/* -*-c-*-
*
- * $Id: key-pass.c,v 1.3 2004/03/27 00:04:19 mdw Exp $
+ * $Id: key-pass.c,v 1.5 2004/04/08 01:36:15 mdw Exp $
*
* Encrypting keys with passphrases
*
* MA 02111-1307, USA.
*/
-/*----- Revision history --------------------------------------------------*
- *
- * $Log: key-pass.c,v $
- * Revision 1.3 2004/03/27 00:04:19 mdw
- * INCOMPATIBLE CHANGE. Use proper authentication on encrypted keys.
- *
- * Revision 1.2 2000/06/17 11:26:35 mdw
- * `rand_getgood' is deprecated.
- *
- * Revision 1.1 1999/12/22 15:47:48 mdw
- * Major key-management revision.
- *
- */
-
/*----- Header files ------------------------------------------------------*/
#include <mLib/dstr.h>
{
octet b[RMD160_HASHSZ * 2];
char buf[256];
- octet *p;
+ octet *p = 0;
size_t sz;
/* --- Sanity check --- */
assert(((void)"Key data isn't encrypted",
(k->e & KF_ENCMASK) == KENC_ENCRYPT));
- /* --- Allocate a destination buffer --- */
+ /* --- Check the size --- */
if (k->u.k.sz < RMD160_HASHSZ * 2)
- return (-1);;
+ return (-1);
sz = k->u.k.sz - RMD160_HASHSZ * 2;
- p = xmalloc(k->u.k.sz);
/* --- Fetch the passphrase --- */
BURN(buf);
}
- /* --- Decrypt the key data --- */
-
- {
- blowfish_cbcctx c;
- blowfish_cbcinit(&c, b, sizeof(b), 0);
- blowfish_cbcdecrypt(&c, k->u.k.k + RMD160_HASHSZ, p, sz);
- BURN(c);
- }
-
/* --- Verify the MAC --- */
{
rmd160_macctx mc;
rmd160_hmacinit(&mk, b + RMD160_HASHSZ, RMD160_HASHSZ);
rmd160_macinit(&mc, &mk);
- rmd160_machash(&mc, p, sz);
- rmd160_macdone(&mc, b);
- if (memcmp(b, k->u.k.k + RMD160_HASHSZ, RMD160_HASHSZ) != 0) {
+ rmd160_machash(&mc, k->u.k.k + RMD160_HASHSZ * 2, sz);
+ rmd160_macdone(&mc, b + RMD160_HASHSZ);
+ if (memcmp(b + RMD160_HASHSZ, k->u.k.k + RMD160_HASHSZ,
+ RMD160_HASHSZ) != 0) {
passphrase_cancel(tag);
goto fail;
}
BURN(mc);
}
+ /* --- Allocate a destination buffer --- */
+
+ p = xmalloc(sz);
+
+ /* --- Decrypt the key data --- */
+
+ {
+ blowfish_cbcctx c;
+ blowfish_cbcinit(&c, b, RMD160_HASHSZ, 0);
+ blowfish_cbcdecrypt(&c, k->u.k.k + RMD160_HASHSZ * 2, p, sz);
+ BURN(c);
+ }
+
/* --- Decode the key data into the destination buffer --- */
if (k == kt) {