2 encr.c -- everything that deals with encryption
3 Copyright (C) 1998,1999,2000 Ivo Timmermans <itimmermans@bigfoot.com>
4 2000 Guus Sliepen <guus@sliepen.warande.net>
6 This program is free software; you can redistribute it and/or modify
7 it under the terms of the GNU General Public License as published by
8 the Free Software Foundation; either version 2 of the License, or
9 (at your option) any later version.
11 This program is distributed in the hope that it will be useful,
12 but WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 GNU General Public License for more details.
16 You should have received a copy of the GNU General Public License
17 along with this program; if not, write to the Free Software
18 Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
20 $Id: encr.c,v 1.12 2000/05/31 18:23:06 zarq Exp $
25 #include <sys/types.h>
32 #include <sys/socket.h>
38 # ifdef HAVE_GMP2_GMP_H
39 # include <gmp2/gmp.h>
55 #define ENCR_GENERATOR "0xd"
56 #define ENCR_PRIME "0x7fffffffffffffffffffffffffffffff" /* Mersenne :) */
59 char *my_public_key_base36;
60 int key_inited = 0, encryption_keylen;
61 mpz_t my_private_key, my_public_key, generator, shared_prime;
62 int my_key_expiry = (time_t)(-1);
64 static char* mypassphrase;
65 static int mypassphraselen;
67 int char_hex_to_bin(int c)
72 return tolower(c) - 'a' + 10;
75 int str_hex_to_bin(unsigned char *bin, unsigned char *hex)
77 int i = 0, j = 0, l = strlen(hex);
82 bin[0] = char_hex_to_bin(hex[0]);
84 for(; i < l; i+=2, j++)
85 bin[j] = (char_hex_to_bin(hex[i]) << 4) + char_hex_to_bin(hex[i+1]);
90 int read_passphrase(char *which, char **out)
96 extern char *confbase;
99 if((cfg = get_config_val(passphrasesdir)) == NULL)
101 filename = xmalloc(strlen(confbase)+13+strlen(which));
102 sprintf(filename, "%spassphrases/%s", confbase, which);
106 filename = xmalloc(strlen(cfg->data.ptr)+2+strlen(which));
107 sprintf(filename, "%s/%s", (char*)cfg->data.ptr, which);
110 if((f = fopen(filename, "rb")) == NULL)
112 syslog(LOG_ERR, _("Could not open %s: %m"), filename);
116 fscanf(f, "%d ", &size);
117 if(size < 1 || size > (1<<15))
119 syslog(LOG_ERR, _("Illegal passphrase in %s; size would be %d"), filename, size);
122 size >>= 2; /* bits->nibbles */
123 pp = xmalloc(size+2);
124 fgets(pp, size+1, f);
127 *out = xmalloc(size);
129 return str_hex_to_bin(*out, pp);
132 int read_my_passphrase(void)
135 if((mypassphraselen = read_passphrase("local", &mypassphrase)) < 0)
141 int generate_private_key(void)
148 if((cfg = get_config_val(keyexpire)) == NULL)
149 my_key_expiry = (time_t)(time(NULL) + 3600);
151 my_key_expiry = (time_t)(time(NULL) + cfg->data.val);
153 syslog(LOG_NOTICE, _("Generating %d bits keys."), PRIVATE_KEY_BITS);
155 if((f = fopen("/dev/urandom", "r")) == NULL)
157 syslog(LOG_ERR, _("Opening /dev/urandom failed: %m"));
161 s = xmalloc((2 * PRIVATE_KEY_LENGTH) + 1);
163 for(i = 0; i < PRIVATE_KEY_LENGTH; i++)
164 sprintf(&s[i << 1], "%02x", fgetc(f));
166 s[2 * PRIVATE_KEY_LENGTH] = '\0';
168 mpz_set_str(my_private_key, s, 16);
173 void calculate_public_key(void)
176 mpz_powm(my_public_key, generator, my_private_key, shared_prime);
