  56 #include "blowfish-cbc.h"
  57 #include "rmd160.h"
  58 #include "rmd160-mgf.h"
  59 #include "rmd160-hmac.h"
  60
  61 /*----- Main code ---------------------------------------------------------*/
  62
  63 /* --- Format --- *
  64  *
  65  * Choose a random 160-bit string %$R$%.  Take the passphrase %$P$%, and
  66  * the message %$m$%.  Now, compute %$K_E \cat K_T = H(R \cat P)$%,
  67  * %$y_0 = E_{K_E}(m)$% and %$\tau = T_{K_T}(y_0)$%.  The ciphertext is
  68  * %$y = N \cat \tau \cat y_0$%.
  69  *
  70  * This is not the original format.  The original format was insecure, and
  71  * has been replaced incompatibly.
  72  */
  73
  74 /* --- @key_plock@ --- *
  75  *
  76  * Arguments:   @const char *tag@ = tag to use for passphrase
  77  *              @key_data *k@ = source key data block
  78  *              @key_data *kt@ = target key data block
  79  *
  80  * Returns:     Zero if successful, nonzero if there was a problem.
  81  *
  82  * Use:         Locks a key by encrypting it with a passphrase.
  83  */
  84
  85 int key_plock(const char *tag, key_data *k, key_data *kt)
  86 {
  87   dstr d = DSTR_INIT;
  88   octet b[RMD160_HASHSZ * 2];
  89   octet *m;
  90   size_t msz;
  91   char buf[256];
  92
  93   /* --- Sanity check --- */
  94
  95   assert(((void)"Key data is already encrypted",
  96           (k->e & KF_ENCMASK) != KENC_ENCRYPT));
  97
  98   /* --- Format the stuff in the buffer --- */
  99
 100   DENSURE(&d, RMD160_HASHSZ * 2);
 101   rand_get(RAND_GLOBAL, d.buf, RMD160_HASHSZ);
 102   d.len += RMD160_HASHSZ * 2;
 103   key_encode(k, &d, 0);
 104   if (k == kt)
 105     key_destroy(k);
 106   m = (octet *)d.buf + RMD160_HASHSZ * 2;
 107   msz = d.len - RMD160_HASHSZ * 2;
 108
 109   /* --- Read the passphrase --- */
 110
 111   if (passphrase_read(tag, PMODE_VERIFY, buf, sizeof(buf))) {
 112     dstr_destroy(&d);
 113     return (-1);
 114   }
 115
 116   /* --- Hash the passphrase to make a key --- */
 117
 118   {
 119     rmd160_mgfctx r;
 120     rmd160_mgfkeybegin(&r);
 121     rmd160_mgfkeyadd(&r, d.buf, RMD160_HASHSZ);
 122     rmd160_mgfkeyadd(&r, buf, strlen(buf));
 123     rmd160_mgfencrypt(&r, 0, b, sizeof(b));
 124     BURN(r);
 125     BURN(buf);
 126   }
 127
 128   /* --- Encrypt the plaintext --- */
 129
 130   {
 131     blowfish_cbcctx c;
 132     blowfish_cbcinit(&c, b, RMD160_HASHSZ, 0);
 133     blowfish_cbcencrypt(&c, m, m, msz);
 134     BURN(c);
 135   }
 136
 137   /* --- MAC the ciphertext --- */
 138
 139   {
 140     rmd160_mackey mk;
 141     rmd160_macctx mc;
 142     rmd160_hmacinit(&mk, b + RMD160_HASHSZ, RMD160_HASHSZ);
 143     rmd160_macinit(&mc, &mk);
 144     rmd160_machash(&mc, m, msz);
 145     rmd160_macdone(&mc, d.buf + RMD160_HASHSZ);
 146     BURN(mk);
 147     BURN(mc);
 148   }
 149
 150   /* --- Done --- */
 151
 152   BURN(b);
 153   key_encrypted(kt, d.buf, d.len);
 154   dstr_destroy(&d);
 155   return (0);
 156 }
 157
 158 /* --- @key_punlock@ --- *
 159  *
 160  * Arguments:   @const char *tag@ = tag to use for passphrase
 161  *              @key_data *k@ = source key data block
 162  *              @key_data *kt@ = target key data block
 163  *
 164  * Returns:     Zero if it worked, nonzero if it didn't.
 165  *
 166  * Use:         Unlocks a passphrase-locked key.
 167  */
 168
 169 int key_punlock(const char *tag, key_data *k, key_data *kt)
 170 {
 171   octet b[RMD160_HASHSZ * 2];
 172   char buf[256];
 173   octet *p = 0;
 174   size_t sz;
 175
 176   /* --- Sanity check --- */
 177
 178   assert(((void)"Key data isn't encrypted",
 179           (k->e & KF_ENCMASK) == KENC_ENCRYPT));
 180
 181   /* --- Check the size --- */
 182
 183   if (k->u.k.sz < RMD160_HASHSZ * 2)
 184     return (-1);
 185   sz = k->u.k.sz - RMD160_HASHSZ * 2;
 186
 187   /* --- Fetch the passphrase --- */
 188
 189   if (passphrase_read(tag, PMODE_READ, buf, sizeof(buf)))
 190     goto fail;
 191
 192   /* --- Hash the passphrase to make a key --- */
 193
 194   {
 195     rmd160_mgfctx r;
 196     rmd160_mgfkeybegin(&r);
 197     rmd160_mgfkeyadd(&r, k->u.k.k, RMD160_HASHSZ);
 198     rmd160_mgfkeyadd(&r, buf, strlen(buf));
 199     rmd160_mgfencrypt(&r, 0, b, sizeof(b));
 200     BURN(r);
 201     BURN(buf);
 202   }
 203
 204   /* --- Verify the MAC --- */
 205
 206   {
 207     rmd160_mackey mk;
 208     rmd160_macctx mc;
 209     rmd160_hmacinit(&mk, b + RMD160_HASHSZ, RMD160_HASHSZ);
 210     rmd160_macinit(&mc, &mk);
 211     rmd160_machash(&mc, k->u.k.k + RMD160_HASHSZ * 2, sz);
 212     rmd160_macdone(&mc, b + RMD160_HASHSZ);
 213     if (memcmp(b + RMD160_HASHSZ, k->u.k.k + RMD160_HASHSZ,
 214                RMD160_HASHSZ) != 0) {
 215       passphrase_cancel(tag);
 216       goto fail;
 217     }
 218     BURN(mk);
 219     BURN(mc);
 220   }
 221
 222   /* --- Allocate a destination buffer --- */
 223
 224   p = xmalloc(sz);
 225
 226   /* --- Decrypt the key data --- */
 227
 228   {
 229     blowfish_cbcctx c;
 230     blowfish_cbcinit(&c, b, RMD160_HASHSZ, 0);
 231     blowfish_cbcdecrypt(&c, k->u.k.k + RMD160_HASHSZ * 2, p, sz);
 232     BURN(c);
 233   }
 234
 235   /* --- Decode the key data into the destination buffer --- */
 236
 237   if (k == kt) {
 238     key_destroy(k);
 239     passphrase_cancel(tag);
 240   }
 241   if (key_decode(p, sz, kt))
 242     goto fail;
 243
 244   /* --- Done --- */
 245
 246   free(p);
 247   return (0);
 248
 249   /* --- Tidy up if things went wrong --- */
 250
 251 fail:
 252   BURN(b);
 253   free(p);
 254   return (-1);
 255 }
 256
 257 /*----- That's all, folks -------------------------------------------------*/