[tripe] / keymgmt.c

/* -*-c-*-
 *
 * $Id$
 *
 * Key loading and storing
 *
 * (c) 2001 Straylight/Edgeware
 */

/*----- Licensing notice --------------------------------------------------* 
 *
 * This file is part of Trivial IP Encryption (TrIPE).
 *
 * TrIPE is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 * 
 * TrIPE is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 * 
 * You should have received a copy of the GNU General Public License
 * along with TrIPE; if not, write to the Free Software Foundation,
 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
 */

/*----- Header files ------------------------------------------------------*/

#include "tripe.h"

/*----- Global variables --------------------------------------------------*/

group *gg;
mp *kpriv;
ge *kpub;
algswitch algs;

/*----- Static variables --------------------------------------------------*/

static key_file *kf_pub;
static const char *kr_priv, *kr_pub, *tag_priv;
static fwatch w_priv, w_pub;

/*----- Key groups --------------------------------------------------------*/

typedef struct kgops {
  const char *ty;
  const char *(*loadpriv)(key_data *, group **, mp **, dstr *);
  const char *(*loadpub)(key_data *, group **, ge **, dstr *);
} kgops;

/* --- Diffie-Hellman --- */

static const char *kgdh_priv(key_data *kd, group **g, mp **x, dstr *t)
{
  key_packstruct kps[DH_PRIVFETCHSZ];
  key_packdef *kp;
  dh_priv dp;
  const char *e;
  int rc;

  kp = key_fetchinit(dh_privfetch, kps, &dp);
  if ((rc = key_unpack(kp, kd, t)) != 0) {
    e = key_strerror(rc);
    goto done;
  }
  *g = group_prime(&dp.dp);
  *x = MP_COPY(dp.x);
  e = 0;
done:
  key_fetchdone(kp);
  return (e);
}

static const char *kgdh_pub(key_data *kd, group **g, ge **p, dstr *t)
{
  key_packstruct kps[DH_PUBFETCHSZ];
  key_packdef *kp;
  dh_pub dp;
  const char *e;
  int rc;

  kp = key_fetchinit(dh_pubfetch, kps, &dp);
  if ((rc = key_unpack(kp, kd, t)) != 0) {
    e = key_strerror(rc);
    goto done;
  }
  *g = group_prime(&dp.dp);
  *p = G_CREATE(*g);
  if (G_FROMINT(*g, *p, dp.y)) {
    e = "bad public value";
    goto done;
  }
  e = 0;
done:
  key_fetchdone(kp);
  return (e);
}

static const kgops kgdh_ops = { "tripe-dh", kgdh_priv, kgdh_pub };

/* --- Elliptic curve --- */

static const char *kgec_priv(key_data *kd, group **g, mp **x, dstr *t)
{
  key_packstruct kps[EC_PRIVFETCHSZ];
  key_packdef *kp;
  ec_priv ep;
  ec_info ei;
  const char *e;
  int rc;

  kp = key_fetchinit(ec_privfetch, kps, &ep);
  if ((rc = key_unpack(kp, kd, t)) != 0) {
    e = key_strerror(rc);
    goto done;
  }
  if ((e = ec_getinfo(&ei, ep.cstr)) != 0)
    goto done;
  *g = group_ec(&ei);
  *x = MP_COPY(ep.x);
  e = 0;
done:
  key_fetchdone(kp);
  return (e);
}

static const char *kgec_pub(key_data *kd, group **g, ge **p, dstr *t)
{
  key_packstruct kps[EC_PUBFETCHSZ];
  key_packdef *kp;
  ec_pub ep;
  ec_info ei;
  const char *e;
  int rc;

  kp = key_fetchinit(ec_pubfetch, kps, &ep);
  if ((rc = key_unpack(kp, kd, t)) != 0) {
    e = key_strerror(rc);
    goto done;
  }
  if ((e = ec_getinfo(&ei, ep.cstr)) != 0)
    goto done;
  *g = group_ec(&ei);
  *p = G_CREATE(*g);
  if (G_FROMEC(*g, *p, &ep.p)) {
    e = "bad public point";
    goto done;
  }
  e = 0;
done:
  key_fetchdone(kp);
  return (e);
}

static const kgops kgec_ops = { "tripe-ec", kgec_priv, kgec_pub };

/* --- Table of supported key types --- */

static const kgops *kgtab[] = { &kgdh_ops, &kgec_ops, 0 };

/*----- Algswitch stuff ---------------------------------------------------*/

/* --- @algs_get@ --- *
 *
 * Arguments:	@algswitch *a@ = where to put the algorithms
 *		@key_file *kf@ = key file (for some stupid reason)
 *		@key *k@ = key to inspect
 *
 * Returns:	Null if OK, or an error message.
 *
 * Use:		Extracts an algorithm choice from a key.
 */

static const char *algs_get(algswitch *a, key_file *kf, key *k)
{
  const char *p;
  char *q;
  dstr d = DSTR_INIT;
  const char *e;

