chiark / gitweb /
math/t/{mpx,mpmont}: Add some extra tests for flushing out `mul4' bugs.
[catacomb] / key / key-pass.c
CommitLineData
d11a0bf7 1/* -*-c-*-
d11a0bf7 2 *
3 * Encrypting keys with passphrases
4 *
5 * (c) 1999 Straylight/Edgeware
6 */
7
45c0fd36 8/*----- Licensing notice --------------------------------------------------*
d11a0bf7 9 *
10 * This file is part of Catacomb.
11 *
12 * Catacomb is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU Library General Public License as
14 * published by the Free Software Foundation; either version 2 of the
15 * License, or (at your option) any later version.
45c0fd36 16 *
d11a0bf7 17 * Catacomb is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU Library General Public License for more details.
45c0fd36 21 *
d11a0bf7 22 * You should have received a copy of the GNU Library General Public
23 * License along with Catacomb; if not, write to the Free
24 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
25 * MA 02111-1307, USA.
26 */
27
d11a0bf7 28/*----- Header files ------------------------------------------------------*/
29
30#include <mLib/dstr.h>
31
0f9bd85a 32#include "key-data.h"
d11a0bf7 33#include "paranoia.h"
34#include "passphrase.h"
35#include "rand.h"
36
37#include "blowfish-cbc.h"
38#include "rmd160.h"
59b2b448 39#include "rmd160-mgf.h"
40#include "rmd160-hmac.h"
d11a0bf7 41
42/*----- Main code ---------------------------------------------------------*/
43
59b2b448 44/* --- Format --- *
45 *
46 * Choose a random 160-bit string %$R$%. Take the passphrase %$P$%, and
47 * the message %$m$%. Now, compute %$K_E \cat K_T = H(R \cat P)$%,
48 * %$y_0 = E_{K_E}(m)$% and %$\tau = T_{K_T}(y_0)$%. The ciphertext is
49 * %$y = N \cat \tau \cat y_0$%.
50 *
51 * This is not the original format. The original format was insecure, and
52 * has been replaced incompatibly.
53 */
54
1dda051b 55/* --- @key_lock@ --- *
d11a0bf7 56 *
ef13e9a4 57 * Arguments: @key_data **kt@ = where to store the destination pointer
58 * @key_data *k@ = source key data block or null to use @*kt@
1dda051b 59 * @const void *e@ = secret to encrypt key with
60 * @size_t esz@ = size of the secret
d11a0bf7 61 *
1dda051b 62 * Returns: ---
d11a0bf7 63 *
1dda051b 64 * Use: Encrypts a key data block using a secret.
d11a0bf7 65 */
66
ef13e9a4 67void key_lock(key_data **kt, key_data *k, const void *e, size_t esz)
d11a0bf7 68{
69 dstr d = DSTR_INIT;
59b2b448 70 octet b[RMD160_HASHSZ * 2];
71 octet *m;
72 size_t msz;
1dda051b 73 rmd160_mgfctx r;
74 blowfish_cbcctx c;
75 rmd160_mackey mk;
76 rmd160_macctx mc;
d11a0bf7 77
78 /* --- Sanity check --- */
79
ef13e9a4 80 if (k) key_incref(k); else k = *kt;
d11a0bf7 81 assert(((void)"Key data is already encrypted",
82 (k->e & KF_ENCMASK) != KENC_ENCRYPT));
83
59b2b448 84 /* --- Format the stuff in the buffer --- */
d11a0bf7 85
59b2b448 86 DENSURE(&d, RMD160_HASHSZ * 2);
87 rand_get(RAND_GLOBAL, d.buf, RMD160_HASHSZ);
88 d.len += RMD160_HASHSZ * 2;
d11a0bf7 89 key_encode(k, &d, 0);
59b2b448 90 m = (octet *)d.buf + RMD160_HASHSZ * 2;
91 msz = d.len - RMD160_HASHSZ * 2;
d11a0bf7 92
59b2b448 93 /* --- Hash the passphrase to make a key --- */
d11a0bf7 94
1dda051b 95 rmd160_mgfkeybegin(&r);
96 rmd160_mgfkeyadd(&r, d.buf, RMD160_HASHSZ);
97 rmd160_mgfkeyadd(&r, e, esz);
98 rmd160_mgfencrypt(&r, 0, b, sizeof(b));
99 BURN(r);
d11a0bf7 100
59b2b448 101 /* --- Encrypt the plaintext --- */
d11a0bf7 102
1dda051b 103 blowfish_cbcinit(&c, b, RMD160_HASHSZ, 0);
104 blowfish_cbcencrypt(&c, m, m, msz);
105 BURN(c);
d11a0bf7 106
59b2b448 107 /* --- MAC the ciphertext --- */
108
1dda051b 109 rmd160_hmacinit(&mk, b + RMD160_HASHSZ, RMD160_HASHSZ);
110 rmd160_macinit(&mc, &mk);
111 rmd160_machash(&mc, m, msz);
112 rmd160_macdone(&mc, d.buf + RMD160_HASHSZ);
113 BURN(mk);
114 BURN(mc);
59b2b448 115
116 /* --- Done --- */
d11a0bf7 117
59b2b448 118 BURN(b);
ef13e9a4 119 *kt = key_newencrypted(0, d.buf, d.len);
120 key_drop(k);
d11a0bf7 121 dstr_destroy(&d);
d11a0bf7 122}
123
1dda051b 124/* --- @key_unlock@ --- *
d11a0bf7 125 *
ef13e9a4 126 * Arguments: @key_data **kt@ = where to store the destination pointer
127 * @key_data *k@ = source key data block or null to use @*kt@
1dda051b 128 * @const void *e@ = secret to decrypt the block with
129 * @size_t esz@ = size of the secret
d11a0bf7 130 *
1dda051b 131 * Returns: Zero for success, or a @KERR_@ error code.
