Annotation of src/usr.bin/signify/signify.c, Revision 1.16
1.16 ! tedu 1: /* $OpenBSD: signify.c,v 1.15 2014/01/08 07:04:29 espie Exp $ */
1.1 tedu 2: /*
3: * Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
4: *
5: * Permission to use, copy, modify, and distribute this software for any
6: * purpose with or without fee is hereby granted, provided that the above
7: * copyright notice and this permission notice appear in all copies.
8: *
9: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16: */
17: #include <sys/stat.h>
18:
19: #include <netinet/in.h>
20: #include <resolv.h>
21:
22: #include <stdint.h>
23: #include <fcntl.h>
24: #include <string.h>
25: #include <stdio.h>
26: #include <err.h>
27: #include <unistd.h>
28: #include <readpassphrase.h>
29: #include <util.h>
30: #include <sha2.h>
31:
32: #include "crypto_api.h"
33:
34: #define SIGBYTES crypto_sign_ed25519_BYTES
35: #define SECRETBYTES crypto_sign_ed25519_SECRETKEYBYTES
36: #define PUBLICBYTES crypto_sign_ed25519_PUBLICKEYBYTES
37:
38: #define PKALG "Ed"
39: #define KDFALG "BK"
1.13 tedu 40: #define FPLEN 8
41:
42: #define COMMENTHDR "untrusted comment:"
43: #define COMMENTHDRLEN 18
1.1 tedu 44:
45: struct enckey {
46: uint8_t pkalg[2];
47: uint8_t kdfalg[2];
48: uint32_t kdfrounds;
49: uint8_t salt[16];
50: uint8_t checksum[8];
1.13 tedu 51: uint8_t fingerprint[FPLEN];
1.1 tedu 52: uint8_t seckey[SECRETBYTES];
53: };
54:
55: struct pubkey {
56: uint8_t pkalg[2];
1.13 tedu 57: uint8_t fingerprint[FPLEN];
1.1 tedu 58: uint8_t pubkey[PUBLICBYTES];
59: };
60:
61: struct sig {
62: uint8_t pkalg[2];
1.13 tedu 63: uint8_t fingerprint[FPLEN];
1.1 tedu 64: uint8_t sig[SIGBYTES];
65: };
66:
67: extern char *__progname;
68:
69: static void
70: usage(void)
71: {
1.9 espie 72: fprintf(stderr, "usage:"
1.15 espie 73: #ifndef VERIFYONLY
1.9 espie 74: "\t%s [-n] -p pubkey -s seckey -G\n"
1.16 ! tedu 75: "\t%s [-e] [-o output] -s seckey -S input\n"
1.15 espie 76: #endif
1.16 ! tedu 77: "\t%s [-e] [-o output] -p pubkey -V input\n",
1.15 espie 78: #ifndef VERIFYONLY
79: __progname, __progname,
80: #endif
81: __progname);
1.1 tedu 82: exit(1);
83: }
84:
85: static int
86: xopen(const char *fname, int flags, mode_t mode)
87: {
88: int fd;
89:
90: fd = open(fname, flags, mode);
91: if (fd == -1)
92: err(1, "open %s", fname);
93: return fd;
94: }
95:
96: static void *
97: xmalloc(size_t len)
98: {
99: void *p;
100:
101: p = malloc(len);
102: if (!p)
103: err(1, "malloc %zu", len);
104: return p;
105: }
106:
107: static void
1.7 espie 108: readall(int fd, void *buf, size_t len, const char *filename)
1.1 tedu 109: {
1.11 tedu 110: ssize_t x;
111:
112: x = read(fd, buf, len);
1.7 espie 113: if (x == -1) {
114: err(1, "read from %s", filename);
115: } else if (x != len) {