#define FAIL(msg) do { e = msg; goto done; } while (0)

  if ((p = key_getattr(kf, k, "cipher")) == 0)
    p = "blowfish-cbc";
  if ((a->c = gcipher_byname(p)) == 0)
    FAIL("unknown-cipher");

  if ((p = key_getattr(kf, k, "hash")) == 0)
    p = "rmd160";
  if ((a->h = ghash_byname(p)) == 0)
    FAIL("unknown-hash");

  if ((p = key_getattr(kf, k, "mgf")) == 0) {
    dstr_reset(&d);
    dstr_putf(&d, "%s-mgf", a->h->name);
    p = d.buf;
  }
  if ((a->mgf = gcipher_byname(p)) == 0)
    FAIL("unknown-mgf-cipher");

  if ((p = key_getattr(kf, k, "mac")) != 0) {
    dstr_reset(&d);
    dstr_puts(&d, p);
    if ((q = strchr(d.buf, '/')) != 0)
      *q++ = 0;
    if ((a->m = gmac_byname(d.buf)) == 0)
      FAIL("unknown-mac");
    if (!q)
      a->tagsz = a->m->hashsz;
    else {
      unsigned long n = strtoul(q, &q, 0);
      if (*q) FAIL("bad-tag-length-string");
      if (n%8 || n > ~(size_t)0) FAIL("bad-tag-length");
      a->tagsz = n/8;
    }
  } else {
    dstr_reset(&d);
    dstr_putf(&d, "%s-hmac", a->h->name);
    if ((a->m = gmac_byname(d.buf)) == 0)
      FAIL("no-hmac-for-hash");
    a->tagsz = a->h->hashsz/2;
  }

  e = 0;
done:
  dstr_destroy(&d);
  return (e);
}

/* --- @algs_check@ --- *
 *
 * Arguments:	@algswitch *a@ = a choice of algorithms
 *		@const group *g@ = the group we're working in
 *
 * Returns:	Null if OK, or an error message.
 *
 * Use:		Checks an algorithm choice for sensibleness.  This also
 *		derives some useful information from the choices, and you
 *		must call this before committing the algorithm selection
 *		for use by @keyset@ functions.
 */

static const char *algs_check(algswitch *a, const group *g)
{
  /* --- Derive the key sizes --- *
   *
   * Must ensure that we have non-empty keys.  This isn't ideal, but it
   * provides a handy sanity check.
   */

  a->hashsz = a->h->hashsz;
  if ((a->cksz = keysz(a->hashsz, a->c->keysz)) == 0)
    return ("no key size found for cipher");
  if ((a->mksz = keysz(a->hashsz, a->m->keysz)) == 0)
    return ("no key size found for MAC");

  /* --- Ensure that the tag size is sane --- */

  if (a->tagsz > a->m->hashsz) return ("tag length too large");

  /* --- Ensure the MGF accepts hashes as keys --- */

  if (keysz(a->hashsz, a->mgf->keysz) != a->hashsz)
    return ("MGF not suitable -- restrictive key schedule");

  /* --- All ship-shape and Bristol-fashion --- */

  return (0);
}

/* --- @algs_samep@ --- *
 *
 * Arguments:	@const algswitch *a, *aa@ = two algorithm selections
 *
 * Returns:	Nonzero if the two selections are the same.
 *
 * Use:		Checks sameness of algorithm selections: used to ensure that
 *		peers are using sensible algorithms.
 */

static int algs_samep(const algswitch *a, const algswitch *aa)
{
  return (a->c == aa->c && a->mgf == aa->mgf && a->h == aa->h &&
	  a->m == aa->m && a->tagsz == aa->tagsz);
}

/*----- Main code ---------------------------------------------------------*/

/* --- @keymoan@ --- *
 *
 * Arguments:	@const char *file@ = name of the file
 *              @int line@ = line number in file
 *              @const char *msg@ = error message
 *              @void *p@ = argument pointer
 *
 * Returns:     ---
 *
 * Use:         Reports an error message about loading a key file.
 */

static void keymoan(const char *file, int line, const char *msg, void *p)
{
  a_warn("KEYMGMT",
	 "key-file-error",
	 "%s:%i", file, line,
	 "%s", msg,
	 A_END);
}

/* --- @loadpriv@ --- *
 *
 * Arguments:	@dstr *d@ = string to write errors in
 *
 * Returns:	Zero if OK, nonzero on error.
 *
 * Use:		Loads the private key from its keyfile.
 */

static int loadpriv(dstr *d)
{
  key_file kf;
  key *k;
  key_data **kd;
  dstr t = DSTR_INIT;
  group *g = 0;
  mp *x = 0;
  int rc = -1;
  const kgops **ko;
  const char *e;
  algswitch a;

  /* --- Open the private key file --- */

  if (key_open(&kf, kr_priv, KOPEN_READ, keymoan, 0)) {
    dstr_putf(d, "error reading private keyring `%s': %s",
	      kr_priv, strerror(errno));
    goto done_0;
  }

  /* --- Find the private key --- */

  if (key_qtag(&kf, tag_priv, &t, &k, &kd)) {
    dstr_putf(d, "private key `%s' not found in keyring `%s'",
	      tag_priv, kr_priv);
    goto done_1;
  }

  /* --- Look up the key type in the table --- */

  for (ko = kgtab; *ko; ko++) {
    if (strcmp((*ko)->ty, k->type) == 0)
      goto tymatch;
  }
  dstr_putf(d, "private key `%s' has unknown type `%s'", t.buf, k->type);
  goto done_1;
tymatch:;

  /* --- Load the key --- */

  if ((e = (*ko)->loadpriv(*kd, &g, &x, &t)) != 0) {
    dstr_putf(d, "error reading private key `%s': %s", t.buf, e);
    goto done_1;
  }

  /* --- Check that the key is sensible --- */

  if ((e = G_CHECK(g, &rand_global)) != 0) {
    dstr_putf(d, "bad group in private key `%s': %s", t.buf, e);
    goto done_1;
  }

