Annotation of src/usr.bin/signify/signify.c, Revision 1.26
1.26 ! tedu 1: /* $OpenBSD: signify.c,v 1.25 2014/01/10 04:36:58 tedu Exp $ */
1.1 tedu 2: /*
3: * Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
4: *
5: * Permission to use, copy, modify, and distribute this software for any
6: * purpose with or without fee is hereby granted, provided that the above
7: * copyright notice and this permission notice appear in all copies.
8: *
9: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16: */
17: #include <sys/stat.h>
18:
19: #include <netinet/in.h>
20: #include <resolv.h>
21:
22: #include <stdint.h>
23: #include <fcntl.h>
24: #include <string.h>
25: #include <stdio.h>
26: #include <err.h>
27: #include <unistd.h>
28: #include <readpassphrase.h>
29: #include <util.h>
30: #include <sha2.h>
31:
32: #include "crypto_api.h"
33:
34: #define SIGBYTES crypto_sign_ed25519_BYTES
35: #define SECRETBYTES crypto_sign_ed25519_SECRETKEYBYTES
36: #define PUBLICBYTES crypto_sign_ed25519_PUBLICKEYBYTES
37:
38: #define PKALG "Ed"
39: #define KDFALG "BK"
1.13 tedu 40: #define FPLEN 8
41:
1.18 tedu 42: #define COMMENTHDR "untrusted comment: "
43: #define COMMENTHDRLEN 19
44: #define COMMENTMAXLEN 1024
1.1 tedu 45:
46: struct enckey {
47: uint8_t pkalg[2];
48: uint8_t kdfalg[2];
49: uint32_t kdfrounds;
50: uint8_t salt[16];
51: uint8_t checksum[8];
1.13 tedu 52: uint8_t fingerprint[FPLEN];
1.1 tedu 53: uint8_t seckey[SECRETBYTES];
54: };
55:
56: struct pubkey {
57: uint8_t pkalg[2];
1.13 tedu 58: uint8_t fingerprint[FPLEN];
1.1 tedu 59: uint8_t pubkey[PUBLICBYTES];
60: };
61:
62: struct sig {
63: uint8_t pkalg[2];
1.13 tedu 64: uint8_t fingerprint[FPLEN];
1.1 tedu 65: uint8_t sig[SIGBYTES];
66: };
67:
68: extern char *__progname;
69:
70: static void
71: usage(void)
72: {
1.9 espie 73: fprintf(stderr, "usage:"
1.15 espie 74: #ifndef VERIFYONLY
1.25 tedu 75: "\t%1$s -G [-n] -p pubkey -s seckey\n"
76: "\t%1$s -I [-o sigfile] [-p pubkey] [-s seckey]\n"
77: "\t%1$s -S [-e] [-o sigfile] -s seckey message\n"
1.15 espie 78: #endif
1.25 tedu 79: "\t%1$s -V [-e] [-o sigfile] -p pubkey message\n",
1.15 espie 80: __progname);
1.1 tedu 81: exit(1);
82: }
83:
84: static int
85: xopen(const char *fname, int flags, mode_t mode)
86: {
87: int fd;
88:
89: fd = open(fname, flags, mode);
90: if (fd == -1)
91: err(1, "open %s", fname);
92: return fd;
93: }
94:
95: static void *
96: xmalloc(size_t len)
97: {
98: void *p;
99:
100: p = malloc(len);
101: if (!p)
102: err(1, "malloc %zu", len);
103: return p;
104: }
105:
106: static void
1.7 espie 107: readall(int fd, void *buf, size_t len, const char *filename)
1.1 tedu 108: {
1.11 tedu 109: ssize_t x;
110:
111: x = read(fd, buf, len);
1.7 espie 112: if (x == -1) {
113: err(1, "read from %s", filename);
114: } else if (x != len) {
115: errx(1, "short read from %s", filename);
116: }
1.1 tedu 117: }
118:
1.16 tedu 119: static size_t
1.18 tedu 120: parseb64file(const char *filename, char *b64, void *buf, size_t len,
121: char *comment)
1.16 tedu 122: {
123: int rv;
124: char *commentend, *b64end;
125:
126: commentend = strchr(b64, '\n');
