Annotation of src/usr.bin/signify/signify.c, Revision 1.32
1.32 ! espie 1: /* $OpenBSD: signify.c,v 1.31 2014/01/13 01:40:43 tedu Exp $ */
1.1 tedu 2: /*
3: * Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
4: *
5: * Permission to use, copy, modify, and distribute this software for any
6: * purpose with or without fee is hereby granted, provided that the above
7: * copyright notice and this permission notice appear in all copies.
8: *
9: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16: */
17: #include <sys/stat.h>
18:
19: #include <netinet/in.h>
20: #include <resolv.h>
21:
22: #include <stdint.h>
23: #include <fcntl.h>
24: #include <string.h>
25: #include <stdio.h>
26: #include <err.h>
27: #include <unistd.h>
28: #include <readpassphrase.h>
29: #include <util.h>
30: #include <sha2.h>
31:
32: #include "crypto_api.h"
33:
34: #define SIGBYTES crypto_sign_ed25519_BYTES
35: #define SECRETBYTES crypto_sign_ed25519_SECRETKEYBYTES
36: #define PUBLICBYTES crypto_sign_ed25519_PUBLICKEYBYTES
37:
38: #define PKALG "Ed"
39: #define KDFALG "BK"
1.13 tedu 40: #define FPLEN 8
41:
1.18 tedu 42: #define COMMENTHDR "untrusted comment: "
43: #define COMMENTHDRLEN 19
44: #define COMMENTMAXLEN 1024
1.1 tedu 45:
46: struct enckey {
47: uint8_t pkalg[2];
48: uint8_t kdfalg[2];
49: uint32_t kdfrounds;
50: uint8_t salt[16];
51: uint8_t checksum[8];
1.13 tedu 52: uint8_t fingerprint[FPLEN];
1.1 tedu 53: uint8_t seckey[SECRETBYTES];
54: };
55:
56: struct pubkey {
57: uint8_t pkalg[2];
1.13 tedu 58: uint8_t fingerprint[FPLEN];
1.1 tedu 59: uint8_t pubkey[PUBLICBYTES];
60: };
61:
62: struct sig {
63: uint8_t pkalg[2];
1.13 tedu 64: uint8_t fingerprint[FPLEN];
1.1 tedu 65: uint8_t sig[SIGBYTES];
66: };
67:
68: extern char *__progname;
69:
70: static void
1.31 tedu 71: usage(const char *error)
1.1 tedu 72: {
1.31 tedu 73: if (error)
74: fprintf(stderr, "%s\n", error);
1.9 espie 75: fprintf(stderr, "usage:"
1.15 espie 76: #ifndef VERIFYONLY
1.31 tedu 77: "\t%1$s -G [-n] [-c comment] -p pubkey -s seckey\n"
78: "\t%1$s -I [-p pubkey] [-s seckey] [-x sigfile]\n"
79: "\t%1$s -S [-e] [-x sigfile] -s seckey -m message\n"
1.15 espie 80: #endif
1.31 tedu 81: "\t%1$s -V [-e] [-x sigfile] -p pubkey -m message\n",
1.15 espie 82: __progname);
1.1 tedu 83: exit(1);
84: }
85:
86: static int
87: xopen(const char *fname, int flags, mode_t mode)
88: {
89: int fd;
90:
1.31 tedu 91: if (strcmp(fname, "-") == 0) {
92: if ((flags & O_WRONLY))
93: fd = dup(STDOUT_FILENO);
94: else
95: fd = dup(STDIN_FILENO);
96: if (fd == -1)
97: err(1, "dup failed");
98: } else {
99: fd = open(fname, flags, mode);
100: if (fd == -1)
101: err(1, "can't open %s for %s", fname,
102: (flags & O_WRONLY) ? "writing" : "reading");
103: }
1.1 tedu 104: return fd;
105: }
106:
107: static void *
