Annotation of src/usr.bin/signify/signify.c, Revision 1.41
1.41 ! tedu 1: /* $OpenBSD: signify.c,v 1.40 2014/01/19 23:20:30 deraadt Exp $ */
1.1 tedu 2: /*
3: * Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
4: *
5: * Permission to use, copy, modify, and distribute this software for any
6: * purpose with or without fee is hereby granted, provided that the above
7: * copyright notice and this permission notice appear in all copies.
8: *
9: * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10: * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11: * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12: * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13: * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14: * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15: * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16: */
17: #include <sys/stat.h>
18:
19: #include <netinet/in.h>
20: #include <resolv.h>
21:
22: #include <stdint.h>
23: #include <fcntl.h>
24: #include <string.h>
25: #include <stdio.h>
1.34 tedu 26: #include <stdlib.h>
1.1 tedu 27: #include <err.h>
28: #include <unistd.h>
29: #include <readpassphrase.h>
30: #include <util.h>
31: #include <sha2.h>
32:
33: #include "crypto_api.h"
34:
35: #define SIGBYTES crypto_sign_ed25519_BYTES
36: #define SECRETBYTES crypto_sign_ed25519_SECRETKEYBYTES
37: #define PUBLICBYTES crypto_sign_ed25519_PUBLICKEYBYTES
38:
39: #define PKALG "Ed"
40: #define KDFALG "BK"
1.13 tedu 41: #define FPLEN 8
42:
1.18 tedu 43: #define COMMENTHDR "untrusted comment: "
44: #define COMMENTHDRLEN 19
45: #define COMMENTMAXLEN 1024
1.1 tedu 46:
47: struct enckey {
48: uint8_t pkalg[2];
49: uint8_t kdfalg[2];
50: uint32_t kdfrounds;
51: uint8_t salt[16];
52: uint8_t checksum[8];
1.13 tedu 53: uint8_t fingerprint[FPLEN];
1.1 tedu 54: uint8_t seckey[SECRETBYTES];
55: };
56:
57: struct pubkey {
58: uint8_t pkalg[2];
1.13 tedu 59: uint8_t fingerprint[FPLEN];
1.1 tedu 60: uint8_t pubkey[PUBLICBYTES];
61: };
62:
63: struct sig {
64: uint8_t pkalg[2];
1.13 tedu 65: uint8_t fingerprint[FPLEN];
1.1 tedu 66: uint8_t sig[SIGBYTES];
67: };
68:
69: extern char *__progname;
70:
71: static void
1.31 tedu 72: usage(const char *error)
1.1 tedu 73: {
1.31 tedu 74: if (error)
75: fprintf(stderr, "%s\n", error);
1.9 espie 76: fprintf(stderr, "usage:"
1.15 espie 77: #ifndef VERIFYONLY
1.31 tedu 78: "\t%1$s -G [-n] [-c comment] -p pubkey -s seckey\n"
79: "\t%1$s -I [-p pubkey] [-s seckey] [-x sigfile]\n"
80: "\t%1$s -S [-e] [-x sigfile] -s seckey -m message\n"
1.15 espie 81: #endif
1.31 tedu 82: "\t%1$s -V [-e] [-x sigfile] -p pubkey -m message\n",
1.15 espie 83: __progname);
1.1 tedu 84: exit(1);
85: }
86:
87: static int
88: xopen(const char *fname, int flags, mode_t mode)
89: {
90: int fd;
91:
1.31 tedu 92: if (strcmp(fname, "-") == 0) {
93: if ((flags & O_WRONLY))
94: fd = dup(STDOUT_FILENO);
95: else
96: fd = dup(STDIN_FILENO);
97: if (fd == -1)
98: err(1, "dup failed");