127: if (!commentend || commentend - b64 <= COMMENTHDRLEN ||
128: memcmp(b64, COMMENTHDR, COMMENTHDRLEN))
129: errx(1, "invalid comment in %s; must start with '%s'",
130: filename, COMMENTHDR);
1.18 tedu 131: *commentend = 0;
132: if (comment)
133: strlcpy(comment, b64 + COMMENTHDRLEN, COMMENTMAXLEN);
1.16 tedu 134: b64end = strchr(commentend + 1, '\n');
135: if (!b64end)
136: errx(1, "missing new line after b64 in %s", filename);
137: *b64end = 0;
138: rv = b64_pton(commentend + 1, buf, len);
139: if (rv != len)
140: errx(1, "invalid b64 encoding in %s", filename);
141: if (memcmp(buf, PKALG, 2))
142: errx(1, "unsupported file %s", filename);
143: return b64end - b64 + 1;
144: }
145:
1.1 tedu 146: static void
1.18 tedu 147: readb64file(const char *filename, void *buf, size_t len, char *comment)
1.1 tedu 148: {
149: char b64[2048];
1.10 tedu 150: int rv, fd;
1.1 tedu 151:
152: fd = xopen(filename, O_RDONLY | O_NOFOLLOW, 0);
153: memset(b64, 0, sizeof(b64));
154: rv = read(fd, b64, sizeof(b64) - 1);
155: if (rv == -1)
1.7 espie 156: err(1, "read from %s", filename);
1.18 tedu 157: parseb64file(filename, b64, buf, len, comment);
1.1 tedu 158: memset(b64, 0, sizeof(b64));
159: close(fd);
160: }
161:
162: uint8_t *
163: readmsg(const char *filename, unsigned long long *msglenp)
164: {
165: unsigned long long msglen;
166: uint8_t *msg;
167: struct stat sb;
168: int fd;
169:
170: fd = xopen(filename, O_RDONLY | O_NOFOLLOW, 0);
171: fstat(fd, &sb);
172: msglen = sb.st_size;
173: if (msglen > (1UL << 30))
174: errx(1, "msg too large in %s", filename);
175: msg = xmalloc(msglen);
1.7 espie 176: readall(fd, msg, msglen, filename);
1.1 tedu 177: close(fd);
178:
179: *msglenp = msglen;
180: return msg;
181: }
182:
183: static void
1.7 espie 184: writeall(int fd, const void *buf, size_t len, const char *filename)
1.1 tedu 185: {
1.11 tedu 186: ssize_t x;
187:
188: x = write(fd, buf, len);
1.7 espie 189: if (x == -1) {
190: err(1, "write to %s", filename);
191: } else if (x != len) {
192: errx(1, "short write to %s", filename);
193: }
1.1 tedu 194: }
195:
1.17 deraadt 196: #ifndef VERIFYONLY
1.1 tedu 197: static void
1.16 tedu 198: appendall(const char *filename, const void *buf, size_t len)
199: {
200: int fd;
201:
202: fd = xopen(filename, O_NOFOLLOW | O_RDWR | O_APPEND, 0);
203: writeall(fd, buf, len, filename);
204: close(fd);
205: }
206:
207: static void
1.1 tedu 208: writeb64file(const char *filename, const char *comment, const void *buf,
1.20 espie 209: size_t len, int flags, mode_t mode)
1.1 tedu 210: {
211: char header[1024];
212: char b64[1024];
213: int fd, rv;
214:
1.20 espie 215: fd = xopen(filename, O_CREAT|flags|O_NOFOLLOW|O_RDWR, mode);
1.18 tedu 216: snprintf(header, sizeof(header), "%ssignify %s\n", COMMENTHDR,
1.13 tedu 217: comment);
1.7 espie 218: writeall(fd, header, strlen(header), filename);
1.8 espie 219: if ((rv = b64_ntop(buf, len, b64, sizeof(b64)-1)) == -1)
1.1 tedu 220: errx(1, "b64 encode failed");
1.8 espie 221: b64[rv++] = '\n';
1.7 espie 222: writeall(fd, b64, rv, filename);
1.1 tedu 223: memset(b64, 0, sizeof(b64));