116: errx(1, "short read from %s", filename);
117: }
1.1 tedu 118: }
119:
1.16 ! tedu 120: static size_t
! 121: parseb64file(const char *filename, char *b64, void *buf, size_t len)
! 122: {
! 123: int rv;
! 124: char *commentend, *b64end;
! 125:
! 126: commentend = strchr(b64, '\n');
! 127: if (!commentend || commentend - b64 <= COMMENTHDRLEN ||
! 128: memcmp(b64, COMMENTHDR, COMMENTHDRLEN))
! 129: errx(1, "invalid comment in %s; must start with '%s'",
! 130: filename, COMMENTHDR);
! 131: b64end = strchr(commentend + 1, '\n');
! 132: if (!b64end)
! 133: errx(1, "missing new line after b64 in %s", filename);
! 134: *b64end = 0;
! 135: rv = b64_pton(commentend + 1, buf, len);
! 136: if (rv != len)
! 137: errx(1, "invalid b64 encoding in %s", filename);
! 138: if (memcmp(buf, PKALG, 2))
! 139: errx(1, "unsupported file %s", filename);
! 140: return b64end - b64 + 1;
! 141: }
! 142:
1.1 tedu 143: static void
144: readb64file(const char *filename, void *buf, size_t len)
145: {
146: char b64[2048];
1.10 tedu 147: int rv, fd;
1.1 tedu 148:
149: fd = xopen(filename, O_RDONLY | O_NOFOLLOW, 0);
150: memset(b64, 0, sizeof(b64));
151: rv = read(fd, b64, sizeof(b64) - 1);
152: if (rv == -1)
1.7 espie 153: err(1, "read from %s", filename);
1.16 ! tedu 154: parseb64file(filename, b64, buf, len);
1.1 tedu 155: memset(b64, 0, sizeof(b64));
156: close(fd);
157: }
158:
159: uint8_t *
160: readmsg(const char *filename, unsigned long long *msglenp)
161: {
162: unsigned long long msglen;
163: uint8_t *msg;
164: struct stat sb;
165: int fd;
166:
167: fd = xopen(filename, O_RDONLY | O_NOFOLLOW, 0);
168: fstat(fd, &sb);
169: msglen = sb.st_size;
170: if (msglen > (1UL << 30))
171: errx(1, "msg too large in %s", filename);
172: msg = xmalloc(msglen);
1.7 espie 173: readall(fd, msg, msglen, filename);
1.1 tedu 174: close(fd);
175:
176: *msglenp = msglen;
177: return msg;
178: }
179:
1.14 tedu 180: #ifndef VERIFYONLY
1.1 tedu 181: static void
1.7 espie 182: writeall(int fd, const void *buf, size_t len, const char *filename)
1.1 tedu 183: {
1.11 tedu 184: ssize_t x;
185:
186: x = write(fd, buf, len);
1.7 espie 187: if (x == -1) {
188: err(1, "write to %s", filename);
189: } else if (x != len) {
190: errx(1, "short write to %s", filename);
191: }
1.1 tedu 192: }
193:
194: static void
1.16 ! tedu 195: appendall(const char *filename, const void *buf, size_t len)
! 196: {
! 197: int fd;
! 198:
! 199: fd = xopen(filename, O_NOFOLLOW | O_RDWR | O_APPEND, 0);
! 200: writeall(fd, buf, len, filename);
! 201: close(fd);
! 202: }
! 203:
! 204: static void
1.1 tedu 205: writeb64file(const char *filename, const char *comment, const void *buf,
206: size_t len, mode_t mode)
207: {
208: char header[1024];
209: char b64[1024];
210: int fd, rv;
211:
212: fd = xopen(filename, O_CREAT|O_EXCL|O_NOFOLLOW|O_RDWR, mode);