  /* --- Collect the algorithms --- */

  if ((e = algs_get(&a, &kf, k)) != 0 ||
      (e = algs_check(&a, g)) != 0) {
    dstr_putf(d, "bad symmetric algorithm selection in private key `%s': %s",
	      t.buf, e);
    goto done_1;
  }

  /* --- Good, we're happy --- *
   *
   * Dodginess!  We change the group over here, but don't free any old group
   * elements.  This assumes that the new group is basically the same as the
   * old one, and will happily adopt the existing elements.  If it isn't,
   * then we lose badly.  Check this, then.
   */

  if (gg) {
    if (!group_samep(g, gg)) {
      dstr_putf(d, "private key `%s' has different group", t.buf);
      goto done_1;
    }
    G_DESTROYGROUP(gg);
  }
  if (kpriv)
    mp_drop(kpriv);

  if (kpub)
    G_DESTROY(g, kpub);
  kpub = G_CREATE(g);
  G_EXP(g, kpub, g->g, x);

  /* --- Dump out the group --- */

  IF_TRACING(T_KEYMGMT, {
    trace(T_KEYMGMT, "keymgmt: extracted private key `%s'", t.buf);
    IF_TRACING(T_CRYPTO, {
      trace(T_CRYPTO, "crypto: r = %s", mpstr(g->r));
      trace(T_CRYPTO, "crypto: h = %s", mpstr(g->h));
      trace(T_CRYPTO, "crypto: x = %s", mpstr(x));
      trace(T_CRYPTO, "crypto: cipher = %s", a.c->name);
      trace(T_CRYPTO, "crypto: mgf = %s", a.mgf->name);
      trace(T_CRYPTO, "crypto: hash = %s", a.h->name);
      trace(T_CRYPTO, "crypto: mac = %s/%lu",
	    a.m->name, (unsigned long)a.tagsz * 8);
    })
  })

  /* --- Success! --- */

  gg = g; g = 0;
  algs = a;
  kpriv = x; x = 0;
  rc = 0;

  /* --- Tidy up --- */

done_1:
  key_close(&kf);
done_0:
  dstr_destroy(&t);
  if (x) mp_drop(x);
  if (g) G_DESTROYGROUP(g);
  return (rc);
}

/* --- @loadpub@ --- *
 *
 * Arguments:	@dstr *d@ = string to write errors to
 *
 * Returns:	Zero if OK, nonzero on error.
 *
 * Use:		Reloads the public keyring.
 */

static int loadpub(dstr *d)
{
  key_file *kf = CREATE(key_file);

  if (key_open(kf, kr_pub, KOPEN_READ, keymoan, 0)) {
    dstr_putf(d, "error reading public keyring `%s': %s",
	      kr_pub, strerror(errno));
    DESTROY(kf);
    return (-1);
  }
  kf_pub = kf;
  T( trace(T_KEYMGMT, "keymgmt: loaded public keyring `%s'", kr_pub); )
  return (0);
}

/* --- @km_reload@ --- *
 *
 * Arguments:	---
 *
 * Returns:	Zero if OK, nonzero to force reloading of keys.
 *
 * Use:		Checks the keyrings to see if they need reloading.
 */

int km_reload(void)
{
  dstr d = DSTR_INIT;
  key_file *kf;
  int reload = 0;

  /* --- Check the private key first --- */

  if (fwatch_update(&w_priv, kr_priv)) {
    T( trace(T_KEYMGMT, "keymgmt: private keyring updated: reloading..."); )
    DRESET(&d);
    if (loadpriv(&d))
      a_warn("KEYMGMT", "bad-private-key", "%s", d.buf, A_END);
    else
      reload = 1;
  }

  /* --- Now check the public keys --- */

  if (fwatch_update(&w_pub, kr_pub)) {
    T( trace(T_KEYMGMT, "keymgmt: public keyring updated: reloading..."); )
    kf = kf_pub;
    DRESET(&d);
    if (loadpub(&d))
      a_warn("KEYMGMT", "bad-public-keyring", "%s", d.buf, A_END);
    else {
      reload = 1;
      key_close(kf);
      DESTROY(kf);
    }
  }

  /* --- Done --- */

  return (reload);
}

/* --- @km_init@ --- *
 *
 * Arguments:	@const char *priv@ = private keyring file
 *		@const char *pub@ = public keyring file
 *		@const char *tag@ = tag to load
 *
 * Returns:	---
 *
 * Use:		Initializes, and loads the private key.
 */

void km_init(const char *priv, const char *pub, const char *tag)
{
  dstr d = DSTR_INIT;
  const gchash *const *hh;

  kr_priv = priv;
  kr_pub = pub;
  tag_priv = tag;
  fwatch_init(&w_priv, kr_priv);
  fwatch_init(&w_pub, kr_pub);

  for (hh = ghashtab; *hh; hh++) {
    if ((*hh)->hashsz > MAXHASHSZ) {
      die(EXIT_FAILURE, "INTERNAL ERROR: %s hash length %lu > MAXHASHSZ %d",
	  (*hh)->name, (unsigned long)(*hh)->hashsz, MAXHASHSZ);
    }
  }

  DRESET(&d);
  if (loadpriv(&d))
    die(EXIT_FAILURE, "%s", d.buf);
  if (loadpub(&d))
    die(EXIT_FAILURE, "%s", d.buf);
}

/* --- @km_getpubkey@ --- *
 *
 * Arguments:	@const char *tag@ = public key tag to load
 *		@ge *kpub@ = where to put the public key
 *		@time_t *t_exp@ = where to put the expiry time
 *
 * Returns:	Zero if OK, nonzero if it failed.
 *
 * Use:		Fetches a public key from the keyring.
 */

int km_getpubkey(const char *tag, ge *kpub, time_t *t_exp)
{
  key *k;
  key_data **kd;
  dstr t = DSTR_INIT;
  const kgops **ko;
  const char *e;
  group *g = 0;
  ge *p = 0;
  algswitch a;
  int rc = -1;

