/* -*-c-*-
*
- * $Id: keymgmt.c,v 1.1 2001/02/03 20:26:37 mdw Exp $
+ * $Id$
*
* Key loading and storing
*
* Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
*/
-/*----- Revision history --------------------------------------------------*
- *
- * $Log: keymgmt.c,v $
- * Revision 1.1 2001/02/03 20:26:37 mdw
- * Initial checkin.
- *
- */
-
/*----- Header files ------------------------------------------------------*/
#include "tripe.h"
/*----- Global variables --------------------------------------------------*/
-mpmont mg;
-dh_priv kpriv;
+group *gg;
+mp *kpriv;
+algswitch algs;
/*----- Static variables --------------------------------------------------*/
static const char *kr_priv, *kr_pub, *tag_priv;
static fwatch w_priv, w_pub;
+/*----- Key groups --------------------------------------------------------*/
+
+typedef struct kgops {
+ const char *ty;
+ const char *(*loadpriv)(key_data *, group **, mp **, dstr *);
+ const char *(*loadpub)(key_data *, group **, ge **, dstr *);
+} kgops;
+
+/* --- Diffie-Hellman --- */
+
+static const char *kgdh_priv(key_data *kd, group **g, mp **x, dstr *t)
+{
+ key_packstruct kps[DH_PRIVFETCHSZ];
+ key_packdef *kp;
+ dh_priv dp;
+ const char *e;
+ int rc;
+
+ kp = key_fetchinit(dh_privfetch, kps, &dp);
+ if ((rc = key_unpack(kp, kd, t)) != 0) {
+ e = key_strerror(rc);
+ goto done;
+ }
+ *g = group_prime(&dp.dp);
+ *x = MP_COPY(dp.x);
+ e = 0;
+done:
+ key_fetchdone(kp);
+ return (e);
+}
+
+static const char *kgdh_pub(key_data *kd, group **g, ge **p, dstr *t)
+{
+ key_packstruct kps[DH_PUBFETCHSZ];
+ key_packdef *kp;
+ dh_pub dp;
+ const char *e;
+ int rc;
+
+ kp = key_fetchinit(dh_pubfetch, kps, &dp);
+ if ((rc = key_unpack(kp, kd, t)) != 0) {
+ e = key_strerror(rc);
+ goto done;
+ }
+ *g = group_prime(&dp.dp);
+ *p = G_CREATE(*g);
+ if (G_FROMINT(*g, *p, dp.y)) {
+ e = "bad public value";
+ goto done;
+ }
+ e = 0;
+done:
+ key_fetchdone(kp);
+ return (e);
+}
+
+static const kgops kgdh_ops = { "tripe-dh", kgdh_priv, kgdh_pub };
+
+/* --- Elliptic curve --- */
+
+static const char *kgec_priv(key_data *kd, group **g, mp **x, dstr *t)
+{
+ key_packstruct kps[EC_PRIVFETCHSZ];
+ key_packdef *kp;
+ ec_priv ep;
+ ec_info ei;
+ const char *e;
+ int rc;
+
+ kp = key_fetchinit(ec_privfetch, kps, &ep);
+ if ((rc = key_unpack(kp, kd, t)) != 0) {
+ e = key_strerror(rc);
+ goto done;
+ }
+ if ((e = ec_getinfo(&ei, ep.cstr)) != 0)
+ goto done;
+ *g = group_ec(&ei);
+ *x = MP_COPY(ep.x);
+ e = 0;
+done:
+ key_fetchdone(kp);
+ return (e);
+}
+
+static const char *kgec_pub(key_data *kd, group **g, ge **p, dstr *t)
+{
+ key_packstruct kps[EC_PUBFETCHSZ];
+ key_packdef *kp;
+ ec_pub ep;
+ ec_info ei;
+ const char *e;
+ int rc;
+
+ kp = key_fetchinit(ec_pubfetch, kps, &ep);
+ if ((rc = key_unpack(kp, kd, t)) != 0) {
+ e = key_strerror(rc);
+ goto done;
+ }
+ if ((e = ec_getinfo(&ei, ep.cstr)) != 0)
+ goto done;
+ *g = group_ec(&ei);
+ *p = G_CREATE(*g);
+ if (G_FROMEC(*g, *p, &ep.p)) {
+ e = "bad public point";
+ goto done;
+ }
+ e = 0;
+done:
+ key_fetchdone(kp);
+ return (e);
+}
+
+static const kgops kgec_ops = { "tripe-ec", kgec_priv, kgec_pub };
+
+/* --- Table of supported key types --- */
+
+static const kgops *kgtab[] = { &kgdh_ops, &kgec_ops, 0 };
+
+/*----- Algswitch stuff ---------------------------------------------------*/
+
+/* --- @algs_get@ --- *
+ *
+ * Arguments: @algswitch *a@ = where to put the algorithms
+ * @key_file *kf@ = key file (for some stupid reason)
+ * @key *k@ = key to inspect
+ *
+ * Returns: Null if OK, or an error message.
