Annotation of src/usr.bin/signify/signify.c, Revision 1.27
1.27 ! tedu 1: /* $OpenBSD: signify.c,v 1.26 2014/01/10 04:49:35 tedu Exp $ */
1.1 tedu 2: /*
3: * Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
4: *
5: * Permission to use, copy, modify, and distribute this software for any
6: * purpose with or without fee is hereby granted, provided that the above
7: * copyright notice and this permission notice appear in all copies.
8: *
9: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16: */
17: #include <sys/stat.h>
18:
19: #include <netinet/in.h>
20: #include <resolv.h>
21:
22: #include <stdint.h>
23: #include <fcntl.h>
24: #include <string.h>
25: #include <stdio.h>
26: #include <err.h>
27: #include <unistd.h>
28: #include <readpassphrase.h>
29: #include <util.h>
30: #include <sha2.h>
31:
32: #include "crypto_api.h"
33:
34: #define SIGBYTES crypto_sign_ed25519_BYTES
35: #define SECRETBYTES crypto_sign_ed25519_SECRETKEYBYTES
36: #define PUBLICBYTES crypto_sign_ed25519_PUBLICKEYBYTES
37:
38: #define PKALG "Ed"
39: #define KDFALG "BK"
1.13 tedu 40: #define FPLEN 8
41:
1.18 tedu 42: #define COMMENTHDR "untrusted comment: "
43: #define COMMENTHDRLEN 19
44: #define COMMENTMAXLEN 1024
1.1 tedu 45:
46: struct enckey {
47: uint8_t pkalg[2];
48: uint8_t kdfalg[2];
49: uint32_t kdfrounds;
50: uint8_t salt[16];
51: uint8_t checksum[8];
1.13 tedu 52: uint8_t fingerprint[FPLEN];
1.1 tedu 53: uint8_t seckey[SECRETBYTES];
54: };
55:
56: struct pubkey {
57: uint8_t pkalg[2];
1.13 tedu 58: uint8_t fingerprint[FPLEN];
1.1 tedu 59: uint8_t pubkey[PUBLICBYTES];
60: };
61:
62: struct sig {
63: uint8_t pkalg[2];
1.13 tedu 64: uint8_t fingerprint[FPLEN];
1.1 tedu 65: uint8_t sig[SIGBYTES];
66: };
67:
68: extern char *__progname;
69:
70: static void
71: usage(void)
72: {
1.9 espie 73: fprintf(stderr, "usage:"
1.15 espie 74: #ifndef VERIFYONLY
1.27 ! tedu 75: "\t%1$s -G [-n] [-c comment] -p pubkey -s seckey\n"
1.25 tedu 76: "\t%1$s -I [-o sigfile] [-p pubkey] [-s seckey]\n"
77: "\t%1$s -S [-e] [-o sigfile] -s seckey message\n"
1.15 espie 78: #endif
1.25 tedu 79: "\t%1$s -V [-e] [-o sigfile] -p pubkey message\n",
1.15 espie 80: __progname);
1.1 tedu 81: exit(1);
82: }
83:
84: static int
85: xopen(const char *fname, int flags, mode_t mode)
86: {
87: int fd;
88:
89: fd = open(fname, flags, mode);
90: if (fd == -1)
91: err(1, "open %s", fname);
92: return fd;
93: }
94:
95: static void *
96: xmalloc(size_t len)
97: {
98: void *p;
99:
100: p = malloc(len);
101: if (!p)
102: err(1, "malloc %zu", len);
103: return p;
104: }
105:
106: static void
1.7 espie 107: readall(int fd, void *buf, size_t len, const char *filename)
1.1 tedu 108: {
1.11 tedu 109: ssize_t x;
110:
111: x = read(fd, buf, len);
1.7 espie 112: if (x == -1) {
113: err(1, "read from %s", filename);
114: } else if (x != len) {
115: errx(1, "short read from %s", filename);
116: }
1.1 tedu 117: }
118:
1.16 tedu 119: static size_t
1.18 tedu 120: parseb64file(const char *filename, char *b64, void *buf, size_t len,
121: char *comment)
1.16 tedu 122: {
123: int rv;
124: char *commentend, *b64end;
125:
126: commentend = strchr(b64, '\n');
127: if (!commentend || commentend - b64 <= COMMENTHDRLEN ||