99: } else {
100: fd = open(fname, flags, mode);
101: if (fd == -1)
102: err(1, "can't open %s for %s", fname,
103: (flags & O_WRONLY) ? "writing" : "reading");
104: }
1.1 tedu 105: return fd;
106: }
107:
108: static void *
109: xmalloc(size_t len)
110: {
111: void *p;
112:
113: p = malloc(len);
114: if (!p)
115: err(1, "malloc %zu", len);
116: return p;
117: }
118:
119: static void
1.7 espie 120: readall(int fd, void *buf, size_t len, const char *filename)
1.1 tedu 121: {
1.11 tedu 122: ssize_t x;
1.38 espie 123:
124: while (len != 0) {
125: x = read(fd, buf, len);
126: if (x == -1)
127: err(1, "read from %s", filename);
128: else {
129: len -= x;
130: buf = (char*)buf + x;
131: }
1.7 espie 132: }
1.1 tedu 133: }
134:
1.16 tedu 135: static size_t
1.18 tedu 136: parseb64file(const char *filename, char *b64, void *buf, size_t len,
137: char *comment)
1.16 tedu 138: {
139: int rv;
140: char *commentend, *b64end;
141:
142: commentend = strchr(b64, '\n');
143: if (!commentend || commentend - b64 <= COMMENTHDRLEN ||
144: memcmp(b64, COMMENTHDR, COMMENTHDRLEN))
145: errx(1, "invalid comment in %s; must start with '%s'",
146: filename, COMMENTHDR);
1.18 tedu 147: *commentend = 0;
1.40 deraadt 148: if (comment) {
149: if (strlcpy(comment, b64 + COMMENTHDRLEN,
150: COMMENTMAXLEN) >= COMMENTMAXLEN)
151: err(1, "comment too long");
152: }
1.16 tedu 153: b64end = strchr(commentend + 1, '\n');
154: if (!b64end)
155: errx(1, "missing new line after b64 in %s", filename);
156: *b64end = 0;
157: rv = b64_pton(commentend + 1, buf, len);
158: if (rv != len)
159: errx(1, "invalid b64 encoding in %s", filename);
160: if (memcmp(buf, PKALG, 2))
161: errx(1, "unsupported file %s", filename);
162: return b64end - b64 + 1;
163: }
164:
1.1 tedu 165: static void
1.18 tedu 166: readb64file(const char *filename, void *buf, size_t len, char *comment)
1.1 tedu 167: {
168: char b64[2048];
1.10 tedu 169: int rv, fd;
1.1 tedu 170:
171: fd = xopen(filename, O_RDONLY | O_NOFOLLOW, 0);
172: memset(b64, 0, sizeof(b64));
173: rv = read(fd, b64, sizeof(b64) - 1);
174: if (rv == -1)
1.7 espie 175: err(1, "read from %s", filename);
1.18 tedu 176: parseb64file(filename, b64, buf, len, comment);
1.41 ! tedu 177: explicit_bzero(b64, sizeof(b64));
1.1 tedu 178: close(fd);
179: }
180:
1.35 tedu 181: static uint8_t *
1.1 tedu 182: readmsg(const char *filename, unsigned long long *msglenp)
183: {
184: unsigned long long msglen;
185: uint8_t *msg;
186: struct stat sb;
187: int fd;
188:
189: fd = xopen(filename, O_RDONLY | O_NOFOLLOW, 0);
1.29 lteo 190: if (fstat(fd, &sb) == -1)
191: err(1, "fstat on %s", filename);
1.30 tedu 192: if (!S_ISREG(sb.st_mode))
193: errx(1, "%s must be a regular file", filename);
1.1 tedu 194: msglen = sb.st_size;
195: if (msglen > (1UL << 30))
196: errx(1, "msg too large in %s", filename);
197: msg = xmalloc(msglen);
1.7 espie 198: readall(fd, msg, msglen, filename);
1.1 tedu 199: close(fd);
200:
201: *msglenp = msglen;
202: return msg;
203: }
204:
205: static void
1.7 espie 206: writeall(int fd, const void *buf, size_t len, const char *filename)
1.1 tedu 207: {
1.11 tedu 208: ssize_t x;
1.38 espie 209:
210: while (len != 0) {
211: x = write(fd, buf, len);
212: if (x == -1)
213: err(1, "write to %s", filename);
214: else {
215: len -= x;
216: buf = (char*)buf + x;
217: }
1.7 espie 218: }
1.1 tedu 219: }
220:
1.17 deraadt 221: #ifndef VERIFYONLY
1.1 tedu 222: static void
1.16 tedu 223: appendall(const char *filename, const void *buf, size_t len)
224: {
225: int fd;
226:
1.30 tedu 227: fd = xopen(filename, O_NOFOLLOW | O_WRONLY | O_APPEND, 0);
1.16 tedu 228: writeall(fd, buf, len, filename);
229: close(fd);
230: }
231:
232: static void
1.1 tedu 233: writeb64file(const char *filename, const char *comment, const void *buf,
1.20 espie 234: size_t len, int flags, mode_t mode)
1.1 tedu 235: {
236: char header[1024];
237: char b64[1024];
238: int fd, rv;
239:
1.30 tedu 240: fd = xopen(filename, O_CREAT|flags|O_NOFOLLOW|O_WRONLY, mode);
1.40 deraadt 241: if (snprintf(header, sizeof(header), "%s%s\n",
242: COMMENTHDR, comment) >= sizeof(header))
243: err(1, "comment too long");
1.7 espie 244: writeall(fd, header, strlen(header), filename);
1.8 espie 245: if ((rv = b64_ntop(buf, len, b64, sizeof(b64)-1)) == -1)
1.1 tedu 246: errx(1, "b64 encode failed");
1.8 espie 247: b64[rv++] = '\n';
1.7 espie 248: writeall(fd, b64, rv, filename);
1.41 ! tedu 249: explicit_bzero(b64, sizeof(b64));
1.1 tedu 250: close(fd);
251: }
252:
253: static void
254: kdf(uint8_t *salt, size_t saltlen, int rounds, uint8_t *key, size_t keylen)
255: {
256: char pass[1024];
257:
258: if (rounds == 0) {
259: memset(key, 0, keylen);
260: return;
261: }
262:
1.39 tedu 263: if (!readpassphrase("passphrase: ", pass, sizeof(pass), RPP_ECHO_OFF))
264: errx(1, "unable to read passphrase");
1.37 tedu 265: if (strlen(pass) == 0)
266: errx(1, "please provide a password");
1.1 tedu 267: if (bcrypt_pbkdf(pass, strlen(pass), salt, saltlen, key,
268: keylen, rounds) == -1)
269: errx(1, "bcrypt pbkdf");
1.41 ! tedu 270: explicit_bzero(pass, sizeof(pass));
1.1 tedu 271: }
272:
273: static void
274: signmsg(uint8_t *seckey, uint8_t *msg, unsigned long long msglen,
275: uint8_t *sig)
276: {
277: unsigned long long siglen;
278: uint8_t *sigbuf;
279:
280: sigbuf = xmalloc(msglen + SIGBYTES);
281: crypto_sign_ed25519(sigbuf, &siglen, msg, msglen, seckey);
282: memcpy(sig, sigbuf, SIGBYTES);
283: free(sigbuf);
284: }
285:
286: static void
1.27 tedu 287: generate(const char *pubkeyfile, const char *seckeyfile, int rounds,
288: const char *comment)
1.1 tedu 289: {
290: uint8_t digest[SHA512_DIGEST_LENGTH];
291: struct pubkey pubkey;
292: struct enckey enckey;
293: uint8_t xorkey[sizeof(enckey.seckey)];
1.13 tedu 294: uint8_t fingerprint[FPLEN];
1.27 tedu 295: char commentbuf[COMMENTMAXLEN];
1.1 tedu 296: SHA2_CTX ctx;
297: int i;
298:
299: crypto_sign_ed25519_keypair(pubkey.pubkey, enckey.seckey);
1.13 tedu 300: arc4random_buf(fingerprint, sizeof(fingerprint));
1.1 tedu 301:
302: SHA512Init(&ctx);
303: SHA512Update(&ctx, enckey.seckey, sizeof(enckey.seckey));
304: SHA512Final(digest, &ctx);
305:
306: memcpy(enckey.pkalg, PKALG, 2);
307: memcpy(enckey.kdfalg, KDFALG, 2);
308: enckey.kdfrounds = htonl(rounds);
1.13 tedu 309: memcpy(enckey.fingerprint, fingerprint, FPLEN);
1.1 tedu 310: arc4random_buf(enckey.salt, sizeof(enckey.salt));
311: kdf(enckey.salt, sizeof(enckey.salt), rounds, xorkey, sizeof(xorkey));
312: memcpy(enckey.checksum, digest, sizeof(enckey.checksum));
313: for (i = 0; i < sizeof(enckey.seckey); i++)
314: enckey.seckey[i] ^= xorkey[i];
1.41 ! tedu 315: explicit_bzero(digest, sizeof(digest));
! 316: explicit_bzero(xorkey, sizeof(xorkey));
1.1 tedu 317:
1.40 deraadt 318: if (snprintf(commentbuf, sizeof(commentbuf), "%s secret key",
319: comment) >= sizeof(commentbuf))
320: err(1, "comment too long");
1.27 tedu 321: writeb64file(seckeyfile, commentbuf, &enckey,
1.20 espie 322: sizeof(enckey), O_EXCL, 0600);
1.41 ! tedu 323: explicit_bzero(&enckey, sizeof(enckey));
1.1 tedu 324:
325: memcpy(pubkey.pkalg, PKALG, 2);
1.13 tedu 326: memcpy(pubkey.fingerprint, fingerprint, FPLEN);
1.40 deraadt 327: if (snprintf(commentbuf, sizeof(commentbuf), "%s public key",
328: comment) >= sizeof(commentbuf))
329: err(1, "comment too long");
1.27 tedu 330: writeb64file(pubkeyfile, commentbuf, &pubkey,
1.20 espie 331: sizeof(pubkey), O_EXCL, 0666);
1.1 tedu 332: }
333:
334: static void
1.16 tedu 335: sign(const char *seckeyfile, const char *msgfile, const char *sigfile,
336: int embedded)
1.1 tedu 337: {
338: struct sig sig;
339: uint8_t digest[SHA512_DIGEST_LENGTH];
340: struct enckey enckey;
341: uint8_t xorkey[sizeof(enckey.seckey)];
342: uint8_t *msg;
1.18 tedu 343: char comment[COMMENTMAXLEN], sigcomment[1024];
1.1 tedu 344: unsigned long long msglen;
345: int i, rounds;
346: SHA2_CTX ctx;
347:
1.18 tedu 348: readb64file(seckeyfile, &enckey, sizeof(enckey), comment);
1.1 tedu 349:
350: if (memcmp(enckey.kdfalg, KDFALG, 2))
351: errx(1, "unsupported KDF");
352: rounds = ntohl(enckey.kdfrounds);
353: kdf(enckey.salt, sizeof(enckey.salt), rounds, xorkey, sizeof(xorkey));
354: for (i = 0; i < sizeof(enckey.seckey); i++)
355: enckey.seckey[i] ^= xorkey[i];
1.41 ! tedu 356: explicit_bzero(xorkey, sizeof(xorkey));
1.1 tedu 357: SHA512Init(&ctx);
358: SHA512Update(&ctx, enckey.seckey, sizeof(enckey.seckey));
359: SHA512Final(digest, &ctx);
360: if (memcmp(enckey.checksum, digest, sizeof(enckey.checksum)))
361: errx(1, "incorrect passphrase");
1.41 ! tedu 362: explicit_bzero(digest, sizeof(digest));
1.1 tedu 363:
1.16 tedu 364: msg = readmsg(msgfile, &msglen);
1.1 tedu 365:
366: signmsg(enckey.seckey, msg, msglen, sig.sig);
1.13 tedu 367: memcpy(sig.fingerprint, enckey.fingerprint, FPLEN);
1.41 ! tedu 368: explicit_bzero(&enckey, sizeof(enckey));
