3 * Key loading and storing
5 * (c) 2001 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Trivial IP Encryption (TrIPE).
12 * TrIPE is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU General Public License as published by
14 * the Free Software Foundation; either version 2 of the License, or
15 * (at your option) any later version.
17 * TrIPE is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
22 * You should have received a copy of the GNU General Public License
23 * along with TrIPE; if not, write to the Free Software Foundation,
24 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
27 /*----- Header files ------------------------------------------------------*/
31 /*----- Global variables --------------------------------------------------*/
39 /*----- Static variables --------------------------------------------------*/
41 static key_file
*kf_pub
;
42 static const char *kr_priv
, *kr_pub
, *tag_priv
;
43 static fwatch w_priv
, w_pub
;
45 /*----- Key groups --------------------------------------------------------*/
47 typedef struct kgops
{
49 const char *(*loadpriv
)(key_data
*, group
**, mp
**, dstr
*);
50 const char *(*loadpub
)(key_data
*, group
**, ge
**, dstr
*);
53 /* --- Diffie-Hellman --- */
55 static const char *kgdh_priv(key_data
*kd
, group
**g
, mp
**x
, dstr
*t
)
57 key_packstruct kps
[DH_PRIVFETCHSZ
];
63 kp
= key_fetchinit(dh_privfetch
, kps
, &dp
);
64 if ((rc
= key_unpack(kp
, kd
, t
)) != 0) {
68 *g
= group_prime(&dp
.dp
);
76 static const char *kgdh_pub(key_data
*kd
, group
**g
, ge
**p
, dstr
*t
)
78 key_packstruct kps
[DH_PUBFETCHSZ
];
84 kp
= key_fetchinit(dh_pubfetch
, kps
, &dp
);
85 if ((rc
= key_unpack(kp
, kd
, t
)) != 0) {
89 *g
= group_prime(&dp
.dp
);
91 if (G_FROMINT(*g
, *p
, dp
.y
)) {
92 e
= "bad public value";
101 static const kgops kgdh_ops
= { "tripe-dh", kgdh_priv
, kgdh_pub
};
103 /* --- Elliptic curve --- */
105 static const char *kgec_priv(key_data
*kd
, group
**g
, mp
**x
, dstr
*t
)
107 key_packstruct kps
[EC_PRIVFETCHSZ
];
114 kp
= key_fetchinit(ec_privfetch
, kps
, &ep
);
115 if ((rc
= key_unpack(kp
, kd
, t
)) != 0) {
116 e
= key_strerror(rc
);
119 if ((e
= ec_getinfo(&ei
, ep
.cstr
)) != 0)
129 static const char *kgec_pub(key_data
*kd
, group
**g
, ge
**p
, dstr
*t
)
131 key_packstruct kps
[EC_PUBFETCHSZ
];
138 kp
= key_fetchinit(ec_pubfetch
, kps
, &ep
);
139 if ((rc
= key_unpack(kp
, kd
, t
)) != 0) {
140 e
= key_strerror(rc
);
143 if ((e
= ec_getinfo(&ei
, ep
.cstr
)) != 0)
147 if (G_FROMEC(*g
, *p
, &ep
.p
)) {
148 e
= "bad public point";
157 static const kgops kgec_ops
= { "tripe-ec", kgec_priv
, kgec_pub
};
159 /* --- Table of supported key types --- */
161 static const kgops
*kgtab
[] = { &kgdh_ops
, &kgec_ops
, 0 };
163 /*----- Algswitch stuff ---------------------------------------------------*/
165 /* --- @algs_get@ --- *
167 * Arguments: @algswitch *a@ = where to put the algorithms
168 * @key_file *kf@ = key file (for some stupid reason)
169 * @key *k@ = key to inspect
171 * Returns: Null if OK, or an error message.
173 * Use: Extracts an algorithm choice from a key.