+ *
+ * Use: Extracts an algorithm choice from a key.
+ */
+
+static const char *algs_get(algswitch *a, key_file *kf, key *k)
+{
+ const char *p;
+ char *q;
+ dstr d = DSTR_INIT;
+ const char *e;
+
+#define FAIL(msg) do { e = msg; goto done; } while (0)
+
+ if ((p = key_getattr(kf, k, "cipher")) == 0)
+ p = "blowfish-cbc";
+ if ((a->c = gcipher_byname(p)) == 0)
+ FAIL("unknown-cipher");
+
+ if ((p = key_getattr(kf, k, "hash")) == 0)
+ p = "rmd160";
+ if ((a->h = ghash_byname(p)) == 0)
+ FAIL("unknown-hash");
+
+ if ((p = key_getattr(kf, k, "mgf")) == 0) {
+ dstr_reset(&d);
+ dstr_putf(&d, "%s-mgf", a->h->name);
+ p = d.buf;
+ }
+ if ((a->mgf = gcipher_byname(p)) == 0)
+ FAIL("unknown-mgf-cipher");
+
+ if ((p = key_getattr(kf, k, "mac")) != 0) {
+ dstr_reset(&d);
+ dstr_puts(&d, p);
+ if ((q = strchr(d.buf, '/')) != 0)
+ *q++ = 0;
+ if ((a->m = gmac_byname(d.buf)) == 0)
+ FAIL("unknown-mac");
+ if (!q)
+ a->tagsz = a->m->hashsz;
+ else {
+ unsigned long n = strtoul(q, &q, 0);
+ if (*q) FAIL("bad-tag-length-string");
+ if (n%8 || n > ~(size_t)0) FAIL("bad-tag-length");
+ a->tagsz = n/8;
+ }
+ } else {
+ dstr_reset(&d);
+ dstr_putf(&d, "%s-hmac", a->h->name);
+ if ((a->m = gmac_byname(d.buf)) == 0)
+ FAIL("no-hmac-for-hash");
+ a->tagsz = a->h->hashsz/2;
+ }
+
+ e = 0;
+done:
+ dstr_destroy(&d);
+ return (e);
+}
+
+/* --- @algs_check@ --- *
+ *
+ * Arguments: @algswitch *a@ = a choice of algorithms
+ * @const group *g@ = the group we're working in
+ *
+ * Returns: Null if OK, or an error message.
+ *
+ * Use: Checks an algorithm choice for sensibleness. This also
+ * derives some useful information from the choices, and you
+ * must call this before committing the algorithm selection
+ * for use by @keyset@ functions.
+ */
+
+static const char *algs_check(algswitch *a, const group *g)
+{
+ /* --- Derive the key sizes --- *
+ *
+ * Must ensure that we have non-empty keys. This isn't ideal, but it
+ * provides a handy sanity check.
+ */
+
+ a->hashsz = a->h->hashsz;
+ if ((a->cksz = keysz(a->hashsz, a->c->keysz)) == 0)
+ return ("no key size found for cipher");
+ if ((a->mksz = keysz(a->hashsz, a->m->keysz)) == 0)
+ return ("no key size found for MAC");
+
+ /* --- Ensure that the tag size is sane --- */
+
+ if (a->tagsz > a->m->hashsz) return ("tag length too large");
+
+ /* --- Ensure the MGF accepts hashes as keys --- */
+
+ if (keysz(a->hashsz, a->mgf->keysz) != a->hashsz)
+ return ("MGF not suitable -- restrictive key schedule");
+
+ /* --- All ship-shape and Bristol-fashion --- */
+
+ return (0);
+}
+
+/* --- @algs_samep@ --- *
+ *
+ * Arguments: @const algswitch *a, *aa@ = two algorithm selections
+ *
+ * Returns: Nonzero if the two selections are the same.
+ *
+ * Use: Checks sameness of algorithm selections: used to ensure that
+ * peers are using sensible algorithms.