  /* --- Find the key --- */

  if (key_qtag(kf_pub, tag, &t, &k, &kd)) {
    a_warn("KEYMGMT", "public-key", "%s", tag, "not-found", A_END);
    goto done;
  }

  /* --- Look up the key type in the table --- */

  for (ko = kgtab; *ko; ko++) {
    if (strcmp((*ko)->ty, k->type) == 0)
      goto tymatch;
  }
  a_warn("KEYMGMT",
	 "public-key", "%s", t.buf,
	 "unknown-type", "%s", k->type,
	 A_END);
  goto done;
tymatch:;

  /* --- Load the key --- */

  if ((e = (*ko)->loadpub(*kd, &g, &p, &t)) != 0) {
    a_warn("KEYMGMT", "public-key", "%s", t.buf, "bad", "%s", e, A_END);
    goto done;
  }

  /* --- Ensure that the group is correct --- *
   *
   * Dodginess!  We assume that if this works, our global group is willing to
   * adopt this public element.  Probably reasonable.
   */

  if (!group_samep(gg, g)) {
    a_warn("KEYMGMT", "public-key", "%s", t.buf, "incorrect-group", A_END);
    goto done;
  }

  /* --- Check the public group element --- */

  if (group_check(gg, p)) {
    a_warn("KEYMGMT",
	   "public-key", "%s", t.buf,
	   "bad-public-group-element",
	   A_END);
    goto done;
  }

  /* --- Check the algorithms --- */

  if ((e = algs_get(&a, kf_pub, k)) != 0) {
    a_warn("KEYMGMT",
	   "public-key", "%s", t.buf,
	   "bad-algorithm-selection", e,
	   A_END);
    goto done;
  }
  if (!algs_samep(&a, &algs)) {
    a_warn("KEYMGMT",
	   "public-key", "%s", t.buf,
	   "algorithm-mismatch",
	   A_END);
    goto done;
  }

  /* --- Dump the public key --- */

  IF_TRACING(T_KEYMGMT, {
    trace(T_KEYMGMT, "keymgmt: extracted public key `%s'", t.buf);
    trace(T_CRYPTO, "crypto: p = %s", gestr(gg, p));
  })

  /* --- OK, accept the public key --- */

  *t_exp = k->exp;
  G_COPY(gg, kpub, p);
  rc = 0;

  /* --- Tidy up --- */

done:
  if (p) G_DESTROY(g, p);
  if (g) G_DESTROYGROUP(g);
  dstr_destroy(&t);
  return (rc);
}

