+++ /dev/null
-/* -*-c-*-
- *
- * $Id$
- *
- * Key loading and storing
- *
- * (c) 2001 Straylight/Edgeware
- */
-
-/*----- Licensing notice --------------------------------------------------*
- *
- * This file is part of Trivial IP Encryption (TrIPE).
- *
- * TrIPE is free software; you can redistribute it and/or modify
- * it under the terms of the GNU General Public License as published by
- * the Free Software Foundation; either version 2 of the License, or
- * (at your option) any later version.
- *
- * TrIPE is distributed in the hope that it will be useful,
- * but WITHOUT ANY WARRANTY; without even the implied warranty of
- * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
- * GNU General Public License for more details.
- *
- * You should have received a copy of the GNU General Public License
- * along with TrIPE; if not, write to the Free Software Foundation,
- * Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
- */
-
-/*----- Header files ------------------------------------------------------*/
-
-#include "tripe.h"
-
-/*----- Global variables --------------------------------------------------*/
-
-group *gg;
-mp *kpriv;
-ge *kpub;
-algswitch algs;
-size_t indexsz;
-
-/*----- Static variables --------------------------------------------------*/
-
-static key_file *kf_pub;
-static const char *kr_priv, *kr_pub, *tag_priv;
-static fwatch w_priv, w_pub;
-
-/*----- Key groups --------------------------------------------------------*/
-
-typedef struct kgops {
- const char *ty;
- const char *(*loadpriv)(key_data *, group **, mp **, dstr *);
- const char *(*loadpub)(key_data *, group **, ge **, dstr *);
-} kgops;
-
-/* --- Diffie-Hellman --- */
-
-static const char *kgdh_priv(key_data *kd, group **g, mp **x, dstr *t)
-{
- key_packstruct kps[DH_PRIVFETCHSZ];
- key_packdef *kp;
- dh_priv dp;
- const char *e;
- int rc;
-
- kp = key_fetchinit(dh_privfetch, kps, &dp);
- if ((rc = key_unpack(kp, kd, t)) != 0) {
- e = key_strerror(rc);
- goto done;
- }
- *g = group_prime(&dp.dp);
- *x = MP_COPY(dp.x);
- e = 0;
-done:
- key_fetchdone(kp);
- return (e);
-}
-
-static const char *kgdh_pub(key_data *kd, group **g, ge **p, dstr *t)
-{
- key_packstruct kps[DH_PUBFETCHSZ];
- key_packdef *kp;
- dh_pub dp;
- const char *e;
- int rc;
-
- kp = key_fetchinit(dh_pubfetch, kps, &dp);
- if ((rc = key_unpack(kp, kd, t)) != 0) {
- e = key_strerror(rc);
- goto done;
- }
- *g = group_prime(&dp.dp);
- *p = G_CREATE(*g);
- if (G_FROMINT(*g, *p, dp.y)) {
- e = "bad public value";
- goto done;
- }
- e = 0;
-done:
- key_fetchdone(kp);
- return (e);
-}
-
-static const kgops kgdh_ops = { "tripe-dh", kgdh_priv, kgdh_pub };
-
-/* --- Elliptic curve --- */
-
-static const char *kgec_priv(key_data *kd, group **g, mp **x, dstr *t)
-{
- key_packstruct kps[EC_PRIVFETCHSZ];
- key_packdef *kp;
- ec_priv ep;
- ec_info ei;
- const char *e;
- int rc;
-
- kp = key_fetchinit(ec_privfetch, kps, &ep);
- if ((rc = key_unpack(kp, kd, t)) != 0) {
- e = key_strerror(rc);
- goto done;
- }
- if ((e = ec_getinfo(&ei, ep.cstr)) != 0)
- goto done;
- *g = group_ec(&ei);
- *x = MP_COPY(ep.x);
- e = 0;
-done:
- key_fetchdone(kp);
- return (e);
-}
-
-static const char *kgec_pub(key_data *kd, group **g, ge **p, dstr *t)
-{
- key_packstruct kps[EC_PUBFETCHSZ];
- key_packdef *kp;
- ec_pub ep;
- ec_info ei;
- const char *e;
- int rc;
-
- kp = key_fetchinit(ec_pubfetch, kps, &ep);
- if ((rc = key_unpack(kp, kd, t)) != 0) {
- e = key_strerror(rc);
- goto done;
- }
- if ((e = ec_getinfo(&ei, ep.cstr)) != 0)
- goto done;
- *g = group_ec(&ei);
- *p = G_CREATE(*g);
- if (G_FROMEC(*g, *p, &ep.p)) {
- e = "bad public point";
- goto done;
- }
- e = 0;
-done:
- key_fetchdone(kp);
- return (e);
-}
-
-static const kgops kgec_ops = { "tripe-ec", kgec_priv, kgec_pub };
-
-/* --- Table of supported key types --- */
-
-static const kgops *kgtab[] = { &kgdh_ops, &kgec_ops, 0 };
-
-/*----- Algswitch stuff ---------------------------------------------------*/
-
-/* --- @algs_get@ --- *
- *
- * Arguments: @algswitch *a@ = where to put the algorithms
- * @key_file *kf@ = key file (for some stupid reason)
- * @key *k@ = key to inspect
- *
- * Returns: Null if OK, or an error message.