224: close(fd);
225: }
226:
227: static void
228: kdf(uint8_t *salt, size_t saltlen, int rounds, uint8_t *key, size_t keylen)
229: {
230: char pass[1024];
231:
232: if (rounds == 0) {
233: memset(key, 0, keylen);
234: return;
235: }
236:
237: if (!readpassphrase("passphrase: ", pass, sizeof(pass), 0))
238: errx(1, "readpassphrase");
239: if (bcrypt_pbkdf(pass, strlen(pass), salt, saltlen, key,
240: keylen, rounds) == -1)
241: errx(1, "bcrypt pbkdf");
242: memset(pass, 0, sizeof(pass));
243: }
244:
245: static void
246: signmsg(uint8_t *seckey, uint8_t *msg, unsigned long long msglen,
247: uint8_t *sig)
248: {
249: unsigned long long siglen;
250: uint8_t *sigbuf;
251:
252: sigbuf = xmalloc(msglen + SIGBYTES);
253: crypto_sign_ed25519(sigbuf, &siglen, msg, msglen, seckey);
254: memcpy(sig, sigbuf, SIGBYTES);
255: free(sigbuf);
256: }
257:
258: static void
259: generate(const char *pubkeyfile, const char *seckeyfile, int rounds)
260: {
261: uint8_t digest[SHA512_DIGEST_LENGTH];
262: struct pubkey pubkey;
263: struct enckey enckey;
264: uint8_t xorkey[sizeof(enckey.seckey)];
1.13 tedu 265: uint8_t fingerprint[FPLEN];
1.1 tedu 266: SHA2_CTX ctx;
267: int i;
268:
269: crypto_sign_ed25519_keypair(pubkey.pubkey, enckey.seckey);
1.13 tedu 270: arc4random_buf(fingerprint, sizeof(fingerprint));
1.1 tedu 271:
272: SHA512Init(&ctx);
273: SHA512Update(&ctx, enckey.seckey, sizeof(enckey.seckey));
274: SHA512Final(digest, &ctx);
275:
276: memcpy(enckey.pkalg, PKALG, 2);
277: memcpy(enckey.kdfalg, KDFALG, 2);
278: enckey.kdfrounds = htonl(rounds);
1.13 tedu 279: memcpy(enckey.fingerprint, fingerprint, FPLEN);
1.1 tedu 280: arc4random_buf(enckey.salt, sizeof(enckey.salt));
281: kdf(enckey.salt, sizeof(enckey.salt), rounds, xorkey, sizeof(xorkey));
282: memcpy(enckey.checksum, digest, sizeof(enckey.checksum));
283: for (i = 0; i < sizeof(enckey.seckey); i++)
284: enckey.seckey[i] ^= xorkey[i];
285: memset(digest, 0, sizeof(digest));
286: memset(xorkey, 0, sizeof(xorkey));
287:
288: writeb64file(seckeyfile, "secret key", &enckey,
1.20 espie 289: sizeof(enckey), O_EXCL, 0600);
1.1 tedu 290: memset(&enckey, 0, sizeof(enckey));
291:
292: memcpy(pubkey.pkalg, PKALG, 2);
1.13 tedu 293: memcpy(pubkey.fingerprint, fingerprint, FPLEN);
1.1 tedu 294: writeb64file(pubkeyfile, "public key", &pubkey,
1.20 espie 295: sizeof(pubkey), O_EXCL, 0666);
1.1 tedu 296: }
297:
298: static void
1.16 tedu 299: sign(const char *seckeyfile, const char *msgfile, const char *sigfile,
300: int embedded)
1.1 tedu 301: {
302: struct sig sig;
303: uint8_t digest[SHA512_DIGEST_LENGTH];
304: struct enckey enckey;
305: uint8_t xorkey[sizeof(enckey.seckey)];
306: uint8_t *msg;
1.18 tedu 307: char comment[COMMENTMAXLEN], sigcomment[1024];
1.1 tedu 308: unsigned long long msglen;
309: int i, rounds;
310: SHA2_CTX ctx;
311:
1.18 tedu 312: readb64file(seckeyfile, &enckey, sizeof(enckey), comment);
1.1 tedu 313:
314: if (memcmp(enckey.kdfalg, KDFALG, 2))
315: errx(1, "unsupported KDF");
316: rounds = ntohl(enckey.kdfrounds);
317: kdf(enckey.salt, sizeof(enckey.salt), rounds, xorkey, sizeof(xorkey));