/*----- That's all, folks -------------------------------------------------*/
Commit	Line	Data
410c8acf	1	/* --c--
410c8acf	2	*
3cdc3f3a	3	* $Id$
410c8acf	4	*
	5	* Key loading and storing
	6	*
	7	* (c) 2001 Straylight/Edgeware
	8	*/
	9
	10	/----- Licensing notice --------------------------------------------------
	11	*
	12	* This file is part of Trivial IP Encryption (TrIPE).
	13	*
	14	* TrIPE is free software; you can redistribute it and/or modify
	15	* it under the terms of the GNU General Public License as published by
	16	* the Free Software Foundation; either version 2 of the License, or
	17	* (at your option) any later version.
	18	*
	19	* TrIPE is distributed in the hope that it will be useful,
	20	* but WITHOUT ANY WARRANTY; without even the implied warranty of
	21	* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	22	* GNU General Public License for more details.
	23	*
	24	* You should have received a copy of the GNU General Public License
	25	* along with TrIPE; if not, write to the Free Software Foundation,
	26	* Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
	27	*/
	28
410c8acf	29	/----- Header files ------------------------------------------------------/
	30
	31	#include "tripe.h"
	32
	33	/----- Global variables --------------------------------------------------/
	34
52c03a2a	35	group *gg;
52c03a2a	36	mp *kpriv;
9317aa92	37	ge *kpub;
b5c45da1	38	algswitch algs;
410c8acf	39
	40	/----- Static variables --------------------------------------------------/
	41
	42	static key_file *kf_pub;
	43	static const char kr_priv, kr_pub, *tag_priv;
	44	static fwatch w_priv, w_pub;
	45
52c03a2a	46	/----- Key groups --------------------------------------------------------/
	47
	48	typedef struct kgops {
	49	const char *ty;
	50	const char (loadpriv)(key_data , group , mp , dstr );
	51	const char (loadpub)(key_data , group , ge , dstr );
	52	} kgops;
	53
	54	/* --- Diffie-Hellman --- */
	55
	56	static const char kgdh_priv(key_data kd, group g, mp x, dstr *t)
	57	{
	58	key_packstruct kps[DH_PRIVFETCHSZ];
	59	key_packdef *kp;
	60	dh_priv dp;
	61	const char *e;
	62	int rc;
	63
	64	kp = key_fetchinit(dh_privfetch, kps, &dp);
	65	if ((rc = key_unpack(kp, kd, t)) != 0) {
	66	e = key_strerror(rc);
	67	goto done;
	68	}
	69	*g = group_prime(&dp.dp);
	70	*x = MP_COPY(dp.x);
	71	e = 0;
	72	done:
	73	key_fetchdone(kp);
	74	return (e);
	75	}
	76
	77	static const char kgdh_pub(key_data kd, group g, ge p, dstr *t)
	78	{
	79	key_packstruct kps[DH_PUBFETCHSZ];
	80	key_packdef *kp;
	81	dh_pub dp;
	82	const char *e;
	83	int rc;
	84
	85	kp = key_fetchinit(dh_pubfetch, kps, &dp);
	86	if ((rc = key_unpack(kp, kd, t)) != 0) {
	87	e = key_strerror(rc);
	88	goto done;
	89	}
	90	*g = group_prime(&dp.dp);
	91	p = G_CREATE(g);
	92	if (G_FROMINT(g, p, dp.y)) {
	93	e = "bad public value";
	94	goto done;
	95	}
	96	e = 0;
	97	done:
	98	key_fetchdone(kp);
	99	return (e);
	100	}
	101
	102	static const kgops kgdh_ops = { "tripe-dh", kgdh_priv, kgdh_pub };
	103
	104	/* --- Elliptic curve --- */
	105
	106	static const char kgec_priv(key_data kd, group g, mp x, dstr *t)
	107	{
	108	key_packstruct kps[EC_PRIVFETCHSZ];
	109	key_packdef *kp;
110	ec_priv ep;
111	ec_info ei;
112	const char *e;
113	int rc;
114
115	kp = key_fetchinit(ec_privfetch, kps, &ep);
116	if ((rc = key_unpack(kp, kd, t)) != 0) {
117	e = key_strerror(rc);
118	goto done;
119	}
120	if ((e = ec_getinfo(&ei, ep.cstr)) != 0)
121	goto done;
122	*g = group_ec(&ei);
123	*x = MP_COPY(ep.x);
124	e = 0;
125	done:
126	key_fetchdone(kp);
127	return (e);
128	}
129
130	static const char kgec_pub(key_data kd, group g, ge p, dstr *t)
131	{
132	key_packstruct kps[EC_PUBFETCHSZ];
133	key_packdef *kp;
134	ec_pub ep;
135	ec_info ei;
136	const char *e;
137	int rc;
138
139	kp = key_fetchinit(ec_pubfetch, kps, &ep);
140	if ((rc = key_unpack(kp, kd, t)) != 0) {
141	e = key_strerror(rc);
142	goto done;
143	}
144	if ((e = ec_getinfo(&ei, ep.cstr)) != 0)
145	goto done;
146	*g = group_ec(&ei);
147	p = G_CREATE(g);
148	if (G_FROMEC(g, p, &ep.p)) {
149	e = "bad public point";
150	goto done;
151	}
152	e = 0;
153	done:
154	key_fetchdone(kp);
155	return (e);
156	}
157
158	static const kgops kgec_ops = { "tripe-ec", kgec_priv, kgec_pub };
159
160	/* --- Table of supported key types --- */
161
162	static const kgops *kgtab[] = { &kgdh_ops, &kgec_ops, 0 };
163
b5c45da1	164	/----- Algswitch stuff ---------------------------------------------------/
	165
	166	/* --- @algs_get@ --- *
	167	*
	168	* Arguments: @algswitch *a@ = where to put the algorithms
	169	* @key_file *kf@ = key file (for some stupid reason)
