Annotation of src/usr.bin/signify/signify.c, Revision 1.36
1.36 ! tedu 1: /* $OpenBSD: signify.c,v 1.35 2014/01/14 17:25:06 tedu Exp $ */
1.1 tedu 2: /*
3: * Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
4: *
5: * Permission to use, copy, modify, and distribute this software for any
6: * purpose with or without fee is hereby granted, provided that the above
7: * copyright notice and this permission notice appear in all copies.
8: *
9: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16: */
17: #include <sys/stat.h>
18:
19: #include <netinet/in.h>
20: #include <resolv.h>
21:
22: #include <stdint.h>
23: #include <fcntl.h>
24: #include <string.h>
25: #include <stdio.h>
1.34 tedu 26: #include <stdlib.h>
1.1 tedu 27: #include <err.h>
28: #include <unistd.h>
29: #include <readpassphrase.h>
30: #include <util.h>
31: #include <sha2.h>
32:
33: #include "crypto_api.h"
34:
35: #define SIGBYTES crypto_sign_ed25519_BYTES
36: #define SECRETBYTES crypto_sign_ed25519_SECRETKEYBYTES
37: #define PUBLICBYTES crypto_sign_ed25519_PUBLICKEYBYTES
38:
39: #define PKALG "Ed"
40: #define KDFALG "BK"
1.13 tedu 41: #define FPLEN 8
42:
1.18 tedu 43: #define COMMENTHDR "untrusted comment: "
44: #define COMMENTHDRLEN 19
45: #define COMMENTMAXLEN 1024
1.1 tedu 46:
47: struct enckey {
48: uint8_t pkalg[2];
49: uint8_t kdfalg[2];
50: uint32_t kdfrounds;
51: uint8_t salt[16];
52: uint8_t checksum[8];
1.13 tedu 53: uint8_t fingerprint[FPLEN];
1.1 tedu 54: uint8_t seckey[SECRETBYTES];
55: };
56:
57: struct pubkey {
58: uint8_t pkalg[2];
1.13 tedu 59: uint8_t fingerprint[FPLEN];
1.1 tedu 60: uint8_t pubkey[PUBLICBYTES];
61: };
62:
63: struct sig {
64: uint8_t pkalg[2];
1.13 tedu 65: uint8_t fingerprint[FPLEN];
1.1 tedu 66: uint8_t sig[SIGBYTES];
67: };
68:
69: extern char *__progname;
70:
71: static void
1.31 tedu 72: usage(const char *error)
1.1 tedu 73: {
1.31 tedu 74: if (error)
75: fprintf(stderr, "%s\n", error);
1.9 espie 76: fprintf(stderr, "usage:"
1.15 espie 77: #ifndef VERIFYONLY
1.31 tedu 78: "\t%1$s -G [-n] [-c comment] -p pubkey -s seckey\n"
79: "\t%1$s -I [-p pubkey] [-s seckey] [-x sigfile]\n"
80: "\t%1$s -S [-e] [-x sigfile] -s seckey -m message\n"
1.15 espie 81: #endif
1.31 tedu 82: "\t%1$s -V [-e] [-x sigfile] -p pubkey -m message\n",
1.15 espie 83: __progname);
1.1 tedu 84: exit(1);
85: }
86:
87: static int
88: xopen(const char *fname, int flags, mode_t mode)
89: {
90: int fd;
91:
1.31 tedu 92: if (strcmp(fname, "-") == 0) {
93: if ((flags & O_WRONLY))
94: fd = dup(STDOUT_FILENO);
95: else
96: fd = dup(STDIN_FILENO);
97: if (fd == -1)
98: err(1, "dup failed");
99: } else {
100: fd = open(fname, flags, mode);
101: if (fd == -1)
102: err(1, "can't open %s for %s", fname,
103: (flags & O_WRONLY) ? "writing" : "reading");
104: }
1.1 tedu 105: return fd;