+ */
+
+static int algs_samep(const algswitch *a, const algswitch *aa)
+{
+ return (a->c == aa->c && a->mgf == aa->mgf && a->h == aa->h &&
+ a->m == aa->m && a->tagsz == aa->tagsz);
+}
+
/*----- Main code ---------------------------------------------------------*/
/* --- @keymoan@ --- *
*
- * Arguments: @@const char *file@ = name of the file
+ * Arguments: @const char *file@ = name of the file
* @int line@ = line number in file
* @const char *msg@ = error message
* @void *p@ = argument pointer
*/
static void keymoan(const char *file, int line, const char *msg, void *p)
-{
- a_warn("%s:%i: error: %s", file, line, msg);
-}
+ { a_warn("KEYMGMT key-file-error %s:%i -- %s", file, line, msg); }
/* --- @loadpriv@ --- *
*
* Arguments: @dstr *d@ = string to write errors in
- * @dh_priv *dh@ = where to store the key
*
* Returns: Zero if OK, nonzero on error.
*
* Use: Loads the private key from its keyfile.
*/
-static int loadpriv(dstr *d, dh_priv *dh)
+static int loadpriv(dstr *d)
{
key_file kf;
- key_packstruct kps[DH_PRIVFETCHSZ];
- key_packdef *kp;
- dh_priv mydh;
- int rc = 0;
- int e;
+ key *k;
+ key_data *kd;
+ dstr t = DSTR_INIT;
+ group *g = 0;
+ mp *x = 0;
+ int rc = -1;
+ const kgops **ko;
+ const char *e;
+ algswitch a;
+
+ /* --- Open the private key file --- */
if (key_open(&kf, kr_priv, KOPEN_READ, keymoan, 0)) {
dstr_putf(d, "error reading private keyring `%s': %s",
kr_priv, strerror(errno));
- rc = -1;
- } else {
- T( trace(T_KEYMGMT, "keymgmt: loaded private keyring `%s'", kr_priv); )
- kp = key_fetchinit(dh_privfetch, kps, &mydh);
- if ((e = key_fetchbyname(kp, &kf, tag_priv)) != 0) {
- dstr_putf(d, "error loading private key `%s': %s",
- tag_priv, key_strerror(e));
- rc = -1;
- } else {
- dh->dp.p = MP_COPY(mydh.dp.p);
- dh->dp.q = MP_COPY(mydh.dp.q);
- dh->dp.g = MP_COPY(mydh.dp.g);
- dh->x = MP_COPY(mydh.x);
- dh->y = MP_COPY(mydh.y);
- IF_TRACING(T_KEYMGMT, {
- trace(T_KEYMGMT, "keymgmt: extracted private key `%s'", tag_priv);
- IF_TRACING(T_CRYPTO, {
- trace(T_CRYPTO, "crypto: p = %s", mpstr(kpriv.dp.p));
- trace(T_CRYPTO, "crypto: q = %s", mpstr(kpriv.dp.q));
- trace(T_CRYPTO, "crypto: g = %s", mpstr(kpriv.dp.g));
- trace(T_CRYPTO, "crypto: x = %s", mpstr(kpriv.x));
- trace(T_CRYPTO, "crypto: g^x = %s", mpstr(kpriv.y));
- })
- })
+ goto done_0;
+ }
+
+ /* --- Find the private key --- */
+
+ if (key_qtag(&kf, tag_priv, &t, &k, &kd)) {
+ dstr_putf(d, "private key `%s' not found in keyring `%s'",
+ tag_priv, kr_priv);
+ goto done_1;
+ }
+
+ /* --- Look up the key type in the table --- */
+
+ for (ko = kgtab; *ko; ko++) {
+ if (strcmp((*ko)->ty, k->type) == 0)
+ goto tymatch;
+ }
+ dstr_putf(d, "private key `%s' has unknown type `%s'", t.buf, k->type);
+ goto done_1;
+tymatch:;
+
+ /* --- Load the key --- */
+
+ if ((e = (*ko)->loadpriv(kd, &g, &x, &t)) != 0) {
+ dstr_putf(d, "error reading private key `%s': %s", t.buf, e);
+ goto done_1;
+ }
+
+ /* --- Check that the key is sensible --- */
+
+ if ((e = G_CHECK(g, &rand_global)) != 0) {
+ dstr_putf(d, "bad group in private key `%s': %s", t.buf, e);
+ goto done_1;
+ }
+
+ /* --- Collect the algorithms --- */
+
+ if ((e = algs_get(&a, &kf, k)) != 0 ||
+ (e = algs_check(&a, g)) != 0) {
+ dstr_putf(d, "bad symmetric algorithm selection in private key `%s': %s",
+ t.buf, e);
+ goto done_1;
+ }
+
+ /* --- Good, we're happy --- *
+ *
+ * Dodginess! We change the group over here, but don't free any old group
+ * elements. This assumes that the new group is basically the same as the
+ * old one, and will happily adopt the existing elements. If it isn't,
+ * then we lose badly. Check this, then.