1.1 tedu 369:
370: memcpy(sig.pkalg, PKALG, 2);
1.40 deraadt 371: if (snprintf(sigcomment, sizeof(sigcomment), "signature from %s",
372: comment) >= sizeof(sigcomment))
373: err(1, "comment too long");
1.20 espie 374: writeb64file(sigfile, sigcomment, &sig, sizeof(sig), O_TRUNC, 0666);
1.16 tedu 375: if (embedded)
376: appendall(sigfile, msg, msglen);
1.1 tedu 377:
378: free(msg);
379: }
1.22 tedu 380:
381: static void
382: inspect(const char *seckeyfile, const char *pubkeyfile, const char *sigfile)
383: {
384: struct sig sig;
385: struct enckey enckey;
386: struct pubkey pubkey;
387: char fp[(FPLEN + 2) / 3 * 4 + 1];
388:
389: if (seckeyfile) {
390: readb64file(seckeyfile, &enckey, sizeof(enckey), NULL);
391: b64_ntop(enckey.fingerprint, FPLEN, fp, sizeof(fp));
392: printf("sec fp: %s\n", fp);
393: }
394: if (pubkeyfile) {
395: readb64file(pubkeyfile, &pubkey, sizeof(pubkey), NULL);
396: b64_ntop(pubkey.fingerprint, FPLEN, fp, sizeof(fp));
397: printf("pub fp: %s\n", fp);
398: }
399: if (sigfile) {
400: readb64file(sigfile, &sig, sizeof(sig), NULL);
401: b64_ntop(sig.fingerprint, FPLEN, fp, sizeof(fp));
402: printf("sig fp: %s\n", fp);
403: }
404: }
1.14 tedu 405: #endif
1.1 tedu 406:
407: static void
1.13 tedu 408: verifymsg(uint8_t *pubkey, uint8_t *msg, unsigned long long msglen,
409: uint8_t *sig)
410: {
411: uint8_t *sigbuf, *dummybuf;
412: unsigned long long siglen, dummylen;
413:
414: siglen = SIGBYTES + msglen;
415: sigbuf = xmalloc(siglen);
416: dummybuf = xmalloc(siglen);
417: memcpy(sigbuf, sig, SIGBYTES);
418: memcpy(sigbuf + SIGBYTES, msg, msglen);
419: if (crypto_sign_ed25519_open(dummybuf, &dummylen, sigbuf, siglen,
420: pubkey) == -1)
421: errx(1, "signature verification failed");
422: free(sigbuf);
423: free(dummybuf);
424: }
425:
426:
427: static void
1.16 tedu 428: verify(const char *pubkeyfile, const char *msgfile, const char *sigfile,
429: int embedded)
1.1 tedu 430: {
431: struct sig sig;
432: struct pubkey pubkey;
1.16 tedu 433: unsigned long long msglen, siglen = 0;
1.1 tedu 434: uint8_t *msg;
1.16 tedu 435: int fd;
436:
437: msg = readmsg(embedded ? sigfile : msgfile, &msglen);
1.1 tedu 438:
1.18 tedu 439: readb64file(pubkeyfile, &pubkey, sizeof(pubkey), NULL);
1.16 tedu 440: if (embedded) {
1.18 tedu 441: siglen = parseb64file(sigfile, msg, &sig, sizeof(sig), NULL);
1.16 tedu 442: msg += siglen;
443: msglen -= siglen;
444: } else {
1.18 tedu 445: readb64file(sigfile, &sig, sizeof(sig), NULL);
1.16 tedu 446: }
1.13 tedu 447:
1.22 tedu 448: if (memcmp(pubkey.fingerprint, sig.fingerprint, FPLEN)) {
449: #ifndef VERIFYONLY
450: inspect(NULL, pubkeyfile, sigfile);
451: #endif
1.13 tedu 452: errx(1, "verification failed: checked against wrong key");
1.22 tedu 453: }
1.1 tedu 454:
1.16 tedu 455: verifymsg(pubkey.pubkey, msg, msglen, sig.sig);
456: if (embedded) {
1.30 tedu 457: fd = xopen(msgfile, O_CREAT|O_TRUNC|O_NOFOLLOW|O_WRONLY, 0666);
1.16 tedu 458: writeall(fd, msg, msglen, msgfile);