- *
- * Use: Extracts an algorithm choice from a key.
- */
-
-static const char *algs_get(algswitch *a, key_file *kf, key *k)
-{
- const char *p;
- char *q;
- dstr d = DSTR_INIT;
- const char *e;
-
-#define FAIL(msg) do { e = msg; goto done; } while (0)
-
- if ((p = key_getattr(kf, k, "cipher")) == 0)
- p = "blowfish-cbc";
- if ((a->c = gcipher_byname(p)) == 0)
- FAIL("unknown-cipher");
-
- if ((p = key_getattr(kf, k, "hash")) == 0)
- p = "rmd160";
- if ((a->h = ghash_byname(p)) == 0)
- FAIL("unknown-hash");
-
- if ((p = key_getattr(kf, k, "mgf")) == 0) {
- dstr_reset(&d);
- dstr_putf(&d, "%s-mgf", a->h->name);
- p = d.buf;
- }
- if ((a->mgf = gcipher_byname(p)) == 0)
- FAIL("unknown-mgf-cipher");
-
- if ((p = key_getattr(kf, k, "mac")) != 0) {
- dstr_reset(&d);
- dstr_puts(&d, p);
- if ((q = strchr(d.buf, '/')) != 0)
- *q++ = 0;
- if ((a->m = gmac_byname(d.buf)) == 0)
- FAIL("unknown-mac");
- if (!q)
- a->tagsz = a->m->hashsz;
- else {
- unsigned long n = strtoul(q, &q, 0);
- if (*q) FAIL("bad-tag-length-string");
- if (n%8 || n > ~(size_t)0) FAIL("bad-tag-length");
- a->tagsz = n/8;
- }
- } else {
- dstr_reset(&d);
- dstr_putf(&d, "%s-hmac", a->h->name);
- if ((a->m = gmac_byname(d.buf)) == 0)
- FAIL("no-hmac-for-hash");
- a->tagsz = a->h->hashsz/2;
- }
-
- e = 0;
-done:
- dstr_destroy(&d);
- return (e);
-}
-
-/* --- @algs_check@ --- *
- *
- * Arguments: @algswitch *a@ = a choice of algorithms
- * @const group *g@ = the group we're working in
- *
- * Returns: Null if OK, or an error message.
- *
- * Use: Checks an algorithm choice for sensibleness. This also
- * derives some useful information from the choices, and you
- * must call this before committing the algorithm selection
- * for use by @keyset@ functions.
- */
-
-static const char *algs_check(algswitch *a, const group *g)
-{
- /* --- Derive the key sizes --- *
- *
- * Must ensure that we have non-empty keys. This isn't ideal, but it
- * provides a handy sanity check.