108: xmalloc(size_t len)
109: {
110: void *p;
111:
112: p = malloc(len);
113: if (!p)
114: err(1, "malloc %zu", len);
115: return p;
116: }
117:
118: static void
1.7 espie 119: readall(int fd, void *buf, size_t len, const char *filename)
1.1 tedu 120: {
1.11 tedu 121: ssize_t x;
1.32 ! espie 122:
! 123: while (len != 0) {
! 124: x = read(fd, buf, len);
! 125: if (x == -1)
! 126: err(1, "read from %s", filename);
! 127: else {
! 128: len -= x;
! 129: buf += x;
! 130: }
1.7 espie 131: }
1.1 tedu 132: }
133:
1.16 tedu 134: static size_t
1.18 tedu 135: parseb64file(const char *filename, char *b64, void *buf, size_t len,
136: char *comment)
1.16 tedu 137: {
138: int rv;
139: char *commentend, *b64end;
140:
141: commentend = strchr(b64, '\n');
142: if (!commentend || commentend - b64 <= COMMENTHDRLEN ||
143: memcmp(b64, COMMENTHDR, COMMENTHDRLEN))
144: errx(1, "invalid comment in %s; must start with '%s'",
145: filename, COMMENTHDR);
1.18 tedu 146: *commentend = 0;
147: if (comment)
148: strlcpy(comment, b64 + COMMENTHDRLEN, COMMENTMAXLEN);
1.16 tedu 149: b64end = strchr(commentend + 1, '\n');
150: if (!b64end)
151: errx(1, "missing new line after b64 in %s", filename);
152: *b64end = 0;
153: rv = b64_pton(commentend + 1, buf, len);
154: if (rv != len)
155: errx(1, "invalid b64 encoding in %s", filename);
156: if (memcmp(buf, PKALG, 2))
157: errx(1, "unsupported file %s", filename);
158: return b64end - b64 + 1;
159: }
160:
1.1 tedu 161: static void
1.18 tedu 162: readb64file(const char *filename, void *buf, size_t len, char *comment)
1.1 tedu 163: {
164: char b64[2048];
1.10 tedu 165: int rv, fd;
1.1 tedu 166:
167: fd = xopen(filename, O_RDONLY | O_NOFOLLOW, 0);
168: memset(b64, 0, sizeof(b64));
169: rv = read(fd, b64, sizeof(b64) - 1);
170: if (rv == -1)
1.7 espie 171: err(1, "read from %s", filename);
1.18 tedu 172: parseb64file(filename, b64, buf, len, comment);
1.1 tedu 173: memset(b64, 0, sizeof(b64));
174: close(fd);
175: }
176:
177: uint8_t *
178: readmsg(const char *filename, unsigned long long *msglenp)
179: {
180: unsigned long long msglen;
181: uint8_t *msg;
182: struct stat sb;
183: int fd;
184:
185: fd = xopen(filename, O_RDONLY | O_NOFOLLOW, 0);
1.29 lteo 186: if (fstat(fd, &sb) == -1)
187: err(1, "fstat on %s", filename);
1.30 tedu 188: if (!S_ISREG(sb.st_mode))
189: errx(1, "%s must be a regular file", filename);
1.1 tedu 190: msglen = sb.st_size;
191: if (msglen > (1UL << 30))
192: errx(1, "msg too large in %s", filename);
193: msg = xmalloc(msglen);
1.7 espie 194: readall(fd, msg, msglen, filename);
1.1 tedu 195: close(fd);
196:
197: *msglenp = msglen;
198: return msg;
199: }
200:
201: static void
1.7 espie 202: writeall(int fd, const void *buf, size_t len, const char *filename)
1.1 tedu 203: {
1.11 tedu 204: ssize_t x;
1.32 ! espie 205:
! 206: while (len != 0) {
! 207: x = write(fd, buf, len);
! 208: if (x == -1)
! 209: err(1, "write to %s", filename);
! 210: else {
! 211: len -= x;
! 212: buf += x;
! 213: }
1.7 espie 214: }
1.1 tedu 215: }
216:
1.17 deraadt 217: #ifndef VERIFYONLY
1.1 tedu 218: static void
1.16 tedu 219: appendall(const char *filename, const void *buf, size_t len)
220: {
221: int fd;
222:
1.30 tedu 223: fd = xopen(filename, O_NOFOLLOW | O_WRONLY | O_APPEND, 0);
1.16 tedu 224: writeall(fd, buf, len, filename);
225: close(fd);
226: }
227:
228: static void
1.1 tedu 229: writeb64file(const char *filename, const char *comment, const void *buf,
1.20 espie 230: size_t len, int flags, mode_t mode)
1.1 tedu 231: {
232: char header[1024];
233: char b64[1024];
234: int fd, rv;
235:
1.30 tedu 236: fd = xopen(filename, O_CREAT|flags|O_NOFOLLOW|O_WRONLY, mode);
1.31 tedu 237: snprintf(header, sizeof(header), "%s%s\n", COMMENTHDR, comment);
1.7 espie 238: writeall(fd, header, strlen(header), filename);
1.8 espie 239: if ((rv = b64_ntop(buf, len, b64, sizeof(b64)-1)) == -1)
1.1 tedu 240: errx(1, "b64 encode failed");
1.8 espie 241: b64[rv++] = '\n';
1.7 espie 242: writeall(fd, b64, rv, filename);
1.1 tedu 243: memset(b64, 0, sizeof(b64));
244: close(fd);
245: }
246:
247: static void
248: kdf(uint8_t *salt, size_t saltlen, int rounds, uint8_t *key, size_t keylen)
249: {
250: char pass[1024];
251:
252: if (rounds == 0) {
253: memset(key, 0, keylen);
254: return;
255: }
256:
257: if (!readpassphrase("passphrase: ", pass, sizeof(pass), 0))
258: errx(1, "readpassphrase");
259: if (bcrypt_pbkdf(pass, strlen(pass), salt, saltlen, key,
260: keylen, rounds) == -1)
261: errx(1, "bcrypt pbkdf");
262: memset(pass, 0, sizeof(pass));
263: }
264:
265: static void
266: signmsg(uint8_t *seckey, uint8_t *msg, unsigned long long msglen,
267: uint8_t *sig)
268: {
269: unsigned long long siglen;
270: uint8_t *sigbuf;
271:
272: sigbuf = xmalloc(msglen + SIGBYTES);
273: crypto_sign_ed25519(sigbuf, &siglen, msg, msglen, seckey);
274: memcpy(sig, sigbuf, SIGBYTES);
275: free(sigbuf);
276: }
277:
278: static void
1.27 tedu 279: generate(const char *pubkeyfile, const char *seckeyfile, int rounds,
280: const char *comment)
1.1 tedu 281: {
282: uint8_t digest[SHA512_DIGEST_LENGTH];
283: struct pubkey pubkey;
284: struct enckey enckey;
285: uint8_t xorkey[sizeof(enckey.seckey)];
1.13 tedu 286: uint8_t fingerprint[FPLEN];
1.27 tedu 287: char commentbuf[COMMENTMAXLEN];
1.1 tedu 288: SHA2_CTX ctx;
289: int i;
290:
291: crypto_sign_ed25519_keypair(pubkey.pubkey, enckey.seckey);
1.13 tedu 292: arc4random_buf(fingerprint, sizeof(fingerprint));
1.1 tedu 293:
294: SHA512Init(&ctx);
295: SHA512Update(&ctx, enckey.seckey, sizeof(enckey.seckey));
296: SHA512Final(digest, &ctx);
297:
298: memcpy(enckey.pkalg, PKALG, 2);