	170	* @key *k@ = key to inspect
	171	*
	172	* Returns: Null if OK, or an error message.
	173	*
	174	* Use: Extracts an algorithm choice from a key.
	175	*/
	176
	177	static const char algs_get(algswitch a, key_file kf, key k)
	178	{
	179	const char *p;
	180	char *q;
	181	dstr d = DSTR_INIT;
	182	const char *e;
	183
	184	#define FAIL(msg) do { e = msg; goto done; } while (0)
	185
	186	if ((p = key_getattr(kf, k, "cipher")) == 0)
	187	p = "blowfish-cbc";
	188	if ((a->c = gcipher_byname(p)) == 0)
3cdc3f3a	189	FAIL("unknown-cipher");
b5c45da1	190
	191	if ((p = key_getattr(kf, k, "hash")) == 0)
	192	p = "rmd160";
	193	if ((a->h = ghash_byname(p)) == 0)
3cdc3f3a	194	FAIL("unknown-hash");
b5c45da1	195
74ee77cb	196	if ((p = key_getattr(kf, k, "mgf")) == 0) {
b5c45da1	197	dstr_reset(&d);
74ee77cb	198	dstr_putf(&d, "%s-mgf", a->h->name);
b5c45da1	199	p = d.buf;
	200	}
	201	if ((a->mgf = gcipher_byname(p)) == 0)
3cdc3f3a	202	FAIL("unknown-mgf-cipher");
b5c45da1	203
	204	if ((p = key_getattr(kf, k, "mac")) != 0) {
	205	dstr_reset(&d);
	206	dstr_puts(&d, p);
	207	if ((q = strchr(d.buf, '/')) != 0)
	208	*q++ = 0;
	209	if ((a->m = gmac_byname(d.buf)) == 0)
3cdc3f3a	210	FAIL("unknown-mac");
b5c45da1	211	if (!q)
	212	a->tagsz = a->m->hashsz;
	213	else {
	214	unsigned long n = strtoul(q, &q, 0);
3cdc3f3a	215	if (*q) FAIL("bad-tag-length-string");
3cdc3f3a	216	if (n%8 \|\| n > ~(size_t)0) FAIL("bad-tag-length");
b5c45da1	217	a->tagsz = n/8;
	218	}
	219	} else {
	220	dstr_reset(&d);
	221	dstr_putf(&d, "%s-hmac", a->h->name);
	222	if ((a->m = gmac_byname(d.buf)) == 0)
3cdc3f3a	223	FAIL("no-hmac-for-hash");
b5c45da1	224	a->tagsz = a->h->hashsz/2;
	225	}
	226
	227	e = 0;
	228	done:
	229	dstr_destroy(&d);
	230	return (e);
	231	}
	232
	233	/* --- @algs_check@ --- *
	234	*
	235	* Arguments: @algswitch *a@ = a choice of algorithms
	236	* @const group *g@ = the group we're working in
	237	*
	238	* Returns: Null if OK, or an error message.
	239	*
	240	* Use: Checks an algorithm choice for sensibleness. This also
	241	* derives some useful information from the choices, and you
	242	* must call this before committing the algorithm selection
	243	* for use by @keyset@ functions.
	244	*/
	245
	246	static const char algs_check(algswitch a, const group *g)
	247	{
	248	/* --- Derive the key sizes --- *
	249	*
	250	* Must ensure that we have non-empty keys. This isn't ideal, but it
	251	* provides a handy sanity check.
	252	*/
	253
	254	a->hashsz = a->h->hashsz;
	255	if ((a->cksz = keysz(a->hashsz, a->c->keysz)) == 0)
	256	return ("no key size found for cipher");
	257	if ((a->mksz = keysz(a->hashsz, a->m->keysz)) == 0)
	258	return ("no key size found for MAC");
	259
	260	/* --- Ensure that the tag size is sane --- */
	261
	262	if (a->tagsz > a->m->hashsz) return ("tag length too large");
	263
	264	/* --- Ensure the MGF accepts hashes as keys --- */
	265
	266	if (keysz(a->hashsz, a->mgf->keysz) != a->hashsz)
	267	return ("MGF not suitable -- restrictive key schedule");
	268
	269	/* --- All ship-shape and Bristol-fashion --- */
	270
	271	return (0);
	272	}
	273
	274	/* --- @algs_samep@ --- *
	275	*
	276	* Arguments: @const algswitch a, aa@ = two algorithm selections
	277	*
	278	* Returns: Nonzero if the two selections are the same.
	279	*
	280	* Use: Checks sameness of algorithm selections: used to ensure that
	281	* peers are using sensible algorithms.
	282	*/
	283
	284	static int algs_samep(const algswitch a, const algswitch aa)
	285	{
	286	return (a->c == aa->c && a->mgf == aa->mgf && a->h == aa->h &&
	287	a->m == aa->m && a->tagsz == aa->tagsz);
288	}
289
410c8acf	290	/----- Main code ---------------------------------------------------------/
	291
	292	/* --- @keymoan@ --- *
	293	*
56814747	294	* Arguments: @const char *file@ = name of the file
410c8acf	295	* @int line@ = line number in file
	296	* @const char *msg@ = error message
	297	* @void *p@ = argument pointer
	298	*
	299	* Returns: ---
	300	*
	301	* Use: Reports an error message about loading a key file.
	302	*/
	303
	304	static void keymoan(const char file, int line, const char msg, void *p)
f43df819 MW	305	{
	306	a_warn("KEYMGMT",
	307	"key-file-error",
	308	"%s:%i", file, line,
	309	"%s", msg,
	310	A_END);
	311	}
410c8acf	312
	313	/* --- @loadpriv@ --- *
	314	*
	315	* Arguments: @dstr *d@ = string to write errors in
410c8acf	316	*
	317	* Returns: Zero if OK, nonzero on error.
	318	*
	319	* Use: Loads the private key from its keyfile.
	320	*/
	321
52c03a2a	322	static int loadpriv(dstr *d)
410c8acf	323	{
410c8acf	324	key_file kf;