- */
-
- a->hashsz = a->h->hashsz;
- if ((a->cksz = keysz(a->hashsz, a->c->keysz)) == 0)
- return ("no key size found for cipher");
- if ((a->mksz = keysz(a->hashsz, a->m->keysz)) == 0)
- return ("no key size found for MAC");
-
- /* --- Ensure that the tag size is sane --- */
-
- if (a->tagsz > a->m->hashsz) return ("tag length too large");
-
- /* --- Ensure the MGF accepts hashes as keys --- */
-
- if (keysz(a->hashsz, a->mgf->keysz) != a->hashsz)
- return ("MGF not suitable -- restrictive key schedule");
-
- /* --- All ship-shape and Bristol-fashion --- */
-
- return (0);
-}
-
-/* --- @algs_samep@ --- *
- *
- * Arguments: @const algswitch *a, *aa@ = two algorithm selections
- *
- * Returns: Nonzero if the two selections are the same.
- *
- * Use: Checks sameness of algorithm selections: used to ensure that
- * peers are using sensible algorithms.
- */
-
-static int algs_samep(const algswitch *a, const algswitch *aa)
-{
- return (a->c == aa->c && a->mgf == aa->mgf && a->h == aa->h &&
- a->m == aa->m && a->tagsz == aa->tagsz);
-}
-
-/*----- Main code ---------------------------------------------------------*/
-
-/* --- @keymoan@ --- *
- *
- * Arguments: @const char *file@ = name of the file
- * @int line@ = line number in file
- * @const char *msg@ = error message
- * @void *p@ = argument pointer
- *
- * Returns: ---
- *
- * Use: Reports an error message about loading a key file.
- */
-
-static void keymoan(const char *file, int line, const char *msg, void *p)
-{
- a_warn("KEYMGMT",
- "key-file-error",
- "%s:%i", file, line,
- "%s", msg,
- A_END);
-}
-
-/* --- @loadpriv@ --- *
- *
- * Arguments: @dstr *d@ = string to write errors in
- *
- * Returns: Zero if OK, nonzero on error.
- *
- * Use: Loads the private key from its keyfile.
- */
-
-static int loadpriv(dstr *d)
-{
- key_file kf;
- key *k;
- key_data **kd;
- dstr t = DSTR_INIT;
- group *g = 0;
- mp *x = 0;
- int rc = -1;
- const kgops **ko;
- const char *e;
- algswitch a;
-
- /* --- Open the private key file --- */
-
- if (key_open(&kf, kr_priv, KOPEN_READ, keymoan, 0)) {
- dstr_putf(d, "error reading private keyring `%s': %s",
- kr_priv, strerror(errno));
- goto done_0;
- }
-
- /* --- Find the private key --- */
-
- if (key_qtag(&kf, tag_priv, &t, &k, &kd)) {
- dstr_putf(d, "private key `%s' not found in keyring `%s'",
- tag_priv, kr_priv);
- goto done_1;
- }
-
- /* --- Look up the key type in the table --- */
-
- for (ko = kgtab; *ko; ko++) {
- if (strcmp((*ko)->ty, k->type) == 0)
- goto tymatch;
- }
- dstr_putf(d, "private key `%s' has unknown type `%s'", t.buf, k->type);
- goto done_1;
-tymatch:;
-
- /* --- Load the key --- */
-
- if ((e = (*ko)->loadpriv(*kd, &g, &x, &t)) != 0) {
- dstr_putf(d, "error reading private key `%s': %s", t.buf, e);
- goto done_1;
- }
-
- /* --- Check that the key is sensible --- */
-
- if ((e = G_CHECK(g, &rand_global)) != 0) {
- dstr_putf(d, "bad group in private key `%s': %s", t.buf, e);
- goto done_1;
- }
-
- /* --- Collect the algorithms --- */
-
- if ((e = algs_get(&a, &kf, k)) != 0 ||
- (e = algs_check(&a, g)) != 0) {
- dstr_putf(d, "bad symmetric algorithm selection in private key `%s': %s",
- t.buf, e);
- goto done_1;
- }
-
- /* --- Good, we're happy --- *
- *
- * Dodginess! We change the group over here, but don't free any old group
- * elements. This assumes that the new group is basically the same as the
- * old one, and will happily adopt the existing elements. If it isn't,
- * then we lose badly. Check this, then.