1.13 tedu 213: snprintf(header, sizeof(header), "%s signify %s\n", COMMENTHDR,
214: comment);
1.7 espie 215: writeall(fd, header, strlen(header), filename);
1.8 espie 216: if ((rv = b64_ntop(buf, len, b64, sizeof(b64)-1)) == -1)
1.1 tedu 217: errx(1, "b64 encode failed");
1.8 espie 218: b64[rv++] = '\n';
1.7 espie 219: writeall(fd, b64, rv, filename);
1.1 tedu 220: memset(b64, 0, sizeof(b64));
221: close(fd);
222: }
223:
224: static void
225: kdf(uint8_t *salt, size_t saltlen, int rounds, uint8_t *key, size_t keylen)
226: {
227: char pass[1024];
228:
229: if (rounds == 0) {
230: memset(key, 0, keylen);
231: return;
232: }
233:
234: if (!readpassphrase("passphrase: ", pass, sizeof(pass), 0))
235: errx(1, "readpassphrase");
236: if (bcrypt_pbkdf(pass, strlen(pass), salt, saltlen, key,
237: keylen, rounds) == -1)
238: errx(1, "bcrypt pbkdf");
239: memset(pass, 0, sizeof(pass));
240: }
241:
242: static void
243: signmsg(uint8_t *seckey, uint8_t *msg, unsigned long long msglen,
244: uint8_t *sig)
245: {
246: unsigned long long siglen;
247: uint8_t *sigbuf;
248:
249: sigbuf = xmalloc(msglen + SIGBYTES);
250: crypto_sign_ed25519(sigbuf, &siglen, msg, msglen, seckey);
251: memcpy(sig, sigbuf, SIGBYTES);
252: free(sigbuf);
253: }
254:
255: static void
256: generate(const char *pubkeyfile, const char *seckeyfile, int rounds)
257: {
258: uint8_t digest[SHA512_DIGEST_LENGTH];
259: struct pubkey pubkey;
260: struct enckey enckey;
261: uint8_t xorkey[sizeof(enckey.seckey)];
1.13 tedu 262: uint8_t fingerprint[FPLEN];
1.1 tedu 263: SHA2_CTX ctx;
264: int i;
265:
266: crypto_sign_ed25519_keypair(pubkey.pubkey, enckey.seckey);
1.13 tedu 267: arc4random_buf(fingerprint, sizeof(fingerprint));
1.1 tedu 268:
269: SHA512Init(&ctx);
270: SHA512Update(&ctx, enckey.seckey, sizeof(enckey.seckey));
271: SHA512Final(digest, &ctx);
272:
273: memcpy(enckey.pkalg, PKALG, 2);
274: memcpy(enckey.kdfalg, KDFALG, 2);
275: enckey.kdfrounds = htonl(rounds);
1.13 tedu 276: memcpy(enckey.fingerprint, fingerprint, FPLEN);
1.1 tedu 277: arc4random_buf(enckey.salt, sizeof(enckey.salt));
278: kdf(enckey.salt, sizeof(enckey.salt), rounds, xorkey, sizeof(xorkey));
279: memcpy(enckey.checksum, digest, sizeof(enckey.checksum));
280: for (i = 0; i < sizeof(enckey.seckey); i++)
281: enckey.seckey[i] ^= xorkey[i];
282: memset(digest, 0, sizeof(digest));
283: memset(xorkey, 0, sizeof(xorkey));
284:
285: writeb64file(seckeyfile, "secret key", &enckey,
286: sizeof(enckey), 0600);
287: memset(&enckey, 0, sizeof(enckey));
288:
289: memcpy(pubkey.pkalg, PKALG, 2);
1.13 tedu 290: memcpy(pubkey.fingerprint, fingerprint, FPLEN);
1.1 tedu 291: writeb64file(pubkeyfile, "public key", &pubkey,
292: sizeof(pubkey), 0666);
293: }
294:
295: static void