318: for (i = 0; i < sizeof(enckey.seckey); i++)
319: enckey.seckey[i] ^= xorkey[i];
320: memset(xorkey, 0, sizeof(xorkey));
321: SHA512Init(&ctx);
322: SHA512Update(&ctx, enckey.seckey, sizeof(enckey.seckey));
323: SHA512Final(digest, &ctx);
324: if (memcmp(enckey.checksum, digest, sizeof(enckey.checksum)))
325: errx(1, "incorrect passphrase");
326: memset(digest, 0, sizeof(digest));
327:
1.16 tedu 328: msg = readmsg(msgfile, &msglen);
1.1 tedu 329:
330: signmsg(enckey.seckey, msg, msglen, sig.sig);
1.13 tedu 331: memcpy(sig.fingerprint, enckey.fingerprint, FPLEN);
1.1 tedu 332: memset(&enckey, 0, sizeof(enckey));
333:
334: memcpy(sig.pkalg, PKALG, 2);
1.18 tedu 335: snprintf(sigcomment, sizeof(sigcomment), "signature from %s", comment);
1.20 espie 336: writeb64file(sigfile, sigcomment, &sig, sizeof(sig), O_TRUNC, 0666);
1.16 tedu 337: if (embedded)
338: appendall(sigfile, msg, msglen);
1.1 tedu 339:
340: free(msg);
341: }
1.22 tedu 342:
343: static void
344: inspect(const char *seckeyfile, const char *pubkeyfile, const char *sigfile)
345: {
346: struct sig sig;
347: struct enckey enckey;
348: struct pubkey pubkey;
349: char fp[(FPLEN + 2) / 3 * 4 + 1];
350:
351: if (seckeyfile) {
352: readb64file(seckeyfile, &enckey, sizeof(enckey), NULL);
353: b64_ntop(enckey.fingerprint, FPLEN, fp, sizeof(fp));
354: printf("sec fp: %s\n", fp);
355: }
356: if (pubkeyfile) {
357: readb64file(pubkeyfile, &pubkey, sizeof(pubkey), NULL);
358: b64_ntop(pubkey.fingerprint, FPLEN, fp, sizeof(fp));
359: printf("pub fp: %s\n", fp);
360: }
361: if (sigfile) {
362: readb64file(sigfile, &sig, sizeof(sig), NULL);
363: b64_ntop(sig.fingerprint, FPLEN, fp, sizeof(fp));
364: printf("sig fp: %s\n", fp);
365: }
366: }
1.14 tedu 367: #endif
1.1 tedu 368:
369: static void
1.13 tedu 370: verifymsg(uint8_t *pubkey, uint8_t *msg, unsigned long long msglen,
371: uint8_t *sig)
372: {
373: uint8_t *sigbuf, *dummybuf;
374: unsigned long long siglen, dummylen;
375:
376: siglen = SIGBYTES + msglen;
377: sigbuf = xmalloc(siglen);
378: dummybuf = xmalloc(siglen);
379: memcpy(sigbuf, sig, SIGBYTES);
380: memcpy(sigbuf + SIGBYTES, msg, msglen);
381: if (crypto_sign_ed25519_open(dummybuf, &dummylen, sigbuf, siglen,
382: pubkey) == -1)
383: errx(1, "signature verification failed");
384: free(sigbuf);
385: free(dummybuf);
386: }
387:
388:
389: static void
1.16 tedu 390: verify(const char *pubkeyfile, const char *msgfile, const char *sigfile,
391: int embedded)
1.1 tedu 392: {
393: struct sig sig;
394: struct pubkey pubkey;
1.16 tedu 395: unsigned long long msglen, siglen = 0;
1.1 tedu 396: uint8_t *msg;
1.16 tedu 397: int fd;
398:
399: msg = readmsg(embedded ? sigfile : msgfile, &msglen);
1.1 tedu 400:
1.18 tedu 401: readb64file(pubkeyfile, &pubkey, sizeof(pubkey), NULL);
1.16 tedu 402: if (embedded) {
1.18 tedu 403: siglen = parseb64file(sigfile, msg, &sig, sizeof(sig), NULL);
1.16 tedu 404: msg += siglen;
405: msglen -= siglen;
406: } else {
1.18 tedu 407: readb64file(sigfile, &sig, sizeof(sig), NULL);
1.16 tedu 408: }
1.13 tedu 409:
1.22 tedu 410: if (memcmp(pubkey.fingerprint, sig.fingerprint, FPLEN)) {
