===================================================================
RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/signify/signify.c,v
retrieving revision 1.69
retrieving revision 1.70
diff -c -r1.69 -r1.70
*** src/usr.bin/signify/signify.c	2014/03/17 15:19:06	1.69
--- src/usr.bin/signify/signify.c	2014/04/14 00:35:32	1.70
***************
*** 1,4 ****
! /* $OpenBSD: signify.c,v 1.69 2014/03/17 15:19:06 tedu Exp $ */
  /*
   * Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
   *
--- 1,4 ----
! /* $OpenBSD: signify.c,v 1.70 2014/04/14 00:35:32 tedu Exp $ */
  /*
   * Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
   *
***************
*** 248,254 ****
  }
  
  static void
! kdf(uint8_t *salt, size_t saltlen, int rounds, int allowstdin,
      uint8_t *key, size_t keylen)
  {
  	char pass[1024];
--- 248,254 ----
  }
  
  static void
! kdf(uint8_t *salt, size_t saltlen, int rounds, int allowstdin, int confirm,
      uint8_t *key, size_t keylen)
  {
  	char pass[1024];
***************
*** 265,270 ****
--- 265,279 ----
  		errx(1, "unable to read passphrase");
  	if (strlen(pass) == 0)
  		errx(1, "please provide a password");
+ 	if (confirm && !(rppflags & RPP_STDIN)) {
+ 		char pass2[1024];
+ 		if (!readpassphrase("confirm passphrase: ", pass2,
+ 		    sizeof(pass2), rppflags))
+ 			errx(1, "unable to read passphrase");
+ 		if (strcmp(pass, pass2) != 0)
+ 			errx(1, "passwords don't match");
+ 		explicit_bzero(pass2, sizeof(pass2));
+ 	}
  	if (bcrypt_pbkdf(pass, strlen(pass), salt, saltlen, key,
  	    keylen, rounds) == -1)
  		errx(1, "bcrypt pbkdf");
***************
*** 309,315 ****
  	enckey.kdfrounds = htonl(rounds);
  	memcpy(enckey.fingerprint, fingerprint, FPLEN);
  	arc4random_buf(enckey.salt, sizeof(enckey.salt));
! 	kdf(enckey.salt, sizeof(enckey.salt), rounds, 1, xorkey, sizeof(xorkey));
  	memcpy(enckey.checksum, digest, sizeof(enckey.checksum));
  	for (i = 0; i < sizeof(enckey.seckey); i++)
  		enckey.seckey[i] ^= xorkey[i];
--- 318,324 ----
  	enckey.kdfrounds = htonl(rounds);
  	memcpy(enckey.fingerprint, fingerprint, FPLEN);
  	arc4random_buf(enckey.salt, sizeof(enckey.salt));
! 	kdf(enckey.salt, sizeof(enckey.salt), rounds, 1, 1, xorkey, sizeof(xorkey));
  	memcpy(enckey.checksum, digest, sizeof(enckey.checksum));
  	for (i = 0; i < sizeof(enckey.seckey); i++)
  		enckey.seckey[i] ^= xorkey[i];
***************
*** 353,359 ****
  		errx(1, "unsupported KDF");
  	rounds = ntohl(enckey.kdfrounds);
  	kdf(enckey.salt, sizeof(enckey.salt), rounds, strcmp(msgfile, "-") != 0,
! 	    xorkey, sizeof(xorkey));
  	for (i = 0; i < sizeof(enckey.seckey); i++)
  		enckey.seckey[i] ^= xorkey[i];
  	explicit_bzero(xorkey, sizeof(xorkey));
--- 362,368 ----
  		errx(1, "unsupported KDF");
  	rounds = ntohl(enckey.kdfrounds);
  	kdf(enckey.salt, sizeof(enckey.salt), rounds, strcmp(msgfile, "-") != 0,
! 	    0, xorkey, sizeof(xorkey));
  	for (i = 0; i < sizeof(enckey.seckey); i++)
  		enckey.seckey[i] ^= xorkey[i];
  	explicit_bzero(xorkey, sizeof(xorkey));