3 * $Id: key-pass.c,v 1.4 2004/03/28 01:58:26 mdw Exp $
5 * Encrypting keys with passphrases
7 * (c) 1999 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Catacomb.
14 * Catacomb is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU Library General Public License as
16 * published by the Free Software Foundation; either version 2 of the
17 * License, or (at your option) any later version.
19 * Catacomb is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU Library General Public License for more details.
24 * You should have received a copy of the GNU Library General Public
25 * License along with Catacomb; if not, write to the Free
26 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
30 /*----- Revision history --------------------------------------------------*
32 * $Log: key-pass.c,v $
33 * Revision 1.4 2004/03/28 01:58:26 mdw
34 * Ooops, fix all the bugs.
36 * Revision 1.3 2004/03/27 00:04:19 mdw
37 * INCOMPATIBLE CHANGE. Use proper authentication on encrypted keys.
39 * Revision 1.2 2000/06/17 11:26:35 mdw
40 * `rand_getgood' is deprecated.
42 * Revision 1.1 1999/12/22 15:47:48 mdw
43 * Major key-management revision.
47 /*----- Header files ------------------------------------------------------*/
49 #include <mLib/dstr.h>
53 #include "passphrase.h"
56 #include "blowfish-cbc.h"
58 #include "rmd160-mgf.h"
59 #include "rmd160-hmac.h"
61 /*----- Main code ---------------------------------------------------------*/
65 * Choose a random 160-bit string %$R$%. Take the passphrase %$P$%, and
66 * the message %$m$%. Now, compute %$K_E \cat K_T = H(R \cat P)$%,
67 * %$y_0 = E_{K_E}(m)$% and %$\tau = T_{K_T}(y_0)$%. The ciphertext is
68 * %$y = N \cat \tau \cat y_0$%.
70 * This is not the original format. The original format was insecure, and
71 * has been replaced incompatibly.
74 /* --- @key_plock@ --- *
76 * Arguments: @const char *tag@ = tag to use for passphrase
77 * @key_data *k@ = source key data block
78 * @key_data *kt@ = target key data block
80 * Returns: Zero if successful, nonzero if there was a problem.
82 * Use: Locks a key by encrypting it with a passphrase.
85 int key_plock(const char *tag
, key_data
*k
, key_data
*kt
)
88 octet b
[RMD160_HASHSZ
* 2];
93 /* --- Sanity check --- */
95 assert(((void)"Key data is already encrypted",
96 (k
->e
& KF_ENCMASK
) != KENC_ENCRYPT
));
98 /* --- Format the stuff in the buffer --- */
100 DENSURE(&d
, RMD160_HASHSZ
* 2);
101 rand_get(RAND_GLOBAL
, d
.buf
, RMD160_HASHSZ
);
102 d
.len
+= RMD160_HASHSZ
* 2;
103 key_encode(k
, &d
, 0);
106 m
= (octet
*)d
.buf
+ RMD160_HASHSZ
* 2;
107 msz
= d
.len
- RMD160_HASHSZ
* 2;
109 /* --- Read the passphrase --- */
111 if (passphrase_read(tag
, PMODE_VERIFY
, buf
, sizeof(buf
))) {
116 /* --- Hash the passphrase to make a key --- */
120 rmd160_mgfkeybegin(&r
);
121 rmd160_mgfkeyadd(&r
, d
.buf
, RMD160_HASHSZ
);
122 rmd160_mgfkeyadd(&r
, buf
, strlen(buf
));
123 rmd160_mgfencrypt(&r
, 0, b
, sizeof(b
));
128 /* --- Encrypt the plaintext --- */
132 blowfish_cbcinit(&c
, b
, RMD160_HASHSZ
, 0);
133 blowfish_cbcencrypt(&c
, m
, m
, msz
);
137 /* --- MAC the ciphertext --- */
142 rmd160_hmacinit(&mk
, b
+ RMD160_HASHSZ
, RMD160_HASHSZ
);
143 rmd160_macinit(&mc
, &mk
);
144 rmd160_machash(&mc
, m
, msz
);
145 rmd160_macdone(&mc
, d
.buf
+ RMD160_HASHSZ
);
153 key_encrypted(kt
, d
.buf
, d
.len
);
158 /* --- @key_punlock@ --- *
160 * Arguments: @const char *tag@ = tag to use for passphrase
161 * @key_data *k@ = source key data block
162 * @key_data *kt@ = target key data block
164 * Returns: Zero if it worked, nonzero if it didn't.
166 * Use: Unlocks a passphrase-locked key.
169 int key_punlock(const char *tag
, key_data
*k
, key_data
*kt
)
171 octet b
[RMD160_HASHSZ
* 2];
176 /* --- Sanity check --- */
178 assert(((void)"Key data isn't encrypted",
179 (k
->e
& KF_ENCMASK
) == KENC_ENCRYPT
));
181 /* --- Check the size --- */
183 if (k
->u
.k
.sz
< RMD160_HASHSZ
* 2)
185 sz
= k
->u
.k
.sz
- RMD160_HASHSZ
* 2;
187 /* --- Fetch the passphrase --- */
189 if (passphrase_read(tag
, PMODE_READ
, buf
, sizeof(buf
)))
192 /* --- Hash the passphrase to make a key --- */
196 rmd160_mgfkeybegin(&r
);
197 rmd160_mgfkeyadd(&r
, k
->u
.k
.k
, RMD160_HASHSZ
);
198 rmd160_mgfkeyadd(&r
, buf
, strlen(buf
));
199 rmd160_mgfencrypt(&r
, 0, b
, sizeof(b
));
204 /* --- Verify the MAC --- */
209 rmd160_hmacinit(&mk
, b
+ RMD160_HASHSZ
, RMD160_HASHSZ
);
210 rmd160_macinit(&mc
, &mk
);
211 rmd160_machash(&mc
, k
->u
.k
.k
+ RMD160_HASHSZ
* 2, sz
);
212 rmd160_macdone(&mc
, b
+ RMD160_HASHSZ
);
213 if (memcmp(b
+ RMD160_HASHSZ
, k
->u
.k
.k
+ RMD160_HASHSZ
,
214 RMD160_HASHSZ
) != 0) {
215 passphrase_cancel(tag
);
222 /* --- Allocate a destination buffer --- */
226 /* --- Decrypt the key data --- */
230 blowfish_cbcinit(&c
, b
, RMD160_HASHSZ
, 0);
231 blowfish_cbcdecrypt(&c
, k
->u
.k
.k
+ RMD160_HASHSZ
* 2, p
, sz
);
235 /* --- Decode the key data into the destination buffer --- */
239 passphrase_cancel(tag
);
241 if (key_decode(p
, sz
, kt
))
249 /* --- Tidy up if things went wrong --- */
257 /*----- That's all, folks -------------------------------------------------*/