1.16 ! tedu 296: sign(const char *seckeyfile, const char *msgfile, const char *sigfile,
! 297: int embedded)
1.1 tedu 298: {
299: struct sig sig;
300: uint8_t digest[SHA512_DIGEST_LENGTH];
301: struct enckey enckey;
302: uint8_t xorkey[sizeof(enckey.seckey)];
303: uint8_t *msg;
304: unsigned long long msglen;
305: int i, rounds;
306: SHA2_CTX ctx;
307:
308: readb64file(seckeyfile, &enckey, sizeof(enckey));
309:
310: if (memcmp(enckey.kdfalg, KDFALG, 2))
311: errx(1, "unsupported KDF");
312: rounds = ntohl(enckey.kdfrounds);
313: kdf(enckey.salt, sizeof(enckey.salt), rounds, xorkey, sizeof(xorkey));
314: for (i = 0; i < sizeof(enckey.seckey); i++)
315: enckey.seckey[i] ^= xorkey[i];
316: memset(xorkey, 0, sizeof(xorkey));
317: SHA512Init(&ctx);
318: SHA512Update(&ctx, enckey.seckey, sizeof(enckey.seckey));
319: SHA512Final(digest, &ctx);
320: if (memcmp(enckey.checksum, digest, sizeof(enckey.checksum)))
321: errx(1, "incorrect passphrase");
322: memset(digest, 0, sizeof(digest));
323:
1.16 ! tedu 324: msg = readmsg(msgfile, &msglen);
1.1 tedu 325:
326: signmsg(enckey.seckey, msg, msglen, sig.sig);
1.13 tedu 327: memcpy(sig.fingerprint, enckey.fingerprint, FPLEN);
1.1 tedu 328: memset(&enckey, 0, sizeof(enckey));
329:
330: memcpy(sig.pkalg, PKALG, 2);
331: writeb64file(sigfile, "signature", &sig, sizeof(sig), 0666);
1.16 ! tedu 332: if (embedded)
! 333: appendall(sigfile, msg, msglen);
1.1 tedu 334:
335: free(msg);
336: }
1.14 tedu 337: #endif
1.1 tedu 338:
339: static void
1.13 tedu 340: verifymsg(uint8_t *pubkey, uint8_t *msg, unsigned long long msglen,
341: uint8_t *sig)
342: {
343: uint8_t *sigbuf, *dummybuf;
344: unsigned long long siglen, dummylen;
345:
346: siglen = SIGBYTES + msglen;
347: sigbuf = xmalloc(siglen);
348: dummybuf = xmalloc(siglen);
349: memcpy(sigbuf, sig, SIGBYTES);
350: memcpy(sigbuf + SIGBYTES, msg, msglen);
351: if (crypto_sign_ed25519_open(dummybuf, &dummylen, sigbuf, siglen,
352: pubkey) == -1)
353: errx(1, "signature verification failed");
354: free(sigbuf);
355: free(dummybuf);
356: }
357:
358:
359: static void
1.16 ! tedu 360: verify(const char *pubkeyfile, const char *msgfile, const char *sigfile,
! 361: int embedded)
1.1 tedu 362: {
363: struct sig sig;
364: struct pubkey pubkey;
1.16 ! tedu 365: unsigned long long msglen, siglen = 0;
1.1 tedu 366: uint8_t *msg;
1.16 ! tedu 367: int fd;
! 368:
! 369: msg = readmsg(embedded ? sigfile : msgfile, &msglen);
1.1 tedu 370:
371: readb64file(pubkeyfile, &pubkey, sizeof(pubkey));
1.16 ! tedu 372: if (embedded) {
! 373: siglen = parseb64file(sigfile, msg, &sig, sizeof(sig));
! 374: msg += siglen;
! 375: msglen -= siglen;
! 376: } else {
! 377: readb64file(sigfile, &sig, sizeof(sig));
! 378: }
1.13 tedu 379:
380: if (memcmp(pubkey.fingerprint, sig.fingerprint, FPLEN))