128: memcmp(b64, COMMENTHDR, COMMENTHDRLEN))
129: errx(1, "invalid comment in %s; must start with '%s'",
130: filename, COMMENTHDR);
1.18 tedu 131: *commentend = 0;
132: if (comment)
133: strlcpy(comment, b64 + COMMENTHDRLEN, COMMENTMAXLEN);
1.16 tedu 134: b64end = strchr(commentend + 1, '\n');
135: if (!b64end)
136: errx(1, "missing new line after b64 in %s", filename);
137: *b64end = 0;
138: rv = b64_pton(commentend + 1, buf, len);
139: if (rv != len)
140: errx(1, "invalid b64 encoding in %s", filename);
141: if (memcmp(buf, PKALG, 2))
142: errx(1, "unsupported file %s", filename);
143: return b64end - b64 + 1;
144: }
145:
1.1 tedu 146: static void
1.18 tedu 147: readb64file(const char *filename, void *buf, size_t len, char *comment)
1.1 tedu 148: {
149: char b64[2048];
1.10 tedu 150: int rv, fd;
1.1 tedu 151:
152: fd = xopen(filename, O_RDONLY | O_NOFOLLOW, 0);
153: memset(b64, 0, sizeof(b64));
154: rv = read(fd, b64, sizeof(b64) - 1);
155: if (rv == -1)
1.7 espie 156: err(1, "read from %s", filename);
1.18 tedu 157: parseb64file(filename, b64, buf, len, comment);
1.1 tedu 158: memset(b64, 0, sizeof(b64));
159: close(fd);
160: }
161:
162: uint8_t *
163: readmsg(const char *filename, unsigned long long *msglenp)
164: {
165: unsigned long long msglen;
166: uint8_t *msg;
167: struct stat sb;
168: int fd;
169:
170: fd = xopen(filename, O_RDONLY | O_NOFOLLOW, 0);
171: fstat(fd, &sb);
172: msglen = sb.st_size;
173: if (msglen > (1UL << 30))
174: errx(1, "msg too large in %s", filename);
175: msg = xmalloc(msglen);
1.7 espie 176: readall(fd, msg, msglen, filename);
1.1 tedu 177: close(fd);
178:
179: *msglenp = msglen;
180: return msg;
181: }
182:
183: static void
1.7 espie 184: writeall(int fd, const void *buf, size_t len, const char *filename)
1.1 tedu 185: {
1.11 tedu 186: ssize_t x;
187:
188: x = write(fd, buf, len);
1.7 espie 189: if (x == -1) {
190: err(1, "write to %s", filename);
191: } else if (x != len) {
192: errx(1, "short write to %s", filename);
193: }
1.1 tedu 194: }
195:
1.17 deraadt 196: #ifndef VERIFYONLY
1.1 tedu 197: static void
1.16 tedu 198: appendall(const char *filename, const void *buf, size_t len)
199: {
200: int fd;
201:
202: fd = xopen(filename, O_NOFOLLOW | O_RDWR | O_APPEND, 0);
203: writeall(fd, buf, len, filename);
204: close(fd);
205: }
206:
207: static void
1.1 tedu 208: writeb64file(const char *filename, const char *comment, const void *buf,
1.20 espie 209: size_t len, int flags, mode_t mode)
1.1 tedu 210: {
211: char header[1024];
212: char b64[1024];
213: int fd, rv;
214:
1.20 espie 215: fd = xopen(filename, O_CREAT|flags|O_NOFOLLOW|O_RDWR, mode);
1.27 ! tedu 216: snprintf(header, sizeof(header), "%s%s\n", COMMENTHDR,
1.13 tedu 217: comment);
1.7 espie 218: writeall(fd, header, strlen(header), filename);
1.8 espie 219: if ((rv = b64_ntop(buf, len, b64, sizeof(b64)-1)) == -1)
1.1 tedu 220: errx(1, "b64 encode failed");
1.8 espie 221: b64[rv++] = '\n';
1.7 espie 222: writeall(fd, b64, rv, filename);
1.1 tedu 223: memset(b64, 0, sizeof(b64));
224: close(fd);
225: }
226:
227: static void
228: kdf(uint8_t *salt, size_t saltlen, int rounds, uint8_t *key, size_t keylen)
229: {
230: char pass[1024];
231:
232: if (rounds == 0) {
233: memset(key, 0, keylen);
234: return;
235: }
236:
237: if (!readpassphrase("passphrase: ", pass, sizeof(pass), 0))
238: errx(1, "readpassphrase");
239: if (bcrypt_pbkdf(pass, strlen(pass), salt, saltlen, key,
240: keylen, rounds) == -1)
241: errx(1, "bcrypt pbkdf");
242: memset(pass, 0, sizeof(pass));
243: }
244:
245: static void
246: signmsg(uint8_t *seckey, uint8_t *msg, unsigned long long msglen,
247: uint8_t *sig)
248: {
249: unsigned long long siglen;
250: uint8_t *sigbuf;
251:
252: sigbuf = xmalloc(msglen + SIGBYTES);
253: crypto_sign_ed25519(sigbuf, &siglen, msg, msglen, seckey);
254: memcpy(sig, sigbuf, SIGBYTES);
255: free(sigbuf);
256: }
257:
258: static void
1.27 ! tedu 259: generate(const char *pubkeyfile, const char *seckeyfile, int rounds,
! 260: const char *comment)
1.1 tedu 261: {
262: uint8_t digest[SHA512_DIGEST_LENGTH];
263: struct pubkey pubkey;
264: struct enckey enckey;
265: uint8_t xorkey[sizeof(enckey.seckey)];
1.13 tedu 266: uint8_t fingerprint[FPLEN];
1.27 ! tedu 267: char commentbuf[COMMENTMAXLEN];
1.1 tedu 268: SHA2_CTX ctx;
269: int i;
270:
271: crypto_sign_ed25519_keypair(pubkey.pubkey, enckey.seckey);
1.13 tedu 272: arc4random_buf(fingerprint, sizeof(fingerprint));
1.1 tedu 273:
274: SHA512Init(&ctx);
275: SHA512Update(&ctx, enckey.seckey, sizeof(enckey.seckey));
276: SHA512Final(digest, &ctx);
277:
278: memcpy(enckey.pkalg, PKALG, 2);
279: memcpy(enckey.kdfalg, KDFALG, 2);
280: enckey.kdfrounds = htonl(rounds);
1.13 tedu 281: memcpy(enckey.fingerprint, fingerprint, FPLEN);
1.1 tedu 282: arc4random_buf(enckey.salt, sizeof(enckey.salt));
283: kdf(enckey.salt, sizeof(enckey.salt), rounds, xorkey, sizeof(xorkey));
284: memcpy(enckey.checksum, digest, sizeof(enckey.checksum));
285: for (i = 0; i < sizeof(enckey.seckey); i++)
286: enckey.seckey[i] ^= xorkey[i];
287: memset(digest, 0, sizeof(digest));
288: memset(xorkey, 0, sizeof(xorkey));
289:
1.27 ! tedu 290: snprintf(commentbuf, sizeof(commentbuf), "%s secret key", comment);
! 291: writeb64file(seckeyfile, commentbuf, &enckey,
1.20 espie 292: sizeof(enckey), O_EXCL, 0600);
1.1 tedu 293: memset(&enckey, 0, sizeof(enckey));
294:
295: memcpy(pubkey.pkalg, PKALG, 2);
1.13 tedu 296: memcpy(pubkey.fingerprint, fingerprint, FPLEN);
1.27 ! tedu 297: snprintf(commentbuf, sizeof(commentbuf), "%s public key", comment);
! 298: writeb64file(pubkeyfile, commentbuf, &pubkey,
1.20 espie 299: sizeof(pubkey), O_EXCL, 0666);
1.1 tedu 300: }
301:
302: static void
1.16 tedu 303: sign(const char *seckeyfile, const char *msgfile, const char *sigfile,
304: int embedded)
1.1 tedu 305: {
306: struct sig sig;
307: uint8_t digest[SHA512_DIGEST_LENGTH];
308: struct enckey enckey;
309: uint8_t xorkey[sizeof(enckey.seckey)];
310: uint8_t *msg;
1.18 tedu 311: char comment[COMMENTMAXLEN], sigcomment[1024];
1.1 tedu 312: unsigned long long msglen;
313: int i, rounds;
314: SHA2_CTX ctx;
315:
1.18 tedu 316: readb64file(seckeyfile, &enckey, sizeof(enckey), comment);
1.1 tedu 317:
318: if (memcmp(enckey.kdfalg, KDFALG, 2))
319: errx(1, "unsupported KDF");
320: rounds = ntohl(enckey.kdfrounds);
321: kdf(enckey.salt, sizeof(enckey.salt), rounds, xorkey, sizeof(xorkey));