176 static const char *algs_get(algswitch
*a
, key_file
*kf
, key
*k
)
183 #define FAIL(msg) do { e = msg; goto done; } while (0)
185 if ((p
= key_getattr(kf
, k
, "cipher")) == 0)
187 if ((a
->c
= gcipher_byname(p
)) == 0)
188 FAIL("unknown-cipher");
190 if ((p
= key_getattr(kf
, k
, "hash")) == 0)
192 if ((a
->h
= ghash_byname(p
)) == 0)
193 FAIL("unknown-hash");
195 if ((p
= key_getattr(kf
, k
, "mgf")) == 0) {
197 dstr_putf(&d
, "%s-mgf", a
->h
->name
);
200 if ((a
->mgf
= gcipher_byname(p
)) == 0)
201 FAIL("unknown-mgf-cipher");
203 if ((p
= key_getattr(kf
, k
, "mac")) != 0) {
206 if ((q
= strchr(d
.buf
, '/')) != 0)
208 if ((a
->m
= gmac_byname(d
.buf
)) == 0)
211 a
->tagsz
= a
->m
->hashsz
;
213 unsigned long n
= strtoul(q
, &q
, 0);
214 if (*q
) FAIL("bad-tag-length-string");
215 if (n
%8 || n
> ~(size_t)0) FAIL("bad-tag-length");
220 dstr_putf(&d
, "%s-hmac", a
->h
->name
);
221 if ((a
->m
= gmac_byname(d
.buf
)) == 0)
222 FAIL("no-hmac-for-hash");
223 a
->tagsz
= a
->h
->hashsz
/2;
232 /* --- @algs_check@ --- *
234 * Arguments: @algswitch *a@ = a choice of algorithms
235 * @const group *g@ = the group we're working in
237 * Returns: Null if OK, or an error message.
239 * Use: Checks an algorithm choice for sensibleness. This also
240 * derives some useful information from the choices, and you
241 * must call this before committing the algorithm selection
242 * for use by @keyset@ functions.
245 static const char *algs_check(algswitch
*a
, const group
*g
)
247 /* --- Derive the key sizes --- *
249 * Must ensure that we have non-empty keys. This isn't ideal, but it
250 * provides a handy sanity check. Also must be based on a 64- or 128-bit
251 * block cipher or we can't do the data expiry properly.
254 a
->hashsz
= a
->h
->hashsz
;
255 if ((a
->cksz
= keysz(a
->hashsz
, a
->c
->keysz
)) == 0)
256 return ("no key size found for cipher");
257 if ((a
->mksz
= keysz(a
->hashsz
, a
->m
->keysz
)) == 0)
258 return ("no key size found for MAC");
260 /* --- Derive the data limit --- */
262 if (a
->c
->blksz
< 16) a
->expsz
= MEG(64);
263 else a
->expsz
= MEG(2048);
265 /* --- Ensure that the tag size is sane --- */
267 if (a
->tagsz
> a
->m
->hashsz
) return ("tag length too large");
269 /* --- Ensure the MGF accepts hashes as keys --- */
271 if (keysz(a
->hashsz
, a
->mgf
->keysz
) != a
->hashsz
)
272 return ("MGF not suitable -- restrictive key schedule");
274 /* --- All ship-shape and Bristol-fashion --- */
279 /* --- @algs_samep@ --- *
281 * Arguments: @const algswitch *a, *aa@ = two algorithm selections
283 * Returns: Nonzero if the two selections are the same.
285 * Use: Checks sameness of algorithm selections: used to ensure that
286 * peers are using sensible algorithms.
289 static int algs_samep(const algswitch
*a
, const algswitch
*aa
)
291 return (a
->c
== aa
->c
&& a
->mgf
== aa
->mgf
&& a
->h
== aa
->h
&&
292 a
->m
== aa
->m
&& a
->tagsz
== aa
->tagsz
);
295 /*----- Main code ---------------------------------------------------------*/
297 /* --- @keymoan@ --- *
299 * Arguments: @const char *file@ = name of the file
300 * @int line@ = line number in file
301 * @const char *msg@ = error message
302 * @void *p@ = argument pointer
306 * Use: Reports an error message about loading a key file.
309 static void keymoan(const char *file
, int line
, const char *msg
, void *p
)
318 /* --- @loadpriv@ --- *
320 * Arguments: @dstr *d@ = string to write errors in
322 * Returns: Zero if OK, nonzero on error.
