3 * Encrypting keys with passphrases
5 * (c) 1999 Straylight/Edgeware
8 /*----- Licensing notice --------------------------------------------------*
10 * This file is part of Catacomb.
12 * Catacomb is free software; you can redistribute it and/or modify
13 * it under the terms of the GNU Library General Public License as
14 * published by the Free Software Foundation; either version 2 of the
15 * License, or (at your option) any later version.
17 * Catacomb is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU Library General Public License for more details.
22 * You should have received a copy of the GNU Library General Public
23 * License along with Catacomb; if not, write to the Free
24 * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
28 /*----- Header files ------------------------------------------------------*/
30 #include <mLib/dstr.h>
35 #include "passphrase.h"
38 #include "blowfish-cbc.h"
40 #include "rmd160-mgf.h"
41 #include "rmd160-hmac.h"
43 /*----- Main code ---------------------------------------------------------*/
47 * Choose a random 160-bit string %$R$%. Take the passphrase %$P$%, and
48 * the message %$m$%. Now, compute %$K_E \cat K_T = H(R \cat P)$%,
49 * %$y_0 = E_{K_E}(m)$% and %$\tau = T_{K_T}(y_0)$%. The ciphertext is
50 * %$y = N \cat \tau \cat y_0$%.
52 * This is not the original format. The original format was insecure, and
53 * has been replaced incompatibly.
56 /* --- @key_lock@ --- *
58 * Arguments: @key_data **kt@ = where to store the destination pointer
59 * @key_data *k@ = source key data block or null to use @*kt@
60 * @const void *e@ = secret to encrypt key with
61 * @size_t esz@ = size of the secret
65 * Use: Encrypts a key data block using a secret.
68 void key_lock(key_data **kt, key_data *k, const void *e, size_t esz)
71 octet b[RMD160_HASHSZ * 2];
79 /* --- Sanity check --- */
81 if (k) key_incref(k); else k = *kt;
82 assert(((void)"Key data is already encrypted",
83 (k->e & KF_ENCMASK) != KENC_ENCRYPT));
85 /* --- Format the stuff in the buffer --- */
87 DENSURE(&d, RMD160_HASHSZ * 2);
88 rand_get(RAND_GLOBAL, d.buf, RMD160_HASHSZ);
89 d.len += RMD160_HASHSZ * 2;
91 m = (octet *)d.buf + RMD160_HASHSZ * 2;
92 msz = d.len - RMD160_HASHSZ * 2;
94 /* --- Hash the passphrase to make a key --- */
96 rmd160_mgfkeybegin(&r);
97 rmd160_mgfkeyadd(&r, d.buf, RMD160_HASHSZ);
98 rmd160_mgfkeyadd(&r, e, esz);
99 rmd160_mgfencrypt(&r, 0, b, sizeof(b));
102 /* --- Encrypt the plaintext --- */
104 blowfish_cbcinit(&c, b, RMD160_HASHSZ, 0);
105 blowfish_cbcencrypt(&c, m, m, msz);
108 /* --- MAC the ciphertext --- */
110 rmd160_hmacinit(&mk, b + RMD160_HASHSZ, RMD160_HASHSZ);
111 rmd160_macinit(&mc, &mk);
112 rmd160_machash(&mc, m, msz);
113 rmd160_macdone(&mc, d.buf + RMD160_HASHSZ);
120 *kt = key_newencrypted(0, d.buf, d.len);
125 /* --- @key_unlock@ --- *
127 * Arguments: @key_data **kt@ = where to store the destination pointer
128 * @key_data *k@ = source key data block or null to use @*kt@
129 * @const void *e@ = secret to decrypt the block with
130 * @size_t esz@ = size of the secret
132 * Returns: Zero for success, or a @KERR_@ error code.
134 * Use: Unlocks a key using a secret.
137 int key_unlock(key_data **kt, key_data *k, const void *e, size_t esz)
139 octet b[RMD160_HASHSZ * 2];
150 /* --- Sanity check --- */
152 if (!k) { k = *kt; drop = 1; }
153 assert(((void)"Key data isn't encrypted",
154 (k->e & KF_ENCMASK) == KENC_ENCRYPT));
156 /* --- Check the size --- */
158 if (k->u.k.sz < RMD160_HASHSZ * 2)
159 return (KERR_MALFORMED);
160 sz = k->u.k.sz - RMD160_HASHSZ * 2;
162 /* --- Hash the passphrase to make a key --- */
164 rmd160_mgfkeybegin(&r);
165 rmd160_mgfkeyadd(&r, k->u.k.k, RMD160_HASHSZ);
166 rmd160_mgfkeyadd(&r, e, esz);
167 rmd160_mgfencrypt(&r, 0, b, sizeof(b));
170 /* --- Verify the MAC --- */
172 rmd160_hmacinit(&mk, b + RMD160_HASHSZ, RMD160_HASHSZ);
173 rmd160_macinit(&mc, &mk);
174 rmd160_machash(&mc, k->u.k.k + RMD160_HASHSZ * 2, sz);
175 rmd160_macdone(&mc, b + RMD160_HASHSZ);
176 if (!ct_memeq(b + RMD160_HASHSZ,
177 k->u.k.k + RMD160_HASHSZ, RMD160_HASHSZ)) {
184 /* --- Allocate a destination buffer --- */
188 /* --- Decrypt the key data --- */
190 blowfish_cbcinit(&c, b, RMD160_HASHSZ, 0);
191 blowfish_cbcdecrypt(&c, k->u.k.k + RMD160_HASHSZ * 2, p, sz);
194 /* --- Decode the key data into the destination buffer --- */
196 if ((kd = key_decode(p, sz)) == 0) {
205 if (drop) key_drop(k);
208 /* --- Tidy up if things went wrong --- */
216 /* --- @key_plock@ --- *
218 * Arguments: @key_data **kt@ = where to store the destination pointer
219 * @key_data *k@ = source key data block or null to use @*kt@
220 * @const char *tag@ = tag to use for passphrase
222 * Returns: Zero if successful, a @KERR@ error code on failure.
224 * Use: Locks a key by encrypting it with a passphrase.
227 int key_plock(key_data **kt, key_data *k, const char *tag)
231 if (passphrase_read(tag, PMODE_VERIFY, buf, sizeof(buf)))
233 key_lock(kt, k, buf, strlen(buf));
238 /* --- @key_punlock@ --- *
240 * Arguments: @key_data **kt@ = where to store the destination pointer
241 * @key_data *k@ = source key data block or null to use @*kt@
242 * @const char *tag@ = tag to use for passphrase
244 * Returns: Zero if it worked, a @KERR_@ error code on failure.
246 * Use: Unlocks a passphrase-locked key.
249 int key_punlock(key_data **kt, key_data *k, const char *tag)
254 if (passphrase_read(tag, PMODE_READ, buf, sizeof(buf)))
256 rc = key_unlock(kt, k, buf, strlen(buf));
258 if (rc == KERR_BADPASS || !k)
259 passphrase_cancel(tag);
263 /*----- That's all, folks -------------------------------------------------*/