5 * Key loading and storing
7 * (c) 2001 Straylight/Edgeware
10 /*----- Licensing notice --------------------------------------------------*
12 * This file is part of Trivial IP Encryption (TrIPE).
14 * TrIPE is free software; you can redistribute it and/or modify
15 * it under the terms of the GNU General Public License as published by
16 * the Free Software Foundation; either version 2 of the License, or
17 * (at your option) any later version.
19 * TrIPE is distributed in the hope that it will be useful,
20 * but WITHOUT ANY WARRANTY; without even the implied warranty of
21 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
22 * GNU General Public License for more details.
24 * You should have received a copy of the GNU General Public License
25 * along with TrIPE; if not, write to the Free Software Foundation,
26 * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
29 /*----- Header files ------------------------------------------------------*/
33 /*----- Global variables --------------------------------------------------*/
41 /*----- Static variables --------------------------------------------------*/
43 static key_file *kf_pub;
44 static const char *kr_priv, *kr_pub, *tag_priv;
45 static fwatch w_priv, w_pub;
47 /*----- Key groups --------------------------------------------------------*/
49 typedef struct kgops {
51 const char *(*loadpriv)(key_data *, group **, mp **, dstr *);
52 const char *(*loadpub)(key_data *, group **, ge **, dstr *);
55 /* --- Diffie-Hellman --- */
57 static const char *kgdh_priv(key_data *kd, group **g, mp **x, dstr *t)
59 key_packstruct kps[DH_PRIVFETCHSZ];
65 kp = key_fetchinit(dh_privfetch, kps, &dp);
66 if ((rc = key_unpack(kp, kd, t)) != 0) {
70 *g = group_prime(&dp.dp);
78 static const char *kgdh_pub(key_data *kd, group **g, ge **p, dstr *t)
80 key_packstruct kps[DH_PUBFETCHSZ];
86 kp = key_fetchinit(dh_pubfetch, kps, &dp);
87 if ((rc = key_unpack(kp, kd, t)) != 0) {
91 *g = group_prime(&dp.dp);
93 if (G_FROMINT(*g, *p, dp.y)) {
94 e = "bad public value";
103 static const kgops kgdh_ops = { "tripe-dh", kgdh_priv, kgdh_pub };
105 /* --- Elliptic curve --- */
107 static const char *kgec_priv(key_data *kd, group **g, mp **x, dstr *t)
109 key_packstruct kps[EC_PRIVFETCHSZ];
116 kp = key_fetchinit(ec_privfetch, kps, &ep);
117 if ((rc = key_unpack(kp, kd, t)) != 0) {
118 e = key_strerror(rc);
121 if ((e = ec_getinfo(&ei, ep.cstr)) != 0)
131 static const char *kgec_pub(key_data *kd, group **g, ge **p, dstr *t)
133 key_packstruct kps[EC_PUBFETCHSZ];
140 kp = key_fetchinit(ec_pubfetch, kps, &ep);
141 if ((rc = key_unpack(kp, kd, t)) != 0) {
142 e = key_strerror(rc);
145 if ((e = ec_getinfo(&ei, ep.cstr)) != 0)
149 if (G_FROMEC(*g, *p, &ep.p)) {
150 e = "bad public point";
159 static const kgops kgec_ops = { "tripe-ec", kgec_priv, kgec_pub };
161 /* --- Table of supported key types --- */
163 static const kgops *kgtab[] = { &kgdh_ops, &kgec_ops, 0 };
165 /*----- Algswitch stuff ---------------------------------------------------*/
167 /* --- @algs_get@ --- *
169 * Arguments: @algswitch *a@ = where to put the algorithms
170 * @key_file *kf@ = key file (for some stupid reason)
171 * @key *k@ = key to inspect
173 * Returns: Null if OK, or an error message.
175 * Use: Extracts an algorithm choice from a key.
178 static const char *algs_get(algswitch *a, key_file *kf, key *k)
185 #define FAIL(msg) do { e = msg; goto done; } while (0)
187 if ((p = key_getattr(kf, k, "cipher")) == 0)
189 if ((a->c = gcipher_byname(p)) == 0)
190 FAIL("unknown-cipher");
192 if ((p = key_getattr(kf, k, "hash")) == 0)
194 if ((a->h = ghash_byname(p)) == 0)
195 FAIL("unknown-hash");
197 if ((p = key_getattr(kf, k, "mgf")) == 0) {
199 dstr_putf(&d, "%s-mgf", a->h->name);
202 if ((a->mgf = gcipher_byname(p)) == 0)
203 FAIL("unknown-mgf-cipher");
205 if ((p = key_getattr(kf, k, "mac")) != 0) {
208 if ((q = strchr(d.buf, '/')) != 0)
210 if ((a->m = gmac_byname(d.buf)) == 0)
213 a->tagsz = a->m->hashsz;
215 unsigned long n = strtoul(q, &q, 0);
216 if (*q) FAIL("bad-tag-length-string");
217 if (n%8 || n > ~(size_t)0) FAIL("bad-tag-length");
222 dstr_putf(&d, "%s-hmac", a->h->name);
223 if ((a->m = gmac_byname(d.buf)) == 0)
224 FAIL("no-hmac-for-hash");
225 a->tagsz = a->h->hashsz/2;
234 /* --- @algs_check@ --- *
236 * Arguments: @algswitch *a@ = a choice of algorithms
237 * @const group *g@ = the group we're working in
239 * Returns: Null if OK, or an error message.