52c03a2a	325	key *k;
d59d4fe9	326	key_data **kd;
52c03a2a	327	dstr t = DSTR_INIT;
	328	group *g = 0;
	329	mp *x = 0;
	330	int rc = -1;
	331	const kgops **ko;
	332	const char *e;
b5c45da1	333	algswitch a;
52c03a2a	334
52c03a2a	335	/* --- Open the private key file --- */
410c8acf	336
	337	if (key_open(&kf, kr_priv, KOPEN_READ, keymoan, 0)) {
	338	dstr_putf(d, "error reading private keyring `%s': %s",
	339	kr_priv, strerror(errno));
52c03a2a	340	goto done_0;
	341	}
	342
	343	/* --- Find the private key --- */
	344
	345	if (key_qtag(&kf, tag_priv, &t, &k, &kd)) {
	346	dstr_putf(d, "private key `%s' not found in keyring `%s'",
	347	tag_priv, kr_priv);
	348	goto done_1;
	349	}
	350
	351	/* --- Look up the key type in the table --- */
	352
	353	for (ko = kgtab; *ko; ko++) {
	354	if (strcmp((*ko)->ty, k->type) == 0)
	355	goto tymatch;
	356	}
	357	dstr_putf(d, "private key `%s' has unknown type `%s'", t.buf, k->type);
	358	goto done_1;
	359	tymatch:;
	360
	361	/* --- Load the key --- */
	362
d59d4fe9	363	if ((e = (ko)->loadpriv(kd, &g, &x, &t)) != 0) {
52c03a2a	364	dstr_putf(d, "error reading private key `%s': %s", t.buf, e);
	365	goto done_1;
	366	}
	367
	368	/* --- Check that the key is sensible --- */
	369
	370	if ((e = G_CHECK(g, &rand_global)) != 0) {
	371	dstr_putf(d, "bad group in private key `%s': %s", t.buf, e);
	372	goto done_1;
	373	}
	374
b5c45da1	375	/* --- Collect the algorithms --- */
	376
	377	if ((e = algs_get(&a, &kf, k)) != 0 \|\|
	378	(e = algs_check(&a, g)) != 0) {
	379	dstr_putf(d, "bad symmetric algorithm selection in private key `%s': %s",
	380	t.buf, e);
	381	goto done_1;
	382	}
	383
52c03a2a	384	/* --- Good, we're happy --- *
	385	*
	386	* Dodginess! We change the group over here, but don't free any old group
	387	* elements. This assumes that the new group is basically the same as the
	388	* old one, and will happily adopt the existing elements. If it isn't,
	389	* then we lose badly. Check this, then.
	390	*/
	391
	392	if (gg) {
	393	if (!group_samep(g, gg)) {
	394	dstr_putf(d, "private key `%s' has different group", t.buf);
	395	goto done_1;
410c8acf	396	}
52c03a2a	397	G_DESTROYGROUP(gg);
410c8acf	398	}
52c03a2a	399	if (kpriv)
	400	mp_drop(kpriv);
	401
9317aa92 MW	402	if (kpub)
	403	G_DESTROY(g, kpub);
	404	kpub = G_CREATE(g);
	405	G_EXP(g, kpub, g->g, x);
	406
52c03a2a	407	/* --- Dump out the group --- */
	408
	409	IF_TRACING(T_KEYMGMT, {
	410	trace(T_KEYMGMT, "keymgmt: extracted private key `%s'", t.buf);
	411	IF_TRACING(T_CRYPTO, {
	412	trace(T_CRYPTO, "crypto: r = %s", mpstr(g->r));
	413	trace(T_CRYPTO, "crypto: h = %s", mpstr(g->h));
	414	trace(T_CRYPTO, "crypto: x = %s", mpstr(x));
b5c45da1	415	trace(T_CRYPTO, "crypto: cipher = %s", a.c->name);
	416	trace(T_CRYPTO, "crypto: mgf = %s", a.mgf->name);
	417	trace(T_CRYPTO, "crypto: hash = %s", a.h->name);
	418	trace(T_CRYPTO, "crypto: mac = %s/%lu",
	419	a.m->name, (unsigned long)a.tagsz * 8);
52c03a2a	420	})
	421	})
	422
	423	/* --- Success! --- */
	424
	425	gg = g; g = 0;
b5c45da1	426	algs = a;
52c03a2a	427	kpriv = x; x = 0;
	428	rc = 0;
	429
	430	/* --- Tidy up --- */
	431
	432	done_1:
	433	key_close(&kf);
	434	done_0:
	435	dstr_destroy(&t);
	436	if (x) mp_drop(x);
	437	if (g) G_DESTROYGROUP(g);
410c8acf	438	return (rc);
	439	}
	440
	441	/* --- @loadpub@ --- *
	442	*
	443	* Arguments: @dstr *d@ = string to write errors to
	444	*
	445	* Returns: Zero if OK, nonzero on error.
	446	*
	447	* Use: Reloads the public keyring.
	448	*/
	449
	450	static int loadpub(dstr *d)
	451	{
	452	key_file *kf = CREATE(key_file);
	453
	454	if (key_open(kf, kr_pub, KOPEN_READ, keymoan, 0)) {
	455	dstr_putf(d, "error reading public keyring `%s': %s",
	456	kr_pub, strerror(errno));
	457	DESTROY(kf);
	458	return (-1);
	459	}
	460	kf_pub = kf;
	461	T( trace(T_KEYMGMT, "keymgmt: loaded public keyring `%s'", kr_pub); )
	462	return (0);
	463	}
	464
de014da6	465	/* --- @km_reload@ --- *
410c8acf	466	*
	467	* Arguments: ---
	468	*
	469	* Returns: Zero if OK, nonzero to force reloading of keys.
	470	*
de014da6	471	* Use: Checks the keyrings to see if they need reloading.
410c8acf	472	*/
410c8acf	473
de014da6	474	int km_reload(void)
410c8acf	475	{
410c8acf	476	dstr d = DSTR_INIT;
410c8acf	477	key_file *kf;
	478	int reload = 0;
	479
	480	/* --- Check the private key first --- */
	481
	482	if (fwatch_update(&w_priv, kr_priv)) {
	483	T( trace(T_KEYMGMT, "keymgmt: private keyring updated: reloading..."); )
	484	DRESET(&d);
52c03a2a	485	if (loadpriv(&d))
f43df819	486	a_warn("KEYMGMT", "bad-private-key", "%s", d.buf, A_END);
52c03a2a	487	else
410c8acf	488	reload = 1;