106: }
107:
108: static void *
109: xmalloc(size_t len)
110: {
111: void *p;
112:
113: p = malloc(len);
114: if (!p)
115: err(1, "malloc %zu", len);
116: return p;
117: }
118:
119: static void
1.7 espie 120: readall(int fd, void *buf, size_t len, const char *filename)
1.1 tedu 121: {
1.11 tedu 122: ssize_t x;
1.33 espie 123:
124: x = read(fd, buf, len);
125: if (x == -1) {
126: err(1, "read from %s", filename);
127: } else if (x != len) {
128: errx(1, "short read from %s", filename);
1.7 espie 129: }
1.1 tedu 130: }
131:
1.16 tedu 132: static size_t
1.18 tedu 133: parseb64file(const char *filename, char *b64, void *buf, size_t len,
134: char *comment)
1.16 tedu 135: {
136: int rv;
137: char *commentend, *b64end;
138:
139: commentend = strchr(b64, '\n');
140: if (!commentend || commentend - b64 <= COMMENTHDRLEN ||
141: memcmp(b64, COMMENTHDR, COMMENTHDRLEN))
142: errx(1, "invalid comment in %s; must start with '%s'",
143: filename, COMMENTHDR);
1.18 tedu 144: *commentend = 0;
145: if (comment)
146: strlcpy(comment, b64 + COMMENTHDRLEN, COMMENTMAXLEN);
1.16 tedu 147: b64end = strchr(commentend + 1, '\n');
148: if (!b64end)
149: errx(1, "missing new line after b64 in %s", filename);
150: *b64end = 0;
151: rv = b64_pton(commentend + 1, buf, len);
152: if (rv != len)
153: errx(1, "invalid b64 encoding in %s", filename);
154: if (memcmp(buf, PKALG, 2))
155: errx(1, "unsupported file %s", filename);
156: return b64end - b64 + 1;
157: }
158:
1.1 tedu 159: static void
1.18 tedu 160: readb64file(const char *filename, void *buf, size_t len, char *comment)
1.1 tedu 161: {
162: char b64[2048];
1.10 tedu 163: int rv, fd;
1.1 tedu 164:
165: fd = xopen(filename, O_RDONLY | O_NOFOLLOW, 0);
166: memset(b64, 0, sizeof(b64));
167: rv = read(fd, b64, sizeof(b64) - 1);
168: if (rv == -1)
1.7 espie 169: err(1, "read from %s", filename);
1.18 tedu 170: parseb64file(filename, b64, buf, len, comment);
1.1 tedu 171: memset(b64, 0, sizeof(b64));
172: close(fd);
173: }
174:
1.35 tedu 175: static uint8_t *
1.1 tedu 176: readmsg(const char *filename, unsigned long long *msglenp)
177: {
178: unsigned long long msglen;
179: uint8_t *msg;
180: struct stat sb;
181: int fd;
182:
183: fd = xopen(filename, O_RDONLY | O_NOFOLLOW, 0);
1.29 lteo 184: if (fstat(fd, &sb) == -1)
185: err(1, "fstat on %s", filename);
1.30 tedu 186: if (!S_ISREG(sb.st_mode))
187: errx(1, "%s must be a regular file", filename);
1.1 tedu 188: msglen = sb.st_size;
189: if (msglen > (1UL << 30))
190: errx(1, "msg too large in %s", filename);
191: msg = xmalloc(msglen);
1.7 espie 192: readall(fd, msg, msglen, filename);
1.1 tedu 193: close(fd);
194:
195: *msglenp = msglen;
196: return msg;
197: }
198:
199: static void
1.7 espie 200: writeall(int fd, const void *buf, size_t len, const char *filename)