- */
-
- if (gg) {
- if (!group_samep(g, gg)) {
- dstr_putf(d, "private key `%s' has different group", t.buf);
- goto done_1;
- }
- G_DESTROYGROUP(gg);
- }
- if (kpriv)
- mp_drop(kpriv);
-
- if (kpub)
- G_DESTROY(g, kpub);
- kpub = G_CREATE(g);
- G_EXP(g, kpub, g->g, x);
- indexsz = mp_octets(g->r);
-
- /* --- Dump out the group --- */
-
- IF_TRACING(T_KEYMGMT, {
- trace(T_KEYMGMT, "keymgmt: extracted private key `%s'", t.buf);
- IF_TRACING(T_CRYPTO, {
- trace(T_CRYPTO, "crypto: r = %s", mpstr(g->r));
- trace(T_CRYPTO, "crypto: h = %s", mpstr(g->h));
- trace(T_CRYPTO, "crypto: x = %s", mpstr(x));
- trace(T_CRYPTO, "crypto: cipher = %s", a.c->name);
- trace(T_CRYPTO, "crypto: mgf = %s", a.mgf->name);
- trace(T_CRYPTO, "crypto: hash = %s", a.h->name);
- trace(T_CRYPTO, "crypto: mac = %s/%lu",
- a.m->name, (unsigned long)a.tagsz * 8);
- })
- })
-
- /* --- Success! --- */
-
- gg = g; g = 0;
- algs = a;
- kpriv = x; x = 0;
- rc = 0;
-
- /* --- Tidy up --- */
-
-done_1:
- key_close(&kf);
-done_0:
- dstr_destroy(&t);
- if (x) mp_drop(x);
- if (g) G_DESTROYGROUP(g);
- return (rc);
-}
-
-/* --- @loadpub@ --- *
- *
- * Arguments: @dstr *d@ = string to write errors to
- *
- * Returns: Zero if OK, nonzero on error.
- *
- * Use: Reloads the public keyring.
- */
-
-static int loadpub(dstr *d)
-{
- key_file *kf = CREATE(key_file);
-
- if (key_open(kf, kr_pub, KOPEN_READ, keymoan, 0)) {
- dstr_putf(d, "error reading public keyring `%s': %s",
- kr_pub, strerror(errno));
- DESTROY(kf);
- return (-1);
- }
- kf_pub = kf;
- T( trace(T_KEYMGMT, "keymgmt: loaded public keyring `%s'", kr_pub); )
- return (0);
-}
-
-/* --- @km_reload@ --- *
- *
- * Arguments: ---
- *
- * Returns: Zero if OK, nonzero to force reloading of keys.
- *
- * Use: Checks the keyrings to see if they need reloading.
- */
-
-int km_reload(void)
-{
- dstr d = DSTR_INIT;
- key_file *kf;
- int reload = 0;
-
- /* --- Check the private key first --- */
-
- if (fwatch_update(&w_priv, kr_priv)) {
- T( trace(T_KEYMGMT, "keymgmt: private keyring updated: reloading..."); )
- DRESET(&d);
- if (loadpriv(&d))
- a_warn("KEYMGMT", "bad-private-key", "%s", d.buf, A_END);
- else
- reload = 1;
- }
-
- /* --- Now check the public keys --- */
-
- if (fwatch_update(&w_pub, kr_pub)) {
- T( trace(T_KEYMGMT, "keymgmt: public keyring updated: reloading..."); )
- kf = kf_pub;
- DRESET(&d);
- if (loadpub(&d))
- a_warn("KEYMGMT", "bad-public-keyring", "%s", d.buf, A_END);
- else {
- reload = 1;
- key_close(kf);
- DESTROY(kf);
- }
- }
-
- /* --- Done --- */
-
- return (reload);
-}
-
-/* --- @km_init@ --- *
- *
- * Arguments: @const char *priv@ = private keyring file
- * @const char *pub@ = public keyring file
- * @const char *tag@ = tag to load
- *
- * Returns: ---
- *
- * Use: Initializes, and loads the private key.