322: for (i = 0; i < sizeof(enckey.seckey); i++)
323: enckey.seckey[i] ^= xorkey[i];
324: memset(xorkey, 0, sizeof(xorkey));
325: SHA512Init(&ctx);
326: SHA512Update(&ctx, enckey.seckey, sizeof(enckey.seckey));
327: SHA512Final(digest, &ctx);
328: if (memcmp(enckey.checksum, digest, sizeof(enckey.checksum)))
329: errx(1, "incorrect passphrase");
330: memset(digest, 0, sizeof(digest));
331:
1.16 tedu 332: msg = readmsg(msgfile, &msglen);
1.1 tedu 333:
334: signmsg(enckey.seckey, msg, msglen, sig.sig);
1.13 tedu 335: memcpy(sig.fingerprint, enckey.fingerprint, FPLEN);
1.1 tedu 336: memset(&enckey, 0, sizeof(enckey));
337:
338: memcpy(sig.pkalg, PKALG, 2);
1.18 tedu 339: snprintf(sigcomment, sizeof(sigcomment), "signature from %s", comment);
1.20 espie 340: writeb64file(sigfile, sigcomment, &sig, sizeof(sig), O_TRUNC, 0666);
1.16 tedu 341: if (embedded)
342: appendall(sigfile, msg, msglen);
1.1 tedu 343:
344: free(msg);
345: }
1.22 tedu 346:
347: static void
348: inspect(const char *seckeyfile, const char *pubkeyfile, const char *sigfile)
349: {
350: struct sig sig;
351: struct enckey enckey;
352: struct pubkey pubkey;
353: char fp[(FPLEN + 2) / 3 * 4 + 1];
354:
355: if (seckeyfile) {
356: readb64file(seckeyfile, &enckey, sizeof(enckey), NULL);
357: b64_ntop(enckey.fingerprint, FPLEN, fp, sizeof(fp));
358: printf("sec fp: %s\n", fp);
359: }
360: if (pubkeyfile) {
361: readb64file(pubkeyfile, &pubkey, sizeof(pubkey), NULL);
362: b64_ntop(pubkey.fingerprint, FPLEN, fp, sizeof(fp));
363: printf("pub fp: %s\n", fp);
364: }
365: if (sigfile) {
366: readb64file(sigfile, &sig, sizeof(sig), NULL);
367: b64_ntop(sig.fingerprint, FPLEN, fp, sizeof(fp));
368: printf("sig fp: %s\n", fp);
369: }
370: }
1.14 tedu 371: #endif
1.1 tedu 372:
373: static void
1.13 tedu 374: verifymsg(uint8_t *pubkey, uint8_t *msg, unsigned long long msglen,
375: uint8_t *sig)
376: {
377: uint8_t *sigbuf, *dummybuf;
378: unsigned long long siglen, dummylen;
379:
380: siglen = SIGBYTES + msglen;
381: sigbuf = xmalloc(siglen);
382: dummybuf = xmalloc(siglen);
383: memcpy(sigbuf, sig, SIGBYTES);
384: memcpy(sigbuf + SIGBYTES, msg, msglen);
385: if (crypto_sign_ed25519_open(dummybuf, &dummylen, sigbuf, siglen,
386: pubkey) == -1)
387: errx(1, "signature verification failed");
388: free(sigbuf);
389: free(dummybuf);
390: }
391:
392:
393: static void
1.16 tedu 394: verify(const char *pubkeyfile, const char *msgfile, const char *sigfile,
395: int embedded)
1.1 tedu 396: {
397: struct sig sig;
398: struct pubkey pubkey;
1.16 tedu 399: unsigned long long msglen, siglen = 0;
1.1 tedu 400: uint8_t *msg;
1.16 tedu 401: int fd;
402:
403: msg = readmsg(embedded ? sigfile : msgfile, &msglen);
1.1 tedu 404:
1.18 tedu 405: readb64file(pubkeyfile, &pubkey, sizeof(pubkey), NULL);
1.16 tedu 406: if (embedded) {
1.18 tedu 407: siglen = parseb64file(sigfile, msg, &sig, sizeof(sig), NULL);
1.16 tedu 408: msg += siglen;
409: msglen -= siglen;
410: } else {
1.18 tedu 411: readb64file(sigfile, &sig, sizeof(sig), NULL);
1.16 tedu 412: }
1.13 tedu 413:
1.22 tedu 414: if (memcmp(pubkey.fingerprint, sig.fingerprint, FPLEN)) {
415: #ifndef VERIFYONLY
416: inspect(NULL, pubkeyfile, sigfile);