299: memcpy(enckey.kdfalg, KDFALG, 2);
300: enckey.kdfrounds = htonl(rounds);
1.13 tedu 301: memcpy(enckey.fingerprint, fingerprint, FPLEN);
1.1 tedu 302: arc4random_buf(enckey.salt, sizeof(enckey.salt));
303: kdf(enckey.salt, sizeof(enckey.salt), rounds, xorkey, sizeof(xorkey));
304: memcpy(enckey.checksum, digest, sizeof(enckey.checksum));
305: for (i = 0; i < sizeof(enckey.seckey); i++)
306: enckey.seckey[i] ^= xorkey[i];
307: memset(digest, 0, sizeof(digest));
308: memset(xorkey, 0, sizeof(xorkey));
309:
1.27 tedu 310: snprintf(commentbuf, sizeof(commentbuf), "%s secret key", comment);
311: writeb64file(seckeyfile, commentbuf, &enckey,
1.20 espie 312: sizeof(enckey), O_EXCL, 0600);
1.1 tedu 313: memset(&enckey, 0, sizeof(enckey));
314:
315: memcpy(pubkey.pkalg, PKALG, 2);
1.13 tedu 316: memcpy(pubkey.fingerprint, fingerprint, FPLEN);
1.27 tedu 317: snprintf(commentbuf, sizeof(commentbuf), "%s public key", comment);
318: writeb64file(pubkeyfile, commentbuf, &pubkey,
1.20 espie 319: sizeof(pubkey), O_EXCL, 0666);
1.1 tedu 320: }
321:
322: static void
1.16 tedu 323: sign(const char *seckeyfile, const char *msgfile, const char *sigfile,
324: int embedded)
1.1 tedu 325: {
326: struct sig sig;
327: uint8_t digest[SHA512_DIGEST_LENGTH];
328: struct enckey enckey;
329: uint8_t xorkey[sizeof(enckey.seckey)];
330: uint8_t *msg;
1.18 tedu 331: char comment[COMMENTMAXLEN], sigcomment[1024];
1.1 tedu 332: unsigned long long msglen;
333: int i, rounds;
334: SHA2_CTX ctx;
335:
1.18 tedu 336: readb64file(seckeyfile, &enckey, sizeof(enckey), comment);
1.1 tedu 337:
338: if (memcmp(enckey.kdfalg, KDFALG, 2))
339: errx(1, "unsupported KDF");
340: rounds = ntohl(enckey.kdfrounds);
341: kdf(enckey.salt, sizeof(enckey.salt), rounds, xorkey, sizeof(xorkey));
342: for (i = 0; i < sizeof(enckey.seckey); i++)
343: enckey.seckey[i] ^= xorkey[i];
344: memset(xorkey, 0, sizeof(xorkey));
345: SHA512Init(&ctx);
346: SHA512Update(&ctx, enckey.seckey, sizeof(enckey.seckey));
347: SHA512Final(digest, &ctx);
348: if (memcmp(enckey.checksum, digest, sizeof(enckey.checksum)))
349: errx(1, "incorrect passphrase");
350: memset(digest, 0, sizeof(digest));
351:
1.16 tedu 352: msg = readmsg(msgfile, &msglen);
1.1 tedu 353:
354: signmsg(enckey.seckey, msg, msglen, sig.sig);
1.13 tedu 355: memcpy(sig.fingerprint, enckey.fingerprint, FPLEN);
1.1 tedu 356: memset(&enckey, 0, sizeof(enckey));
357:
358: memcpy(sig.pkalg, PKALG, 2);
1.18 tedu 359: snprintf(sigcomment, sizeof(sigcomment), "signature from %s", comment);
1.20 espie 360: writeb64file(sigfile, sigcomment, &sig, sizeof(sig), O_TRUNC, 0666);
1.16 tedu 361: if (embedded)
362: appendall(sigfile, msg, msglen);
1.1 tedu 363:
364: free(msg);
365: }
1.22 tedu 366:
367: static void