1.1 tedu 201: {
1.11 tedu 202: ssize_t x;
1.33 espie 203:
204: x = write(fd, buf, len);
205: if (x == -1) {
206: err(1, "write to %s", filename);
207: } else if (x != len) {
208: errx(1, "short write to %s", filename);
1.7 espie 209: }
1.1 tedu 210: }
211:
1.17 deraadt 212: #ifndef VERIFYONLY
1.1 tedu 213: static void
1.16 tedu 214: appendall(const char *filename, const void *buf, size_t len)
215: {
216: int fd;
217:
1.30 tedu 218: fd = xopen(filename, O_NOFOLLOW | O_WRONLY | O_APPEND, 0);
1.16 tedu 219: writeall(fd, buf, len, filename);
220: close(fd);
221: }
222:
223: static void
1.1 tedu 224: writeb64file(const char *filename, const char *comment, const void *buf,
1.20 espie 225: size_t len, int flags, mode_t mode)
1.1 tedu 226: {
227: char header[1024];
228: char b64[1024];
229: int fd, rv;
230:
1.30 tedu 231: fd = xopen(filename, O_CREAT|flags|O_NOFOLLOW|O_WRONLY, mode);
1.31 tedu 232: snprintf(header, sizeof(header), "%s%s\n", COMMENTHDR, comment);
1.7 espie 233: writeall(fd, header, strlen(header), filename);
1.8 espie 234: if ((rv = b64_ntop(buf, len, b64, sizeof(b64)-1)) == -1)
1.1 tedu 235: errx(1, "b64 encode failed");
1.8 espie 236: b64[rv++] = '\n';
1.7 espie 237: writeall(fd, b64, rv, filename);
1.1 tedu 238: memset(b64, 0, sizeof(b64));
239: close(fd);
240: }
241:
242: static void
243: kdf(uint8_t *salt, size_t saltlen, int rounds, uint8_t *key, size_t keylen)
244: {
245: char pass[1024];
246:
247: if (rounds == 0) {
248: memset(key, 0, keylen);
249: return;
250: }
251:
252: if (!readpassphrase("passphrase: ", pass, sizeof(pass), 0))
253: errx(1, "readpassphrase");
254: if (bcrypt_pbkdf(pass, strlen(pass), salt, saltlen, key,
255: keylen, rounds) == -1)
256: errx(1, "bcrypt pbkdf");
257: memset(pass, 0, sizeof(pass));
258: }
259:
260: static void
261: signmsg(uint8_t *seckey, uint8_t *msg, unsigned long long msglen,
262: uint8_t *sig)
263: {
264: unsigned long long siglen;
265: uint8_t *sigbuf;
266:
267: sigbuf = xmalloc(msglen + SIGBYTES);
268: crypto_sign_ed25519(sigbuf, &siglen, msg, msglen, seckey);
269: memcpy(sig, sigbuf, SIGBYTES);
270: free(sigbuf);
271: }
272:
273: static void
1.27 tedu 274: generate(const char *pubkeyfile, const char *seckeyfile, int rounds,
275: const char *comment)
1.1 tedu 276: {
277: uint8_t digest[SHA512_DIGEST_LENGTH];
278: struct pubkey pubkey;
279: struct enckey enckey;
280: uint8_t xorkey[sizeof(enckey.seckey)];
1.13 tedu 281: uint8_t fingerprint[FPLEN];
1.27 tedu 282: char commentbuf[COMMENTMAXLEN];
1.1 tedu 283: SHA2_CTX ctx;
284: int i;
285:
286: crypto_sign_ed25519_keypair(pubkey.pubkey, enckey.seckey);
1.13 tedu 287: arc4random_buf(fingerprint, sizeof(fingerprint));
1.1 tedu 288:
289: SHA512Init(&ctx);
290: SHA512Update(&ctx, enckey.seckey, sizeof(enckey.seckey));