241 * Use: Checks an algorithm choice for sensibleness. This also
242 * derives some useful information from the choices, and you
243 * must call this before committing the algorithm selection
244 * for use by @keyset@ functions.
247 static const char *algs_check(algswitch *a, const group *g)
249 /* --- Derive the key sizes --- *
251 * Must ensure that we have non-empty keys. This isn't ideal, but it
252 * provides a handy sanity check.
255 a->hashsz = a->h->hashsz;
256 if ((a->cksz = keysz(a->hashsz, a->c->keysz)) == 0)
257 return ("no key size found for cipher");
258 if ((a->mksz = keysz(a->hashsz, a->m->keysz)) == 0)
259 return ("no key size found for MAC");
261 /* --- Ensure that the tag size is sane --- */
263 if (a->tagsz > a->m->hashsz) return ("tag length too large");
265 /* --- Ensure the MGF accepts hashes as keys --- */
267 if (keysz(a->hashsz, a->mgf->keysz) != a->hashsz)
268 return ("MGF not suitable -- restrictive key schedule");
270 /* --- All ship-shape and Bristol-fashion --- */
275 /* --- @algs_samep@ --- *
277 * Arguments: @const algswitch *a, *aa@ = two algorithm selections
279 * Returns: Nonzero if the two selections are the same.
281 * Use: Checks sameness of algorithm selections: used to ensure that
282 * peers are using sensible algorithms.
285 static int algs_samep(const algswitch *a, const algswitch *aa)
287 return (a->c == aa->c && a->mgf == aa->mgf && a->h == aa->h &&
288 a->m == aa->m && a->tagsz == aa->tagsz);
291 /*----- Main code ---------------------------------------------------------*/
293 /* --- @keymoan@ --- *
295 * Arguments: @const char *file@ = name of the file
296 * @int line@ = line number in file
297 * @const char *msg@ = error message
298 * @void *p@ = argument pointer
302 * Use: Reports an error message about loading a key file.
305 static void keymoan(const char *file, int line, const char *msg, void *p)
314 /* --- @loadpriv@ --- *
316 * Arguments: @dstr *d@ = string to write errors in
318 * Returns: Zero if OK, nonzero on error.
320 * Use: Loads the private key from its keyfile.
323 static int loadpriv(dstr *d)
336 /* --- Open the private key file --- */
338 if (key_open(&kf, kr_priv, KOPEN_READ, keymoan, 0)) {
339 dstr_putf(d, "error reading private keyring `%s': %s",
340 kr_priv, strerror(errno));
344 /* --- Find the private key --- */
346 if (key_qtag(&kf, tag_priv, &t, &k, &kd)) {
347 dstr_putf(d, "private key `%s' not found in keyring `%s'",
352 /* --- Look up the key type in the table --- */
354 for (ko = kgtab; *ko; ko++) {
355 if (strcmp((*ko)->ty, k->type) == 0)
358 dstr_putf(d, "private key `%s' has unknown type `%s'", t.buf, k->type);
362 /* --- Load the key --- */
364 if ((e = (*ko)->loadpriv(*kd, &g, &x, &t)) != 0) {
365 dstr_putf(d, "error reading private key `%s': %s", t.buf, e);
369 /* --- Check that the key is sensible --- */
371 if ((e = G_CHECK(g, &rand_global)) != 0) {
372 dstr_putf(d, "bad group in private key `%s': %s", t.buf, e);
376 /* --- Collect the algorithms --- */
378 if ((e = algs_get(&a, &kf, k)) != 0 ||
379 (e = algs_check(&a, g)) != 0) {
380 dstr_putf(d, "bad symmetric algorithm selection in private key `%s': %s",
385 /* --- Good, we're happy --- *
387 * Dodginess! We change the group over here, but don't free any old group
388 * elements. This assumes that the new group is basically the same as the
389 * old one, and will happily adopt the existing elements. If it isn't,
390 * then we lose badly. Check this, then.
394 if (!group_samep(g, gg)) {
395 dstr_putf(d, "private key `%s' has different group", t.buf);
406 G_EXP(g, kpub, g->g, x);
407 indexsz = mp_octets(g->r);
409 /* --- Dump out the group --- */
411 IF_TRACING(T_KEYMGMT, {
412 trace(T_KEYMGMT, "keymgmt: extracted private key `%s'", t.buf);
413 IF_TRACING(T_CRYPTO, {
414 trace(T_CRYPTO, "crypto: r = %s", mpstr(g->r));
415 trace(T_CRYPTO, "crypto: h = %s", mpstr(g->h));
416 trace(T_CRYPTO, "crypto: x = %s", mpstr(x));
417 trace(T_CRYPTO, "crypto: cipher = %s", a.c->name);
418 trace(T_CRYPTO, "crypto: mgf = %s", a.mgf->name);
419 trace(T_CRYPTO, "crypto: hash = %s", a.h->name);
420 trace(T_CRYPTO, "crypto: mac = %s/%lu",
421 a.m->name, (unsigned long)a.tagsz * 8);
425 /* --- Success! --- */
432 /* --- Tidy up --- */
439 if (g) G_DESTROYGROUP(g);
443 /* --- @loadpub@ --- *
445 * Arguments: @dstr *d@ = string to write errors to
447 * Returns: Zero if OK, nonzero on error.