410c8acf	489	}
	490
	491	/* --- Now check the public keys --- */
	492
	493	if (fwatch_update(&w_pub, kr_pub)) {
	494	T( trace(T_KEYMGMT, "keymgmt: public keyring updated: reloading..."); )
	495	kf = kf_pub;
	496	DRESET(&d);
	497	if (loadpub(&d))
f43df819	498	a_warn("KEYMGMT", "bad-public-keyring", "%s", d.buf, A_END);
410c8acf	499	else {
	500	reload = 1;
	501	key_close(kf);
	502	DESTROY(kf);
	503	}
	504	}
	505
	506	/* --- Done --- */
	507
	508	return (reload);
	509	}
	510
	511	/* --- @km_init@ --- *
	512	*
	513	* Arguments: @const char *priv@ = private keyring file
	514	* @const char *pub@ = public keyring file
	515	* @const char *tag@ = tag to load
	516	*
	517	* Returns: ---
	518	*
	519	* Use: Initializes, and loads the private key.
	520	*/
	521
	522	void km_init(const char priv, const char pub, const char *tag)
	523	{
	524	dstr d = DSTR_INIT;
b5c45da1	525	const gchash const hh;
410c8acf	526
	527	kr_priv = priv;
	528	kr_pub = pub;
	529	tag_priv = tag;
	530	fwatch_init(&w_priv, kr_priv);
	531	fwatch_init(&w_pub, kr_pub);
	532
b5c45da1	533	for (hh = ghashtab; *hh; hh++) {
	534	if ((*hh)->hashsz > MAXHASHSZ) {
	535	die(EXIT_FAILURE, "INTERNAL ERROR: %s hash length %lu > MAXHASHSZ %d",
	536	(hh)->name, (unsigned long)(hh)->hashsz, MAXHASHSZ);
	537	}
	538	}
	539
410c8acf	540	DRESET(&d);
52c03a2a	541	if (loadpriv(&d))
410c8acf	542	die(EXIT_FAILURE, "%s", d.buf);
410c8acf	543	if (loadpub(&d))
	544	die(EXIT_FAILURE, "%s", d.buf);
	545	}
	546
	547	/* --- @km_getpubkey@ --- *
	548	*
	549	* Arguments: @const char *tag@ = public key tag to load
52c03a2a	550	* @ge *kpub@ = where to put the public key
00e64b67	551	* @time_t *t_exp@ = where to put the expiry time
410c8acf	552	*
	553	* Returns: Zero if OK, nonzero if it failed.
	554	*
	555	* Use: Fetches a public key from the keyring.
	556	*/
	557
52c03a2a	558	int km_getpubkey(const char tag, ge kpub, time_t *t_exp)
410c8acf	559	{
00e64b67	560	key *k;
d59d4fe9	561	key_data **kd;
52c03a2a	562	dstr t = DSTR_INIT;
	563	const kgops **ko;
	564	const char *e;
	565	group *g = 0;
	566	ge *p = 0;
b5c45da1	567	algswitch a;
52c03a2a	568	int rc = -1;
	569
	570	/* --- Find the key --- */
	571
	572	if (key_qtag(kf_pub, tag, &t, &k, &kd)) {
f43df819	573	a_warn("KEYMGMT", "public-key", "%s", tag, "not-found", A_END);
52c03a2a	574	goto done;
52c03a2a	575	}
410c8acf	576
52c03a2a	577	/* --- Look up the key type in the table --- */
	578
	579	for (ko = kgtab; *ko; ko++) {
	580	if (strcmp((*ko)->ty, k->type) == 0)
	581	goto tymatch;
	582	}
f43df819 MW	583	a_warn("KEYMGMT",
	584	"public-key", "%s", t.buf,
	585	"unknown-type", "%s", k->type,
	586	A_END);
52c03a2a	587	goto done;
	588	tymatch:;
	589
	590	/* --- Load the key --- */
	591
d59d4fe9	592	if ((e = (ko)->loadpub(kd, &g, &p, &t)) != 0) {
f43df819	593	a_warn("KEYMGMT", "public-key", "%s", t.buf, "bad", "%s", e, A_END);
52c03a2a	594	goto done;
	595	}
	596
	597	/* --- Ensure that the group is correct --- *
	598	*
	599	* Dodginess! We assume that if this works, our global group is willing to
	600	* adopt this public element. Probably reasonable.
	601	*/
	602
	603	if (!group_samep(gg, g)) {
f43df819	604	a_warn("KEYMGMT", "public-key", "%s", t.buf, "incorrect-group", A_END);
52c03a2a	605	goto done;
	606	}
	607
	608	/* --- Check the public group element --- */
	609
	610	if (group_check(gg, p)) {
f43df819 MW	611	a_warn("KEYMGMT",
	612	"public-key", "%s", t.buf,
	613	"bad-public-group-element",
	614	A_END);
52c03a2a	615	goto done;
410c8acf	616	}
52c03a2a	617
b5c45da1	618	/* --- Check the algorithms --- */
	619
	620	if ((e = algs_get(&a, kf_pub, k)) != 0) {
f43df819 MW	621	a_warn("KEYMGMT",
	622	"public-key", "%s", t.buf,
	623	"bad-algorithm-selection", e,
	624	A_END);
b5c45da1	625	goto done;
b5c45da1	626	}
3cdc3f3a	627	if (!algs_samep(&a, &algs)) {
f43df819 MW	628	a_warn("KEYMGMT",
	629	"public-key", "%s", t.buf,
	630	"algorithm-mismatch",
	631	A_END);
b5c45da1	632	goto done;
	633	}
	634
52c03a2a	635	/* --- Dump the public key --- */
52c03a2a	636
410c8acf	637	IF_TRACING(T_KEYMGMT, {
52c03a2a	638	trace(T_KEYMGMT, "keymgmt: extracted public key `%s'", t.buf);
52c03a2a	639	trace(T_CRYPTO, "crypto: p = %s", gestr(gg, p));
410c8acf	640	})
52c03a2a	641
	642	/* --- OK, accept the public key --- */
	643
00e64b67	644	*t_exp = k->exp;
52c03a2a	645	G_COPY(gg, kpub, p);
	646	rc = 0;
	647
	648	/* --- Tidy up --- */
	649
	650	done:
	651	if (p) G_DESTROY(g, p);
	652	if (g) G_DESTROYGROUP(g);
	653	dstr_destroy(&t);
	654	return (rc);
410c8acf	655	}
	656
	657	/----- That's all, folks -------------------------------------------------/