324 * Use: Loads the private key from its keyfile.
327 static int loadpriv(dstr
*d
)
340 /* --- Open the private key file --- */
342 if (key_open(&kf
, kr_priv
, KOPEN_READ
, keymoan
, 0)) {
343 dstr_putf(d
, "error reading private keyring `%s': %s",
344 kr_priv
, strerror(errno
));
348 /* --- Find the private key --- */
350 if (key_qtag(&kf
, tag_priv
, &t
, &k
, &kd
)) {
351 dstr_putf(d
, "private key `%s' not found in keyring `%s'",
356 /* --- Look up the key type in the table --- */
358 for (ko
= kgtab
; *ko
; ko
++) {
359 if (strcmp((*ko
)->ty
, k
->type
) == 0)
362 dstr_putf(d
, "private key `%s' has unknown type `%s'", t
.buf
, k
->type
);
366 /* --- Load the key --- */
368 if ((e
= (*ko
)->loadpriv(*kd
, &g
, &x
, &t
)) != 0) {
369 dstr_putf(d
, "error reading private key `%s': %s", t
.buf
, e
);
373 /* --- Check that the key is sensible --- */
375 if ((e
= G_CHECK(g
, &rand_global
)) != 0) {
376 dstr_putf(d
, "bad group in private key `%s': %s", t
.buf
, e
);
380 /* --- Collect the algorithms --- */
382 if ((e
= algs_get(&a
, &kf
, k
)) != 0 ||
383 (e
= algs_check(&a
, g
)) != 0) {
384 dstr_putf(d
, "bad symmetric algorithm selection in private key `%s': %s",
389 /* --- Good, we're happy --- *
391 * Dodginess! We change the group over here, but don't free any old group
392 * elements. This assumes that the new group is basically the same as the
393 * old one, and will happily adopt the existing elements. If it isn't,
394 * then we lose badly. Check this, then.
398 if (!group_samep(g
, gg
)) {
399 dstr_putf(d
, "private key `%s' has different group", t
.buf
);
410 G_EXP(g
, kpub
, g
->g
, x
);
411 indexsz
= mp_octets(g
->r
);
413 /* --- Dump out the group --- */
415 IF_TRACING(T_KEYMGMT
, {
416 trace(T_KEYMGMT
, "keymgmt: extracted private key `%s'", t
.buf
);
417 IF_TRACING(T_CRYPTO
, {
418 trace(T_CRYPTO
, "crypto: r = %s", mpstr(g
->r
));
419 trace(T_CRYPTO
, "crypto: h = %s", mpstr(g
->h
));
420 trace(T_CRYPTO
, "crypto: x = %s", mpstr(x
));
421 trace(T_CRYPTO
, "crypto: cipher = %s", a
.c
->name
);
422 trace(T_CRYPTO
, "crypto: mgf = %s", a
.mgf
->name
);
423 trace(T_CRYPTO
, "crypto: hash = %s", a
.h
->name
);
424 trace(T_CRYPTO
, "crypto: mac = %s/%lu",
425 a
.m
->name
, (unsigned long)a
.tagsz
* 8);
429 /* --- Success! --- */
436 /* --- Tidy up --- */
443 if (g
) G_DESTROYGROUP(g
);
447 /* --- @loadpub@ --- *
449 * Arguments: @dstr *d@ = string to write errors to
451 * Returns: Zero if OK, nonzero on error.
453 * Use: Reloads the public keyring.
456 static int loadpub(dstr
*d
)
458 key_file
*kf
= CREATE(key_file
);
460 if (key_open(kf
, kr_pub
, KOPEN_READ
, keymoan
, 0)) {
461 dstr_putf(d
, "error reading public keyring `%s': %s",
462 kr_pub
, strerror(errno
));
467 T( trace(T_KEYMGMT
, "keymgmt: loaded public keyring `%s'", kr_pub
); )
471 /* --- @km_reload@ --- *
475 * Returns: Zero if OK, nonzero to force reloading of keys.
477 * Use: Checks the keyrings to see if they need reloading.