411: #ifndef VERIFYONLY
412: inspect(NULL, pubkeyfile, sigfile);
413: #endif
1.13 tedu 414: errx(1, "verification failed: checked against wrong key");
1.22 tedu 415: }
1.1 tedu 416:
1.16 tedu 417: verifymsg(pubkey.pubkey, msg, msglen, sig.sig);
418: if (embedded) {
1.19 tedu 419: fd = xopen(msgfile, O_CREAT|O_TRUNC|O_NOFOLLOW|O_RDWR, 0666);
1.16 tedu 420: writeall(fd, msg, msglen, msgfile);
421: close(fd);
422: }
1.1 tedu 423:
1.16 tedu 424: free(msg - siglen);
1.1 tedu 425: }
426:
427: int
428: main(int argc, char **argv)
429: {
1.16 tedu 430: const char *pubkeyfile = NULL, *seckeyfile = NULL, *msgfile = NULL,
1.1 tedu 431: *sigfile = NULL;
432: char sigfilebuf[1024];
433: int ch, rounds;
1.16 tedu 434: int embedded = 0;
1.6 tedu 435: enum {
436: NONE,
437: GENERATE,
1.22 tedu 438: INSPECT,
1.6 tedu 439: SIGN,
440: VERIFY
441: } verb = NONE;
442:
1.1 tedu 443:
444: rounds = 42;
445:
1.22 tedu 446: while ((ch = getopt(argc, argv, "GISVeno:p:s:")) != -1) {
1.1 tedu 447: switch (ch) {
1.14 tedu 448: #ifndef VERIFYONLY
1.6 tedu 449: case 'G':
450: if (verb)
451: usage();
452: verb = GENERATE;
453: break;
1.22 tedu 454: case 'I':
455: if (verb)
456: usage();
457: verb = INSPECT;
458: break;
1.6 tedu 459: case 'S':
460: if (verb)
461: usage();
462: verb = SIGN;
463: break;
1.14 tedu 464: #endif
1.6 tedu 465: case 'V':
466: if (verb)
467: usage();
468: verb = VERIFY;
469: break;
1.16 tedu 470: case 'e':
471: embedded = 1;
472: break;
1.6 tedu 473: case 'n':
1.1 tedu 474: rounds = 0;
475: break;
1.6 tedu 476: case 'o':
1.1 tedu 477: sigfile = optarg;
478: break;
1.6 tedu 479: case 'p':
1.1 tedu 480: pubkeyfile = optarg;
481: break;
1.6 tedu 482: case 's':
1.1 tedu 483: seckeyfile = optarg;
484: break;
485: default:
486: usage();
487: break;
488: }
489: }
1.2 tedu 490: argc -= optind;
1.9 espie 491: argv += optind;
492:
1.15 espie 493: #ifdef VERIFYONLY
494: if (verb != VERIFY)
495: #else
1.9 espie 496: if (verb == NONE)
1.15 espie 497: #endif
1.1 tedu 498: usage();
499:
1.14 tedu 500: #ifndef VERIFYONLY
1.6 tedu 501: if (verb == GENERATE) {
1.9 espie 502: if (!pubkeyfile || !seckeyfile || argc != 0)
1.1 tedu 503: usage();
504: generate(pubkeyfile, seckeyfile, rounds);
1.22 tedu 505: } else if (verb == INSPECT) {
506: if (argc != 0)
507: usage();
508: inspect(seckeyfile, pubkeyfile, sigfile);
1.14 tedu 509: } else
510: #endif
511: {
1.9 espie 512: if (argc != 1)
1.1 tedu 513: usage();
1.9 espie 514:
1.16 tedu 515: msgfile = argv[0];
1.9 espie 516:
517: if (!sigfile) {
518: if (snprintf(sigfilebuf, sizeof(sigfilebuf), "%s.sig",
1.16 tedu 519: msgfile) >= sizeof(sigfilebuf))
1.9 espie 520: errx(1, "path too long");
521: sigfile = sigfilebuf;
522: }
1.14 tedu 523: #ifndef VERIFYONLY
1.9 espie 524: if (verb == SIGN) {
525: if (!seckeyfile)
526: usage();
1.16 tedu 527: sign(seckeyfile, msgfile, sigfile, embedded);
1.14 tedu 528: } else
529: #endif
530: if (verb == VERIFY) {
1.9 espie 531: if (!pubkeyfile)
532: usage();
1.16 tedu 533: verify(pubkeyfile, msgfile, sigfile, embedded);
1.9 espie 534: }
1.1 tedu 535: }
1.9 espie 536:
1.1 tedu 537: return 0;
538: }