368: inspect(const char *seckeyfile, const char *pubkeyfile, const char *sigfile)
369: {
370: struct sig sig;
371: struct enckey enckey;
372: struct pubkey pubkey;
373: char fp[(FPLEN + 2) / 3 * 4 + 1];
374:
375: if (seckeyfile) {
376: readb64file(seckeyfile, &enckey, sizeof(enckey), NULL);
377: b64_ntop(enckey.fingerprint, FPLEN, fp, sizeof(fp));
378: printf("sec fp: %s\n", fp);
379: }
380: if (pubkeyfile) {
381: readb64file(pubkeyfile, &pubkey, sizeof(pubkey), NULL);
382: b64_ntop(pubkey.fingerprint, FPLEN, fp, sizeof(fp));
383: printf("pub fp: %s\n", fp);
384: }
385: if (sigfile) {
386: readb64file(sigfile, &sig, sizeof(sig), NULL);
387: b64_ntop(sig.fingerprint, FPLEN, fp, sizeof(fp));
388: printf("sig fp: %s\n", fp);
389: }
390: }
1.14 tedu 391: #endif
1.1 tedu 392:
393: static void
1.13 tedu 394: verifymsg(uint8_t *pubkey, uint8_t *msg, unsigned long long msglen,
395: uint8_t *sig)
396: {
397: uint8_t *sigbuf, *dummybuf;
398: unsigned long long siglen, dummylen;
399:
400: siglen = SIGBYTES + msglen;
401: sigbuf = xmalloc(siglen);
402: dummybuf = xmalloc(siglen);
403: memcpy(sigbuf, sig, SIGBYTES);
404: memcpy(sigbuf + SIGBYTES, msg, msglen);
405: if (crypto_sign_ed25519_open(dummybuf, &dummylen, sigbuf, siglen,
406: pubkey) == -1)
407: errx(1, "signature verification failed");
408: free(sigbuf);
409: free(dummybuf);
410: }
411:
412:
413: static void
1.16 tedu 414: verify(const char *pubkeyfile, const char *msgfile, const char *sigfile,
415: int embedded)
1.1 tedu 416: {
417: struct sig sig;
418: struct pubkey pubkey;
1.16 tedu 419: unsigned long long msglen, siglen = 0;
1.1 tedu 420: uint8_t *msg;
1.16 tedu 421: int fd;
422:
423: msg = readmsg(embedded ? sigfile : msgfile, &msglen);
1.1 tedu 424:
1.18 tedu 425: readb64file(pubkeyfile, &pubkey, sizeof(pubkey), NULL);
1.16 tedu 426: if (embedded) {
1.18 tedu 427: siglen = parseb64file(sigfile, msg, &sig, sizeof(sig), NULL);
1.16 tedu 428: msg += siglen;
429: msglen -= siglen;
430: } else {
1.18 tedu 431: readb64file(sigfile, &sig, sizeof(sig), NULL);
1.16 tedu 432: }
1.13 tedu 433:
1.22 tedu 434: if (memcmp(pubkey.fingerprint, sig.fingerprint, FPLEN)) {
435: #ifndef VERIFYONLY
436: inspect(NULL, pubkeyfile, sigfile);
437: #endif
1.13 tedu 438: errx(1, "verification failed: checked against wrong key");
1.22 tedu 439: }
1.1 tedu 440:
1.16 tedu 441: verifymsg(pubkey.pubkey, msg, msglen, sig.sig);
442: if (embedded) {
1.30 tedu 443: fd = xopen(msgfile, O_CREAT|O_TRUNC|O_NOFOLLOW|O_WRONLY, 0666);
1.16 tedu 444: writeall(fd, msg, msglen, msgfile);
445: close(fd);
446: }
1.1 tedu 447:
1.16 tedu 448: free(msg - siglen);
1.1 tedu 449: }
450:
451: int
452: main(int argc, char **argv)
453: {
1.16 tedu 454: const char *pubkeyfile = NULL, *seckeyfile = NULL, *msgfile = NULL,
1.1 tedu 455: *sigfile = NULL;
456: char sigfilebuf[1024];