- */
-
-void km_init(const char *priv, const char *pub, const char *tag)
-{
- dstr d = DSTR_INIT;
- const gchash *const *hh;
-
- kr_priv = priv;
- kr_pub = pub;
- tag_priv = tag;
- fwatch_init(&w_priv, kr_priv);
- fwatch_init(&w_pub, kr_pub);
-
- for (hh = ghashtab; *hh; hh++) {
- if ((*hh)->hashsz > MAXHASHSZ) {
- die(EXIT_FAILURE, "INTERNAL ERROR: %s hash length %lu > MAXHASHSZ %d",
- (*hh)->name, (unsigned long)(*hh)->hashsz, MAXHASHSZ);
- }
- }
-
- DRESET(&d);
- if (loadpriv(&d))
- die(EXIT_FAILURE, "%s", d.buf);
- if (loadpub(&d))
- die(EXIT_FAILURE, "%s", d.buf);
-}
-
-/* --- @km_getpubkey@ --- *
- *
- * Arguments: @const char *tag@ = public key tag to load
- * @ge *kpub@ = where to put the public key
- * @time_t *t_exp@ = where to put the expiry time
- *
- * Returns: Zero if OK, nonzero if it failed.
- *
- * Use: Fetches a public key from the keyring.
- */
-
-int km_getpubkey(const char *tag, ge *kpub, time_t *t_exp)
-{
- key *k;
- key_data **kd;
- dstr t = DSTR_INIT;
- const kgops **ko;
- const char *e;
- group *g = 0;
- ge *p = 0;
- algswitch a;
- int rc = -1;
-
- /* --- Find the key --- */
-
- if (key_qtag(kf_pub, tag, &t, &k, &kd)) {
- a_warn("KEYMGMT", "public-key", "%s", tag, "not-found", A_END);
- goto done;
- }
-
- /* --- Look up the key type in the table --- */
-
- for (ko = kgtab; *ko; ko++) {
- if (strcmp((*ko)->ty, k->type) == 0)
- goto tymatch;
- }
- a_warn("KEYMGMT",
- "public-key", "%s", t.buf,
- "unknown-type", "%s", k->type,
- A_END);
- goto done;
-tymatch:;
-
- /* --- Load the key --- */
-
- if ((e = (*ko)->loadpub(*kd, &g, &p, &t)) != 0) {
- a_warn("KEYMGMT", "public-key", "%s", t.buf, "bad", "%s", e, A_END);
- goto done;
- }
-
- /* --- Ensure that the group is correct --- *
- *
- * Dodginess! We assume that if this works, our global group is willing to
- * adopt this public element. Probably reasonable.
- */
-
- if (!group_samep(gg, g)) {
- a_warn("KEYMGMT", "public-key", "%s", t.buf, "incorrect-group", A_END);
- goto done;
- }
-
- /* --- Check the public group element --- */
-
- if (group_check(gg, p)) {
- a_warn("KEYMGMT",
- "public-key", "%s", t.buf,
- "bad-public-group-element",
- A_END);
- goto done;
- }
-
- /* --- Check the algorithms --- */
-
- if ((e = algs_get(&a, kf_pub, k)) != 0) {
- a_warn("KEYMGMT",
- "public-key", "%s", t.buf,
- "bad-algorithm-selection", e,
- A_END);
- goto done;
- }
- if (!algs_samep(&a, &algs)) {
- a_warn("KEYMGMT",
- "public-key", "%s", t.buf,
- "algorithm-mismatch",
- A_END);
- goto done;
- }
-
- /* --- Dump the public key --- */
-
- IF_TRACING(T_KEYMGMT, {
- trace(T_KEYMGMT, "keymgmt: extracted public key `%s'", t.buf);
- trace(T_CRYPTO, "crypto: p = %s", gestr(gg, p));
- })
-
- /* --- OK, accept the public key --- */
-
- *t_exp = k->exp;
- G_COPY(gg, kpub, p);
- rc = 0;
-
- /* --- Tidy up --- */
-
-done:
- if (p) G_DESTROY(g, p);
- if (g) G_DESTROYGROUP(g);
- dstr_destroy(&t);
- return (rc);
-}
-
-/*----- That's all, folks -------------------------------------------------*/