417: #endif
1.13 tedu 418: errx(1, "verification failed: checked against wrong key");
1.22 tedu 419: }
1.1 tedu 420:
1.16 tedu 421: verifymsg(pubkey.pubkey, msg, msglen, sig.sig);
422: if (embedded) {
1.19 tedu 423: fd = xopen(msgfile, O_CREAT|O_TRUNC|O_NOFOLLOW|O_RDWR, 0666);
1.16 tedu 424: writeall(fd, msg, msglen, msgfile);
425: close(fd);
426: }
1.1 tedu 427:
1.16 tedu 428: free(msg - siglen);
1.1 tedu 429: }
430:
431: int
432: main(int argc, char **argv)
433: {
1.16 tedu 434: const char *pubkeyfile = NULL, *seckeyfile = NULL, *msgfile = NULL,
1.1 tedu 435: *sigfile = NULL;
436: char sigfilebuf[1024];
1.27 ! tedu 437: const char *comment = "signify";
1.1 tedu 438: int ch, rounds;
1.16 tedu 439: int embedded = 0;
1.6 tedu 440: enum {
441: NONE,
442: GENERATE,
1.22 tedu 443: INSPECT,
1.6 tedu 444: SIGN,
445: VERIFY
446: } verb = NONE;
447:
1.1 tedu 448:
449: rounds = 42;
450:
1.27 ! tedu 451: while ((ch = getopt(argc, argv, "GISVc:eno:p:s:")) != -1) {
1.1 tedu 452: switch (ch) {
1.14 tedu 453: #ifndef VERIFYONLY
1.6 tedu 454: case 'G':
455: if (verb)
456: usage();
457: verb = GENERATE;
458: break;
1.22 tedu 459: case 'I':
460: if (verb)
461: usage();
462: verb = INSPECT;
463: break;
1.6 tedu 464: case 'S':
465: if (verb)
466: usage();
467: verb = SIGN;
468: break;
1.14 tedu 469: #endif
1.6 tedu 470: case 'V':
471: if (verb)
472: usage();
473: verb = VERIFY;
474: break;
1.27 ! tedu 475: case 'c':
! 476: comment = optarg;
! 477: break;
1.16 tedu 478: case 'e':
479: embedded = 1;
480: break;
1.6 tedu 481: case 'n':
1.1 tedu 482: rounds = 0;
483: break;
1.6 tedu 484: case 'o':
1.1 tedu 485: sigfile = optarg;
486: break;
1.6 tedu 487: case 'p':
1.1 tedu 488: pubkeyfile = optarg;
489: break;
1.6 tedu 490: case 's':
1.1 tedu 491: seckeyfile = optarg;
492: break;
493: default:
494: usage();
495: break;
496: }
497: }
1.2 tedu 498: argc -= optind;
1.9 espie 499: argv += optind;
500:
1.15 espie 501: #ifdef VERIFYONLY
502: if (verb != VERIFY)
503: #else
1.9 espie 504: if (verb == NONE)
1.15 espie 505: #endif
1.1 tedu 506: usage();
507:
1.14 tedu 508: #ifndef VERIFYONLY
1.6 tedu 509: if (verb == GENERATE) {
1.9 espie 510: if (!pubkeyfile || !seckeyfile || argc != 0)
1.1 tedu 511: usage();
1.27 ! tedu 512: generate(pubkeyfile, seckeyfile, rounds, comment);
1.22 tedu 513: } else if (verb == INSPECT) {
514: if (argc != 0)
515: usage();
516: inspect(seckeyfile, pubkeyfile, sigfile);
1.14 tedu 517: } else
518: #endif
519: {
1.9 espie 520: if (argc != 1)
1.1 tedu 521: usage();
1.9 espie 522:
1.16 tedu 523: msgfile = argv[0];
1.9 espie 524:
525: if (!sigfile) {
526: if (snprintf(sigfilebuf, sizeof(sigfilebuf), "%s.sig",
1.16 tedu 527: msgfile) >= sizeof(sigfilebuf))
1.9 espie 528: errx(1, "path too long");
529: sigfile = sigfilebuf;
530: }
1.14 tedu 531: #ifndef VERIFYONLY
1.9 espie 532: if (verb == SIGN) {
533: if (!seckeyfile)
534: usage();
1.16 tedu 535: sign(seckeyfile, msgfile, sigfile, embedded);
1.14 tedu 536: } else
537: #endif
538: if (verb == VERIFY) {
1.9 espie 539: if (!pubkeyfile)
540: usage();
1.16 tedu 541: verify(pubkeyfile, msgfile, sigfile, embedded);
1.9 espie 542: }
1.1 tedu 543: }
1.9 espie 544:
1.1 tedu 545: return 0;
546: }