449 * Use: Reloads the public keyring.
452 static int loadpub(dstr *d)
454 key_file *kf = CREATE(key_file);
456 if (key_open(kf, kr_pub, KOPEN_READ, keymoan, 0)) {
457 dstr_putf(d, "error reading public keyring `%s': %s",
458 kr_pub, strerror(errno));
463 T( trace(T_KEYMGMT, "keymgmt: loaded public keyring `%s'", kr_pub); )
467 /* --- @km_reload@ --- *
471 * Returns: Zero if OK, nonzero to force reloading of keys.
473 * Use: Checks the keyrings to see if they need reloading.
482 /* --- Check the private key first --- */
484 if (fwatch_update(&w_priv, kr_priv)) {
485 T( trace(T_KEYMGMT, "keymgmt: private keyring updated: reloading..."); )
488 a_warn("KEYMGMT", "bad-private-key", "%s", d.buf, A_END);
493 /* --- Now check the public keys --- */
495 if (fwatch_update(&w_pub, kr_pub)) {
496 T( trace(T_KEYMGMT, "keymgmt: public keyring updated: reloading..."); )
500 a_warn("KEYMGMT", "bad-public-keyring", "%s", d.buf, A_END);
513 /* --- @km_init@ --- *
515 * Arguments: @const char *priv@ = private keyring file
516 * @const char *pub@ = public keyring file
517 * @const char *tag@ = tag to load
521 * Use: Initializes, and loads the private key.
524 void km_init(const char *priv, const char *pub, const char *tag)
527 const gchash *const *hh;
532 fwatch_init(&w_priv, kr_priv);
533 fwatch_init(&w_pub, kr_pub);
535 for (hh = ghashtab; *hh; hh++) {
536 if ((*hh)->hashsz > MAXHASHSZ) {
537 die(EXIT_FAILURE, "INTERNAL ERROR: %s hash length %lu > MAXHASHSZ %d",
538 (*hh)->name, (unsigned long)(*hh)->hashsz, MAXHASHSZ);
544 die(EXIT_FAILURE, "%s", d.buf);
546 die(EXIT_FAILURE, "%s", d.buf);
549 /* --- @km_getpubkey@ --- *
551 * Arguments: @const char *tag@ = public key tag to load
552 * @ge *kpub@ = where to put the public key
553 * @time_t *t_exp@ = where to put the expiry time
555 * Returns: Zero if OK, nonzero if it failed.
557 * Use: Fetches a public key from the keyring.
560 int km_getpubkey(const char *tag, ge *kpub, time_t *t_exp)
572 /* --- Find the key --- */
574 if (key_qtag(kf_pub, tag, &t, &k, &kd)) {
575 a_warn("KEYMGMT", "public-key", "%s", tag, "not-found", A_END);
579 /* --- Look up the key type in the table --- */
581 for (ko = kgtab; *ko; ko++) {
582 if (strcmp((*ko)->ty, k->type) == 0)
586 "public-key", "%s", t.buf,
587 "unknown-type", "%s", k->type,
592 /* --- Load the key --- */
594 if ((e = (*ko)->loadpub(*kd, &g, &p, &t)) != 0) {
595 a_warn("KEYMGMT", "public-key", "%s", t.buf, "bad", "%s", e, A_END);
599 /* --- Ensure that the group is correct --- *
601 * Dodginess! We assume that if this works, our global group is willing to
602 * adopt this public element. Probably reasonable.
605 if (!group_samep(gg, g)) {
606 a_warn("KEYMGMT", "public-key", "%s", t.buf, "incorrect-group", A_END);
610 /* --- Check the public group element --- */
612 if (group_check(gg, p)) {
614 "public-key", "%s", t.buf,
615 "bad-public-group-element",
620 /* --- Check the algorithms --- */
622 if ((e = algs_get(&a, kf_pub, k)) != 0) {
624 "public-key", "%s", t.buf,
625 "bad-algorithm-selection", e,
629 if (!algs_samep(&a, &algs)) {
631 "public-key", "%s", t.buf,
632 "algorithm-mismatch",
637 /* --- Dump the public key --- */
639 IF_TRACING(T_KEYMGMT, {
640 trace(T_KEYMGMT, "keymgmt: extracted public key `%s'", t.buf);
641 trace(T_CRYPTO, "crypto: p = %s", gestr(gg, p));
644 /* --- OK, accept the public key --- */
650 /* --- Tidy up --- */
653 if (p) G_DESTROY(g, p);
654 if (g) G_DESTROYGROUP(g);
659 /*----- That's all, folks -------------------------------------------------*/