381: errx(1, "verification failed: checked against wrong key");
1.1 tedu 382:
1.16 ! tedu 383: verifymsg(pubkey.pubkey, msg, msglen, sig.sig);
! 384: if (embedded) {
! 385: fd = xopen(msgfile, O_CREAT|O_EXCL|O_NOFOLLOW|O_RDWR, 0666);
! 386: writeall(fd, msg, msglen, msgfile);
! 387: close(fd);
! 388: }
1.1 tedu 389:
390: printf("verified\n");
391:
1.16 ! tedu 392: free(msg - siglen);
1.1 tedu 393: }
394:
395: int
396: main(int argc, char **argv)
397: {
1.16 ! tedu 398: const char *pubkeyfile = NULL, *seckeyfile = NULL, *msgfile = NULL,
1.1 tedu 399: *sigfile = NULL;
400: char sigfilebuf[1024];
401: int ch, rounds;
1.16 ! tedu 402: int embedded = 0;
1.6 tedu 403: enum {
404: NONE,
405: GENERATE,
406: SIGN,
407: VERIFY
408: } verb = NONE;
409:
1.1 tedu 410:
411: rounds = 42;
412:
1.16 ! tedu 413: while ((ch = getopt(argc, argv, "GSVeno:p:s:")) != -1) {
1.1 tedu 414: switch (ch) {
1.14 tedu 415: #ifndef VERIFYONLY
1.6 tedu 416: case 'G':
417: if (verb)
418: usage();
419: verb = GENERATE;
420: break;
421: case 'S':
422: if (verb)
423: usage();
424: verb = SIGN;
425: break;
1.14 tedu 426: #endif
1.6 tedu 427: case 'V':
428: if (verb)
429: usage();
430: verb = VERIFY;
431: break;
1.16 ! tedu 432: case 'e':
! 433: embedded = 1;
! 434: break;
1.6 tedu 435: case 'n':
1.1 tedu 436: rounds = 0;
437: break;
1.6 tedu 438: case 'o':
1.1 tedu 439: sigfile = optarg;
440: break;
1.6 tedu 441: case 'p':
1.1 tedu 442: pubkeyfile = optarg;
443: break;
1.6 tedu 444: case 's':
1.1 tedu 445: seckeyfile = optarg;
446: break;
447: default:
448: usage();
449: break;
450: }
451: }
1.2 tedu 452: argc -= optind;
1.9 espie 453: argv += optind;
454:
1.15 espie 455: #ifdef VERIFYONLY
456: if (verb != VERIFY)
457: #else
1.9 espie 458: if (verb == NONE)
1.15 espie 459: #endif
1.1 tedu 460: usage();
461:
1.14 tedu 462: #ifndef VERIFYONLY
1.6 tedu 463: if (verb == GENERATE) {
1.9 espie 464: if (!pubkeyfile || !seckeyfile || argc != 0)
1.1 tedu 465: usage();
466: generate(pubkeyfile, seckeyfile, rounds);
1.14 tedu 467: } else
468: #endif
469: {
1.9 espie 470: if (argc != 1)
1.1 tedu 471: usage();
1.9 espie 472:
1.16 ! tedu 473: msgfile = argv[0];
1.9 espie 474:
475: if (!sigfile) {
476: if (snprintf(sigfilebuf, sizeof(sigfilebuf), "%s.sig",
1.16 ! tedu 477: msgfile) >= sizeof(sigfilebuf))
1.9 espie 478: errx(1, "path too long");
479: sigfile = sigfilebuf;
480: }
1.14 tedu 481: #ifndef VERIFYONLY
1.9 espie 482: if (verb == SIGN) {
483: if (!seckeyfile)
484: usage();
1.16 ! tedu 485: sign(seckeyfile, msgfile, sigfile, embedded);
1.14 tedu 486: } else
487: #endif
488: if (verb == VERIFY) {
1.9 espie 489: if (!pubkeyfile)
490: usage();
1.16 ! tedu 491: verify(pubkeyfile, msgfile, sigfile, embedded);
1.9 espie 492: }
1.1 tedu 493: }
1.9 espie 494:
1.1 tedu 495: return 0;
496: }