+ */
+
+ if (gg) {
+ if (!group_samep(g, gg)) {
+ dstr_putf(d, "private key `%s' has different group", t.buf);
+ goto done_1;
}
- key_fetchdone(kp);
- key_close(&kf);
+ G_DESTROYGROUP(gg);
}
+ if (kpriv)
+ mp_drop(kpriv);
+
+ /* --- Dump out the group --- */
+
+ IF_TRACING(T_KEYMGMT, {
+ trace(T_KEYMGMT, "keymgmt: extracted private key `%s'", t.buf);
+ IF_TRACING(T_CRYPTO, {
+ trace(T_CRYPTO, "crypto: r = %s", mpstr(g->r));
+ trace(T_CRYPTO, "crypto: h = %s", mpstr(g->h));
+ trace(T_CRYPTO, "crypto: x = %s", mpstr(x));
+ trace(T_CRYPTO, "crypto: cipher = %s", a.c->name);
+ trace(T_CRYPTO, "crypto: mgf = %s", a.mgf->name);
+ trace(T_CRYPTO, "crypto: hash = %s", a.h->name);
+ trace(T_CRYPTO, "crypto: mac = %s/%lu",
+ a.m->name, (unsigned long)a.tagsz * 8);
+ })
+ })
+
+ /* --- Success! --- */
+
+ gg = g; g = 0;
+ algs = a;
+ kpriv = x; x = 0;
+ rc = 0;
+
+ /* --- Tidy up --- */
+
+done_1:
+ key_close(&kf);
+done_0:
+ dstr_destroy(&t);
+ if (x) mp_drop(x);
+ if (g) G_DESTROYGROUP(g);
return (rc);
}
int km_interval(void)
{
dstr d = DSTR_INIT;
- dh_priv dh;
key_file *kf;
int reload = 0;
if (fwatch_update(&w_priv, kr_priv)) {
T( trace(T_KEYMGMT, "keymgmt: private keyring updated: reloading..."); )
DRESET(&d);
- if (loadpriv(&d, &dh))
- a_warn("%s -- ignoring changes", d.buf);
- else {
+ if (loadpriv(&d))
+ a_warn("KEYMGMT bad-private-key -- %s", d.buf);
+ else
reload = 1;
- mpmont_destroy(&mg);
- dh_privfree(&kpriv);
- kpriv = dh;
- mpmont_create(&mg, kpriv.dp.p);
- }
}
/* --- Now check the public keys --- */
kf = kf_pub;
DRESET(&d);
if (loadpub(&d))
- a_warn("%s -- ignoring changes", d.buf);
+ a_warn("KEYMGMT bad-public-keyring -- %s", d.buf);
else {
reload = 1;
key_close(kf);
void km_init(const char *priv, const char *pub, const char *tag)
{
dstr d = DSTR_INIT;
+ const gchash *const *hh;
kr_priv = priv;
kr_pub = pub;
fwatch_init(&w_priv, kr_priv);
fwatch_init(&w_pub, kr_pub);
+ for (hh = ghashtab; *hh; hh++) {
+ if ((*hh)->hashsz > MAXHASHSZ) {
+ die(EXIT_FAILURE, "INTERNAL ERROR: %s hash length %lu > MAXHASHSZ %d",
+ (*hh)->name, (unsigned long)(*hh)->hashsz, MAXHASHSZ);
+ }
+ }
+
DRESET(&d);
- if (loadpriv(&d, &kpriv))
+ if (loadpriv(&d))
die(EXIT_FAILURE, "%s", d.buf);
- mpmont_create(&mg, kpriv.dp.p);
if (loadpub(&d))
die(EXIT_FAILURE, "%s", d.buf);
}
/* --- @km_getpubkey@ --- *
*
* Arguments: @const char *tag@ = public key tag to load
- * @dh_pub *kpub@ = where to put the public key
+ * @ge *kpub@ = where to put the public key
+ * @time_t *t_exp@ = where to put the expiry time
*
* Returns: Zero if OK, nonzero if it failed.