291: SHA512Final(digest, &ctx);
292:
293: memcpy(enckey.pkalg, PKALG, 2);
294: memcpy(enckey.kdfalg, KDFALG, 2);
295: enckey.kdfrounds = htonl(rounds);
1.13 tedu 296: memcpy(enckey.fingerprint, fingerprint, FPLEN);
1.1 tedu 297: arc4random_buf(enckey.salt, sizeof(enckey.salt));
298: kdf(enckey.salt, sizeof(enckey.salt), rounds, xorkey, sizeof(xorkey));
299: memcpy(enckey.checksum, digest, sizeof(enckey.checksum));
300: for (i = 0; i < sizeof(enckey.seckey); i++)
301: enckey.seckey[i] ^= xorkey[i];
302: memset(digest, 0, sizeof(digest));
303: memset(xorkey, 0, sizeof(xorkey));
304:
1.27 tedu 305: snprintf(commentbuf, sizeof(commentbuf), "%s secret key", comment);
306: writeb64file(seckeyfile, commentbuf, &enckey,
1.20 espie 307: sizeof(enckey), O_EXCL, 0600);
1.1 tedu 308: memset(&enckey, 0, sizeof(enckey));
309:
310: memcpy(pubkey.pkalg, PKALG, 2);
1.13 tedu 311: memcpy(pubkey.fingerprint, fingerprint, FPLEN);
1.27 tedu 312: snprintf(commentbuf, sizeof(commentbuf), "%s public key", comment);
313: writeb64file(pubkeyfile, commentbuf, &pubkey,
1.20 espie 314: sizeof(pubkey), O_EXCL, 0666);
1.1 tedu 315: }
316:
317: static void
1.16 tedu 318: sign(const char *seckeyfile, const char *msgfile, const char *sigfile,
319: int embedded)
1.1 tedu 320: {
321: struct sig sig;
322: uint8_t digest[SHA512_DIGEST_LENGTH];
323: struct enckey enckey;
324: uint8_t xorkey[sizeof(enckey.seckey)];
325: uint8_t *msg;
1.18 tedu 326: char comment[COMMENTMAXLEN], sigcomment[1024];
1.1 tedu 327: unsigned long long msglen;
328: int i, rounds;
329: SHA2_CTX ctx;
330:
1.18 tedu 331: readb64file(seckeyfile, &enckey, sizeof(enckey), comment);
1.1 tedu 332:
333: if (memcmp(enckey.kdfalg, KDFALG, 2))
334: errx(1, "unsupported KDF");
335: rounds = ntohl(enckey.kdfrounds);
336: kdf(enckey.salt, sizeof(enckey.salt), rounds, xorkey, sizeof(xorkey));
337: for (i = 0; i < sizeof(enckey.seckey); i++)
338: enckey.seckey[i] ^= xorkey[i];
339: memset(xorkey, 0, sizeof(xorkey));
340: SHA512Init(&ctx);
341: SHA512Update(&ctx, enckey.seckey, sizeof(enckey.seckey));
342: SHA512Final(digest, &ctx);
343: if (memcmp(enckey.checksum, digest, sizeof(enckey.checksum)))
344: errx(1, "incorrect passphrase");
345: memset(digest, 0, sizeof(digest));
346:
1.16 tedu 347: msg = readmsg(msgfile, &msglen);
1.1 tedu 348:
349: signmsg(enckey.seckey, msg, msglen, sig.sig);
1.13 tedu 350: memcpy(sig.fingerprint, enckey.fingerprint, FPLEN);
1.1 tedu 351: memset(&enckey, 0, sizeof(enckey));
352:
353: memcpy(sig.pkalg, PKALG, 2);
1.18 tedu 354: snprintf(sigcomment, sizeof(sigcomment), "signature from %s", comment);
1.20 espie 355: writeb64file(sigfile, sigcomment, &sig, sizeof(sig), O_TRUNC, 0666);
1.16 tedu 356: if (embedded)
357: appendall(sigfile, msg, msglen);
1.1 tedu 358:
359: free(msg);