177 my_public_key_base36 = mpz_get_str(NULL, 36, my_public_key);
181 unsigned char static_key[] = { 0x9c, 0xbf, 0x36, 0xa9, 0xce, 0x20, 0x1b, 0x8b, 0x67, 0x56, 0x21, 0x5d, 0x27, 0x1b, 0xd8, 0x7a };
183 int security_init(void)
186 mpz_init(my_private_key);
187 mpz_init(my_public_key);
188 mpz_init_set_str(shared_prime, ENCR_PRIME, 0);
189 mpz_init_set_str(generator, ENCR_GENERATOR, 0);
191 if(read_my_passphrase() < 0)
193 if(generate_private_key() < 0)
196 if(cipher_init(CIPHER_BLOWFISH) < 0)
199 calculate_public_key();
204 void set_shared_key(char *almost_key)
208 mpz_t ak, our_shared_key;
210 mpz_init_set_str(ak, almost_key, 36);
211 mpz_init(our_shared_key);
212 mpz_powm(our_shared_key, ak, my_private_key, shared_prime);
214 tmp = mpz_get_str(NULL, 16, our_shared_key);
215 len = str_hex_to_bin(text_key, tmp);
217 cipher_set_key(&encryption_key, len, text_key);
219 encryption_keylen = len;
222 syslog(LOG_INFO, _("Encryption key set to %s"), tmp);
226 mpz_clear(our_shared_key);
231 void encrypt_passphrase(passphrase_t *pp)
235 unsigned char phrase[1000];
241 mpz_get_str(tmp, 16, my_public_key);
242 keylen = str_hex_to_bin(key, tmp);
244 cipher_set_key(&bf_key, keylen, key);
246 low_crypt_key(mypassphrase, phrase, &bf_key, mypassphraselen, BF_ENCRYPT);
247 pp->len = ((mypassphraselen - 1) | 7) + 1;
248 pp->phrase = xmalloc((pp->len << 1) + 1);
250 for(i = 0; i < pp->len; i++)
251 snprintf(&(pp->phrase)[i << 1], 3, "%02x", (int)phrase[i]);
253 pp->phrase[(pp->len << 1) + 1] = '\0';
256 cipher_set_key(&encryption_key, encryption_keylen, text_key);
260 int verify_passphrase(conn_list_t *cl, unsigned char *his_pubkey)
264 unsigned char phrase[1000];
269 char which[sizeof("123.123.123.123")+1];
272 mpz_init_set_str(pk, his_pubkey, 36);
273 tmp = mpz_get_str(NULL, 16, pk);
274 keylen = str_hex_to_bin(key, tmp);
275 out = xmalloc((cl->pp->len >> 1) + 3);
276 pplen = str_hex_to_bin(phrase, cl->pp->phrase);
278 cipher_set_key(&bf_key, keylen, key);
279 low_crypt_key(phrase, out, &bf_key, pplen, BF_DECRYPT);
281 cipher_set_key(&encryption_key, encryption_keylen, text_key);
283 sprintf(which, IP_ADDR_S, IP_ADDR_V(cl->vpn_ip));
284 if((pplen = read_passphrase(which, &meuk)) < 0)
287 if(memcmp(meuk, out, pplen))
293 char *make_shared_key(char *pk)
298 mpz_init_set_str(tmp, pk, 36);
300 mpz_powm(res, tmp, my_private_key, shared_prime);
302 r = mpz_get_str(NULL, 36, res);
311 free a key after overwriting it
313 void free_key(enc_key_t *k)
320 memset(k->key, (char)(-1), k->length);
327 void recalculate_encryption_keys(void)
332 for(p = conn_list; p != NULL; p = p->next)
334 if(!p->public_key || !p->public_key->key)
335 /* We haven't received a key from this host (yet). */
337 ek = make_shared_key(p->public_key->key);
339 p->key = xmalloc(sizeof(*p->key));
340 p->key->length = strlen(ek);
341 p->key->expiry = p->public_key->expiry;
342 p->key->key = xmalloc(strlen(ek) + 1);
343 strcpy(p->key->key, ek);
348 void regenerate_keys(void)
351 generate_private_key();
352 calculate_public_key();
353 send_key_changed_all();
354 recalculate_encryption_keys();