*
* Use: Fetches a public key from the keyring.
*/
-int km_getpubkey(const char *tag, dh_pub *kpub)
+int km_getpubkey(const char *tag, ge *kpub, time_t *t_exp)
{
- key_packstruct kps[DH_PUBFETCHSZ];
- key_packdef *kp;
- dh_pub dp;
- int e;
+ key *k;
+ key_data *kd;
+ dstr t = DSTR_INIT;
+ const kgops **ko;
+ const char *e;
+ group *g = 0;
+ ge *p = 0;
+ algswitch a;
+ int rc = -1;
+
+ /* --- Find the key --- */
+
+ if (key_qtag(kf_pub, tag, &t, &k, &kd)) {
+ a_warn("KEYMGMT public-key %s not-found", tag);
+ goto done;
+ }
- kp = key_fetchinit(dh_pubfetch, kps, &dp);
- e = key_fetchbyname(kp, kf_pub, tag);
- key_fetchdone(kp);
- if (e) {
- a_warn("error loading public key `%s': %s", tag, key_strerror(e));
- return (-1);
+ /* --- Look up the key type in the table --- */
+
+ for (ko = kgtab; *ko; ko++) {
+ if (strcmp((*ko)->ty, k->type) == 0)
+ goto tymatch;
+ }
+ a_warn("KEYMGMT public-key %s unknown-type %s", t.buf, k->type);
+ goto done;
+tymatch:;
+
+ /* --- Load the key --- */
+
+ if ((e = (*ko)->loadpub(kd, &g, &p, &t)) != 0) {
+ a_warn("KEYMGMT public-key %s bad -- %s", t.buf, e);
+ goto done;
+ }
+
+ /* --- Ensure that the group is correct --- *
+ *
+ * Dodginess! We assume that if this works, our global group is willing to
+ * adopt this public element. Probably reasonable.
+ */
+
+ if (!group_samep(gg, g)) {
+ a_warn("KEYMGMT public-key %s incorrect-group", t.buf);
+ goto done;
}
+
+ /* --- Check the public group element --- */
+
+ if (group_check(gg, p)) {
+ a_warn("KEYMGMT public-key %s bad-public-group-element", t.buf);
+ goto done;
+ }
+
+ /* --- Check the algorithms --- */
+
+ if ((e = algs_get(&a, kf_pub, k)) != 0) {
+ a_warn("KEYMGMT public-key %s bad-algorithm-selection %s", t.buf, e);
+ goto done;
+ }
+ if (!algs_samep(&a, &algs)) {
+ a_warn("KEYMGMT public-key %s algorithm-mismatch", t.buf);
+ goto done;
+ }
+
+ /* --- Dump the public key --- */
+
IF_TRACING(T_KEYMGMT, {
- trace(T_KEYMGMT, "keymgmt: extracted public key `%s'", tag);
- IF_TRACING(T_CRYPTO, {
- trace(T_CRYPTO, "crypto: p = %s", mpstr(dp.dp.p));
- trace(T_CRYPTO, "crypto: q = %s", mpstr(dp.dp.q));
- trace(T_CRYPTO, "crypto: g = %s", mpstr(dp.dp.g));
- trace(T_CRYPTO, "crypto: g^x = %s", mpstr(dp.y));
- })
+ trace(T_KEYMGMT, "keymgmt: extracted public key `%s'", t.buf);
+ trace(T_CRYPTO, "crypto: p = %s", gestr(gg, p));
})
- if (!mp_eq(dp.dp.p, kpriv.dp.p) ||
- !mp_eq(dp.dp.q, kpriv.dp.q) ||
- !mp_eq(dp.dp.g, kpriv.dp.g)) {
- a_warn("public key `%s' has different group from private key", tag);
- return (-1);
- }
- kpub->dp.p = MP_COPY(dp.dp.p);
- kpub->dp.q = MP_COPY(dp.dp.q);
- kpub->dp.g = MP_COPY(dp.dp.g);
- kpub->y = MP_COPY(dp.y);
- return (0);
+
+ /* --- OK, accept the public key --- */
+
+ *t_exp = k->exp;
+ G_COPY(gg, kpub, p);
+ rc = 0;
+
+ /* --- Tidy up --- */
+
+done:
+ if (p) G_DESTROY(g, p);
+ if (g) G_DESTROYGROUP(g);
+ dstr_destroy(&t);
+ return (rc);
}
/*----- That's all, folks -------------------------------------------------*/