360: }
1.22 tedu 361:
362: static void
363: inspect(const char *seckeyfile, const char *pubkeyfile, const char *sigfile)
364: {
365: struct sig sig;
366: struct enckey enckey;
367: struct pubkey pubkey;
368: char fp[(FPLEN + 2) / 3 * 4 + 1];
369:
370: if (seckeyfile) {
371: readb64file(seckeyfile, &enckey, sizeof(enckey), NULL);
372: b64_ntop(enckey.fingerprint, FPLEN, fp, sizeof(fp));
373: printf("sec fp: %s\n", fp);
374: }
375: if (pubkeyfile) {
376: readb64file(pubkeyfile, &pubkey, sizeof(pubkey), NULL);
377: b64_ntop(pubkey.fingerprint, FPLEN, fp, sizeof(fp));
378: printf("pub fp: %s\n", fp);
379: }
380: if (sigfile) {
381: readb64file(sigfile, &sig, sizeof(sig), NULL);
382: b64_ntop(sig.fingerprint, FPLEN, fp, sizeof(fp));
383: printf("sig fp: %s\n", fp);
384: }
385: }
1.14 tedu 386: #endif
1.1 tedu 387:
388: static void
1.13 tedu 389: verifymsg(uint8_t *pubkey, uint8_t *msg, unsigned long long msglen,
390: uint8_t *sig)
391: {
392: uint8_t *sigbuf, *dummybuf;
393: unsigned long long siglen, dummylen;
394:
395: siglen = SIGBYTES + msglen;
396: sigbuf = xmalloc(siglen);
397: dummybuf = xmalloc(siglen);
398: memcpy(sigbuf, sig, SIGBYTES);
399: memcpy(sigbuf + SIGBYTES, msg, msglen);
400: if (crypto_sign_ed25519_open(dummybuf, &dummylen, sigbuf, siglen,
401: pubkey) == -1)
402: errx(1, "signature verification failed");
403: free(sigbuf);
404: free(dummybuf);
405: }
406:
407:
408: static void
1.16 tedu 409: verify(const char *pubkeyfile, const char *msgfile, const char *sigfile,
410: int embedded)
1.1 tedu 411: {
412: struct sig sig;
413: struct pubkey pubkey;
1.16 tedu 414: unsigned long long msglen, siglen = 0;
1.1 tedu 415: uint8_t *msg;
1.16 tedu 416: int fd;
417:
418: msg = readmsg(embedded ? sigfile : msgfile, &msglen);
1.1 tedu 419:
1.18 tedu 420: readb64file(pubkeyfile, &pubkey, sizeof(pubkey), NULL);
1.16 tedu 421: if (embedded) {
1.18 tedu 422: siglen = parseb64file(sigfile, msg, &sig, sizeof(sig), NULL);
1.16 tedu 423: msg += siglen;
424: msglen -= siglen;
425: } else {
1.18 tedu 426: readb64file(sigfile, &sig, sizeof(sig), NULL);
1.16 tedu 427: }
1.13 tedu 428:
1.22 tedu 429: if (memcmp(pubkey.fingerprint, sig.fingerprint, FPLEN)) {
430: #ifndef VERIFYONLY
431: inspect(NULL, pubkeyfile, sigfile);
432: #endif
1.13 tedu 433: errx(1, "verification failed: checked against wrong key");
1.22 tedu 434: }
1.1 tedu 435:
1.16 tedu 436: verifymsg(pubkey.pubkey, msg, msglen, sig.sig);
437: if (embedded) {
1.30 tedu 438: fd = xopen(msgfile, O_CREAT|O_TRUNC|O_NOFOLLOW|O_WRONLY, 0666);
1.16 tedu 439: writeall(fd, msg, msglen, msgfile);
440: close(fd);
441: }
1.1 tedu 442:
1.16 tedu 443: free(msg - siglen);
1.1 tedu 444: }
445:
446: int
447: main(int argc, char **argv)
448: {
1.16 tedu 449: const char *pubkeyfile = NULL, *seckeyfile = NULL, *msgfile = NULL,