459: close(fd);
460: }
1.1 tedu 461:
1.16 tedu 462: free(msg - siglen);
1.1 tedu 463: }
464:
465: int
466: main(int argc, char **argv)
467: {
1.16 tedu 468: const char *pubkeyfile = NULL, *seckeyfile = NULL, *msgfile = NULL,
1.1 tedu 469: *sigfile = NULL;
470: char sigfilebuf[1024];
1.27 tedu 471: const char *comment = "signify";
1.1 tedu 472: int ch, rounds;
1.16 tedu 473: int embedded = 0;
1.6 tedu 474: enum {
475: NONE,
476: GENERATE,
1.22 tedu 477: INSPECT,
1.6 tedu 478: SIGN,
479: VERIFY
480: } verb = NONE;
481:
1.1 tedu 482:
483: rounds = 42;
484:
1.32 espie 485: while ((ch = getopt(argc, argv, "GISVc:em:np:s:x:")) != -1) {
1.1 tedu 486: switch (ch) {
1.14 tedu 487: #ifndef VERIFYONLY
1.6 tedu 488: case 'G':
489: if (verb)
1.31 tedu 490: usage(NULL);
1.6 tedu 491: verb = GENERATE;
492: break;
1.22 tedu 493: case 'I':
494: if (verb)
1.31 tedu 495: usage(NULL);
1.22 tedu 496: verb = INSPECT;
497: break;
1.6 tedu 498: case 'S':
499: if (verb)
1.31 tedu 500: usage(NULL);
1.6 tedu 501: verb = SIGN;
502: break;
1.14 tedu 503: #endif
1.6 tedu 504: case 'V':
505: if (verb)
1.31 tedu 506: usage(NULL);
1.6 tedu 507: verb = VERIFY;
508: break;
1.27 tedu 509: case 'c':
510: comment = optarg;
511: break;
1.16 tedu 512: case 'e':
513: embedded = 1;
514: break;
1.31 tedu 515: case 'm':
516: msgfile = optarg;
517: break;
1.6 tedu 518: case 'n':
1.1 tedu 519: rounds = 0;
520: break;
1.6 tedu 521: case 'p':
1.1 tedu 522: pubkeyfile = optarg;
523: break;
1.6 tedu 524: case 's':
1.1 tedu 525: seckeyfile = optarg;
526: break;
1.31 tedu 527: case 'x':
528: sigfile = optarg;
529: break;
1.1 tedu 530: default:
1.31 tedu 531: usage(NULL);
1.1 tedu 532: break;
533: }
534: }
1.2 tedu 535: argc -= optind;
1.9 espie 536: argv += optind;
537:
1.31 tedu 538: if (argc != 0)
539: usage(NULL);
540:
1.36 tedu 541: if (!sigfile && msgfile) {
542: if (strcmp(msgfile, "-") == 0)
543: errx(1, "must specify sigfile with - message");
544: if (snprintf(sigfilebuf, sizeof(sigfilebuf), "%s.sig",
545: msgfile) >= sizeof(sigfilebuf))
546: errx(1, "path too long");
547: sigfile = sigfilebuf;
548: }
1.1 tedu 549:
1.36 tedu 550: switch (verb) {
1.14 tedu 551: #ifndef VERIFYONLY
1.36 tedu 552: case GENERATE:
1.31 tedu 553: if (!pubkeyfile || !seckeyfile)
554: usage("need pubkey and seckey");
1.27 tedu 555: generate(pubkeyfile, seckeyfile, rounds, comment);
1.36 tedu 556: break;
557: case INSPECT:
1.22 tedu 558: inspect(seckeyfile, pubkeyfile, sigfile);
1.36 tedu 559: break;
560: case SIGN:
561: if (!msgfile || !seckeyfile)
562: usage("need message and seckey");
563: sign(seckeyfile, msgfile, sigfile, embedded);
564: break;
1.14 tedu 565: #endif
1.36 tedu 566: case VERIFY:
567: if (!msgfile || !pubkeyfile)
568: usage("need message and pubkey");
569: verify(pubkeyfile, msgfile, sigfile, embedded);
570: break;
571: default:
572: usage(NULL);
573: break;
1.1 tedu 574: }
1.9 espie 575:
1.1 tedu 576: return 0;
577: }