1.27 tedu 457: const char *comment = "signify";
1.1 tedu 458: int ch, rounds;
1.16 tedu 459: int embedded = 0;
1.6 tedu 460: enum {
461: NONE,
462: GENERATE,
1.22 tedu 463: INSPECT,
1.6 tedu 464: SIGN,
465: VERIFY
466: } verb = NONE;
467:
1.1 tedu 468:
469: rounds = 42;
470:
1.32 ! espie 471: while ((ch = getopt(argc, argv, "GISVc:em:np:s:x:")) != -1) {
1.1 tedu 472: switch (ch) {
1.14 tedu 473: #ifndef VERIFYONLY
1.6 tedu 474: case 'G':
475: if (verb)
1.31 tedu 476: usage(NULL);
1.6 tedu 477: verb = GENERATE;
478: break;
1.22 tedu 479: case 'I':
480: if (verb)
1.31 tedu 481: usage(NULL);
1.22 tedu 482: verb = INSPECT;
483: break;
1.6 tedu 484: case 'S':
485: if (verb)
1.31 tedu 486: usage(NULL);
1.6 tedu 487: verb = SIGN;
488: break;
1.14 tedu 489: #endif
1.6 tedu 490: case 'V':
491: if (verb)
1.31 tedu 492: usage(NULL);
1.6 tedu 493: verb = VERIFY;
494: break;
1.27 tedu 495: case 'c':
496: comment = optarg;
497: break;
1.16 tedu 498: case 'e':
499: embedded = 1;
500: break;
1.31 tedu 501: case 'm':
502: msgfile = optarg;
503: break;
1.6 tedu 504: case 'n':
1.1 tedu 505: rounds = 0;
506: break;
1.6 tedu 507: case 'p':
1.1 tedu 508: pubkeyfile = optarg;
509: break;
1.6 tedu 510: case 's':
1.1 tedu 511: seckeyfile = optarg;
512: break;
1.31 tedu 513: case 'x':
514: sigfile = optarg;
515: break;
1.1 tedu 516: default:
1.31 tedu 517: usage(NULL);
1.1 tedu 518: break;
519: }
520: }
1.2 tedu 521: argc -= optind;
1.9 espie 522: argv += optind;
523:
1.31 tedu 524: if (argc != 0)
525: usage(NULL);
526:
1.9 espie 527: if (verb == NONE)
1.31 tedu 528: usage(NULL);
1.1 tedu 529:
1.14 tedu 530: #ifndef VERIFYONLY
1.6 tedu 531: if (verb == GENERATE) {
1.31 tedu 532: if (!pubkeyfile || !seckeyfile)
533: usage("need pubkey and seckey");
1.27 tedu 534: generate(pubkeyfile, seckeyfile, rounds, comment);
1.22 tedu 535: } else if (verb == INSPECT) {
536: inspect(seckeyfile, pubkeyfile, sigfile);
1.14 tedu 537: } else
538: #endif
539: {
1.31 tedu 540: if (!msgfile)
541: usage("need message");
1.9 espie 542:
543: if (!sigfile) {
1.31 tedu 544: if (strcmp(msgfile, "-") == 0)
545: errx(1, "must specify sigfile with - message");
1.9 espie 546: if (snprintf(sigfilebuf, sizeof(sigfilebuf), "%s.sig",
1.16 tedu 547: msgfile) >= sizeof(sigfilebuf))
1.9 espie 548: errx(1, "path too long");
549: sigfile = sigfilebuf;
550: }
1.14 tedu 551: #ifndef VERIFYONLY
1.9 espie 552: if (verb == SIGN) {
553: if (!seckeyfile)
1.31 tedu 554: usage("need seckey");
1.16 tedu 555: sign(seckeyfile, msgfile, sigfile, embedded);
1.14 tedu 556: } else
557: #endif
558: if (verb == VERIFY) {
1.9 espie 559: if (!pubkeyfile)
1.31 tedu 560: usage("need pubkey");
1.16 tedu 561: verify(pubkeyfile, msgfile, sigfile, embedded);
1.9 espie 562: }
1.1 tedu 563: }
1.9 espie 564:
1.1 tedu 565: return 0;
566: }