1.1 tedu 450: *sigfile = NULL;
451: char sigfilebuf[1024];
1.27 tedu 452: const char *comment = "signify";
1.1 tedu 453: int ch, rounds;
1.16 tedu 454: int embedded = 0;
1.6 tedu 455: enum {
456: NONE,
457: GENERATE,
1.22 tedu 458: INSPECT,
1.6 tedu 459: SIGN,
460: VERIFY
461: } verb = NONE;
462:
1.1 tedu 463:
464: rounds = 42;
465:
1.32 espie 466: while ((ch = getopt(argc, argv, "GISVc:em:np:s:x:")) != -1) {
1.1 tedu 467: switch (ch) {
1.14 tedu 468: #ifndef VERIFYONLY
1.6 tedu 469: case 'G':
470: if (verb)
1.31 tedu 471: usage(NULL);
1.6 tedu 472: verb = GENERATE;
473: break;
1.22 tedu 474: case 'I':
475: if (verb)
1.31 tedu 476: usage(NULL);
1.22 tedu 477: verb = INSPECT;
478: break;
1.6 tedu 479: case 'S':
480: if (verb)
1.31 tedu 481: usage(NULL);
1.6 tedu 482: verb = SIGN;
483: break;
1.14 tedu 484: #endif
1.6 tedu 485: case 'V':
486: if (verb)
1.31 tedu 487: usage(NULL);
1.6 tedu 488: verb = VERIFY;
489: break;
1.27 tedu 490: case 'c':
491: comment = optarg;
492: break;
1.16 tedu 493: case 'e':
494: embedded = 1;
495: break;
1.31 tedu 496: case 'm':
497: msgfile = optarg;
498: break;
1.6 tedu 499: case 'n':
1.1 tedu 500: rounds = 0;
501: break;
1.6 tedu 502: case 'p':
1.1 tedu 503: pubkeyfile = optarg;
504: break;
1.6 tedu 505: case 's':
1.1 tedu 506: seckeyfile = optarg;
507: break;
1.31 tedu 508: case 'x':
509: sigfile = optarg;
510: break;
1.1 tedu 511: default:
1.31 tedu 512: usage(NULL);
1.1 tedu 513: break;
514: }
515: }
1.2 tedu 516: argc -= optind;
1.9 espie 517: argv += optind;
518:
1.31 tedu 519: if (argc != 0)
520: usage(NULL);
521:
1.36 ! tedu 522: if (!sigfile && msgfile) {
! 523: if (strcmp(msgfile, "-") == 0)
! 524: errx(1, "must specify sigfile with - message");
! 525: if (snprintf(sigfilebuf, sizeof(sigfilebuf), "%s.sig",
! 526: msgfile) >= sizeof(sigfilebuf))
! 527: errx(1, "path too long");
! 528: sigfile = sigfilebuf;
! 529: }
1.1 tedu 530:
1.36 ! tedu 531: switch (verb) {
1.14 tedu 532: #ifndef VERIFYONLY
1.36 ! tedu 533: case GENERATE:
1.31 tedu 534: if (!pubkeyfile || !seckeyfile)
535: usage("need pubkey and seckey");
1.27 tedu 536: generate(pubkeyfile, seckeyfile, rounds, comment);
1.36 ! tedu 537: break;
! 538: case INSPECT:
1.22 tedu 539: inspect(seckeyfile, pubkeyfile, sigfile);
1.36 ! tedu 540: break;
! 541: case SIGN:
! 542: if (!msgfile || !seckeyfile)
! 543: usage("need message and seckey");
! 544: sign(seckeyfile, msgfile, sigfile, embedded);
! 545: break;
1.14 tedu 546: #endif
1.36 ! tedu 547: case VERIFY:
! 548: if (!msgfile || !pubkeyfile)
! 549: usage("need message and pubkey");
! 550: verify(pubkeyfile, msgfile, sigfile, embedded);
! 551: break;
! 552: default:
! 553: usage(NULL);
! 554: break;
1.1 tedu 555: }
1.9 espie 556:
1.1 tedu 557: return 0;
558: }