486 /* --- Check the private key first --- */
488 if (fwatch_update(&w_priv
, kr_priv
)) {
489 T( trace(T_KEYMGMT
, "keymgmt: private keyring updated: reloading..."); )
492 a_warn("KEYMGMT", "bad-private-key", "%s", d
.buf
, A_END
);
497 /* --- Now check the public keys --- */
499 if (fwatch_update(&w_pub
, kr_pub
)) {
500 T( trace(T_KEYMGMT
, "keymgmt: public keyring updated: reloading..."); )
504 a_warn("KEYMGMT", "bad-public-keyring", "%s", d
.buf
, A_END
);
517 /* --- @km_init@ --- *
519 * Arguments: @const char *priv@ = private keyring file
520 * @const char *pub@ = public keyring file
521 * @const char *tag@ = tag to load
525 * Use: Initializes, and loads the private key.
528 void km_init(const char *priv
, const char *pub
, const char *tag
)
531 const gchash
*const *hh
;
536 fwatch_init(&w_priv
, kr_priv
);
537 fwatch_init(&w_pub
, kr_pub
);
539 for (hh
= ghashtab
; *hh
; hh
++) {
540 if ((*hh
)->hashsz
> MAXHASHSZ
) {
541 die(EXIT_FAILURE
, "INTERNAL ERROR: %s hash length %lu > MAXHASHSZ %d",
542 (*hh
)->name
, (unsigned long)(*hh
)->hashsz
, MAXHASHSZ
);
548 die(EXIT_FAILURE
, "%s", d
.buf
);
550 die(EXIT_FAILURE
, "%s", d
.buf
);
553 /* --- @km_getpubkey@ --- *
555 * Arguments: @const char *tag@ = public key tag to load
556 * @ge *kpub@ = where to put the public key
557 * @time_t *t_exp@ = where to put the expiry time
559 * Returns: Zero if OK, nonzero if it failed.
561 * Use: Fetches a public key from the keyring.
564 int km_getpubkey(const char *tag
, ge
*kpub
, time_t *t_exp
)
576 /* --- Find the key --- */
578 if (key_qtag(kf_pub
, tag
, &t
, &k
, &kd
)) {
579 a_warn("KEYMGMT", "public-key", "%s", tag
, "not-found", A_END
);
583 /* --- Look up the key type in the table --- */
585 for (ko
= kgtab
; *ko
; ko
++) {
586 if (strcmp((*ko
)->ty
, k
->type
) == 0)
590 "public-key", "%s", t
.buf
,
591 "unknown-type", "%s", k
->type
,
596 /* --- Load the key --- */
598 if ((e
= (*ko
)->loadpub(*kd
, &g
, &p
, &t
)) != 0) {
599 a_warn("KEYMGMT", "public-key", "%s", t
.buf
, "bad", "%s", e
, A_END
);
603 /* --- Ensure that the group is correct --- *
605 * Dodginess! We assume that if this works, our global group is willing to
606 * adopt this public element. Probably reasonable.
609 if (!group_samep(gg
, g
)) {
610 a_warn("KEYMGMT", "public-key", "%s", t
.buf
, "incorrect-group", A_END
);
614 /* --- Check the public group element --- */
616 if (group_check(gg
, p
)) {
618 "public-key", "%s", t
.buf
,
619 "bad-public-group-element",
624 /* --- Check the algorithms --- */
626 if ((e
= algs_get(&a
, kf_pub
, k
)) != 0) {
628 "public-key", "%s", t
.buf
,
629 "bad-algorithm-selection", e
,
633 if (!algs_samep(&a
, &algs
)) {
635 "public-key", "%s", t
.buf
,
636 "algorithm-mismatch",
641 /* --- Dump the public key --- */
643 IF_TRACING(T_KEYMGMT
, {
644 trace(T_KEYMGMT
, "keymgmt: extracted public key `%s'", t
.buf
);
645 trace(T_CRYPTO
, "crypto: p = %s", gestr(gg
, p
));
648 /* --- OK, accept the public key --- */
654 /* --- Tidy up --- */
657 if (p
) G_DESTROY(g
, p
);
658 if (g
) G_DESTROYGROUP(g
);
663 /*----- That's all, folks -------------------------------------------------*/