d11a0bf7 132 *
1dda051b 133 * Use: Unlocks a key using a secret.
d11a0bf7 134 */
135
ef13e9a4 136int key_unlock(key_data **kt, key_data *k, const void *e, size_t esz)
d11a0bf7 137{
59b2b448 138 octet b[RMD160_HASHSZ * 2];
8ef2f81d 139 octet *p = 0;
1dda051b 140 int rc;
ef13e9a4 141 int drop = 0;
142 key_data *kd;
1dda051b 143 rmd160_mgfctx r;
144 blowfish_cbcctx c;
145 rmd160_mackey mk;
146 rmd160_macctx mc;
d11a0bf7 147 size_t sz;
148
149 /* --- Sanity check --- */
150
ef13e9a4 151 if (!k) { k = *kt; drop = 1; }
d11a0bf7 152 assert(((void)"Key data isn't encrypted",
153 (k->e & KF_ENCMASK) == KENC_ENCRYPT));
154
8ef2f81d 155 /* --- Check the size --- */
d11a0bf7 156
59b2b448 157 if (k->u.k.sz < RMD160_HASHSZ * 2)
1dda051b 158 return (KERR_MALFORMED);
59b2b448 159 sz = k->u.k.sz - RMD160_HASHSZ * 2;
d11a0bf7 160
59b2b448 161 /* --- Hash the passphrase to make a key --- */
d11a0bf7 162
1dda051b 163 rmd160_mgfkeybegin(&r);
164 rmd160_mgfkeyadd(&r, k->u.k.k, RMD160_HASHSZ);
165 rmd160_mgfkeyadd(&r, e, esz);
166 rmd160_mgfencrypt(&r, 0, b, sizeof(b));
167 BURN(r);
d11a0bf7 168
59b2b448 169 /* --- Verify the MAC --- */
170
1dda051b 171 rmd160_hmacinit(&mk, b + RMD160_HASHSZ, RMD160_HASHSZ);
172 rmd160_macinit(&mc, &mk);
173 rmd160_machash(&mc, k->u.k.k + RMD160_HASHSZ * 2, sz);
174 rmd160_macdone(&mc, b + RMD160_HASHSZ);
175 if (memcmp(b + RMD160_HASHSZ, k->u.k.k + RMD160_HASHSZ,
176 RMD160_HASHSZ) != 0) {
177 rc = KERR_BADPASS;
178 goto fail;
d11a0bf7 179 }
1dda051b 180 BURN(mk);
181 BURN(mc);
d11a0bf7 182
8ef2f81d 183 /* --- Allocate a destination buffer --- */
184
185 p = xmalloc(sz);
186
187 /* --- Decrypt the key data --- */
188
1dda051b 189 blowfish_cbcinit(&c, b, RMD160_HASHSZ, 0);
190 blowfish_cbcdecrypt(&c, k->u.k.k + RMD160_HASHSZ * 2, p, sz);
191 BURN(c);
8ef2f81d 192
d11a0bf7 193 /* --- Decode the key data into the destination buffer --- */
194
ef13e9a4 195 if ((kd = key_decode(p, sz)) == 0) {
1dda051b 196 rc = KERR_MALFORMED;
59b2b448 197 goto fail;
1dda051b 198 }
ef13e9a4 199 *kt = kd;
d11a0bf7 200
201 /* --- Done --- */
202
12ed8a1f 203 xfree(p);
ef13e9a4 204 if (drop) key_drop(k);
d11a0bf7 205 return (0);
206
207 /* --- Tidy up if things went wrong --- */
208
59b2b448 209fail:
210 BURN(b);
12ed8a1f 211 xfree(p);
1dda051b 212 return (rc);
213}
214
215/* --- @key_plock@ --- *
216 *
ef13e9a4 217 * Arguments: @key_data **kt@ = where to store the destination pointer
218 * @key_data *k@ = source key data block or null to use @*kt@
219 * @const char *tag@ = tag to use for passphrase
1dda051b 220 *
221 * Returns: Zero if successful, a @KERR@ error code on failure.
222 *
223 * Use: Locks a key by encrypting it with a passphrase.
224 */
225
ef13e9a4 226int key_plock(key_data **kt, key_data *k, const char *tag)
1dda051b 227{
228 char buf[256];
229
230 if (passphrase_read(tag, PMODE_VERIFY, buf, sizeof(buf)))
231 return (KERR_IO);
232 key_lock(kt, k, buf, strlen(buf));
233 BURN(buf);
234 return (0);
235}
236
237/* --- @key_punlock@ --- *
238 *
ef13e9a4 239 * Arguments: @key_data **kt@ = where to store the destination pointer
240 * @key_data *k@ = source key data block or null to use @*kt@
241 * @const char *tag@ = tag to use for passphrase
1dda051b 242 *
243 * Returns: Zero if it worked, a @KERR_@ error code on failure.
244 *
245 * Use: Unlocks a passphrase-locked key.
246 */
247
ef13e9a4 248int key_punlock(key_data **kt, key_data *k, const char *tag)
1dda051b 249{
250 char buf[256];
251 int rc;
252
253 if (passphrase_read(tag, PMODE_READ, buf, sizeof(buf)))
254 return (KERR_IO);
255 rc = key_unlock(kt, k, buf, strlen(buf));
256 BURN(buf);
ef13e9a4 257 if (rc == KERR_BADPASS || !k)
1dda051b 258 passphrase_cancel(tag);
259 return (rc);
d11a0bf7 260}
261
262/*----- That's all, folks -------------------------------------------------*/