mirrors
/
enchive
mirror of https://github.com/skeeto/enchive.git
1
0
Fork 0
Code Issues Releases Wiki Activity
enchive/src/enchive.c

1615 lines
42 KiB
C
Raw Blame History

#include "../config.h"
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdarg.h>
#include <errno.h>
#include "docs.h"
#include "sha256.h"
#include "chacha.h"
#include "optparse.h"
int curve25519_donna(uint8_t *p, const uint8_t *s, const uint8_t *b);
/* Global options. */
static char *global_pubkey = 0;
static char *global_seckey = 0;
#if ENCHIVE_AGENT_DEFAULT_ENABLED
static int global_agent_timeout = ENCHIVE_AGENT_TIMEOUT;
#else
static int global_agent_timeout = 0;
#endif
#if ENCHIVE_PINENTRY_DEFAULT_ENABLED
static char *pinentry_path = STR(ENCHIVE_PINENTRY_DEFAULT);
#else
static char *pinentry_path = 0;
#endif
static const char enchive_suffix[] = STR(ENCHIVE_FILE_EXTENSION);
static struct {
char *name;
FILE *file;
} cleanup[2];
/**
* Register a file for deletion should fatal() be called.
*/
static void
cleanup_register(FILE *file, char *name)
{
if (file) {
unsigned i;
for (i = 0; i < sizeof(cleanup) / sizeof(*cleanup); i++) {
if (!cleanup[i].name) {
cleanup[i].name = name;
cleanup[i].file = file;
return;
}
}
}
abort();
}
/**
* Update cleanup registry to indicate FILE has been closed.
*/
static void
cleanup_closed(FILE *file)
{
unsigned i;
for (i = 0; i < sizeof(cleanup) / sizeof(*cleanup); i++) {
if (file == cleanup[i].file) {
cleanup[i].file = 0;
return;
}
}
abort();
}
/**
* Free resources held by the cleanup registry.
*/
static void
cleanup_free(void)
{
size_t i;
for (i = 0; i < sizeof(cleanup) / sizeof(*cleanup); i++)
free(cleanup[i].name);
}
/**
* Print a message, cleanup, and exit the program with a failure code.
*/
static void
fatal(const char *fmt, ...)
{
unsigned i;
va_list ap;
va_start(ap, fmt);
fprintf(stderr, "enchive: ");
vfprintf(stderr, fmt, ap);
fputc('\n', stderr);
for (i = 0; i < sizeof(cleanup) / sizeof(*cleanup); i++) {
if (cleanup[i].file)
fclose(cleanup[i].file);
if (cleanup[i].name)
remove(cleanup[i].name);
}
va_end(ap);
exit(EXIT_FAILURE);
}
/**
* Print a non-fatal warning message.
*/
static void
warning(const char *fmt, ...)
{
va_list ap;
va_start(ap, fmt);
fprintf(stderr, "warning: ");
vfprintf(stderr, fmt, ap);
fputc('\n', stderr);
va_end(ap);
}
/**
* Return a copy of S, which may be NULL.
* Abort the program if out of memory.
*/
static char *
dupstr(const char *s)
{
char *copy = 0;
if (s) {
size_t len = strlen(s) + 1;
copy = malloc(len);
if (!copy)
fatal("out of memory");
memcpy(copy, s, len);
}
return copy;
}
/**
* Concatenate N strings as a new string.
* Abort the program if out of memory.
*/
static char *
joinstr(int n, ...)
{
int i;
va_list ap;
char *p, *str;
size_t len = 1;
va_start(ap, n);
for (i = 0; i < n; i++) {
char *s = va_arg(ap, char *);
len += strlen(s);
}
va_end(ap);
p = str = malloc(len);
if (!str)
fatal("out of memory");
va_start(ap, n);
for (i = 0; i < n; i++) {
char *s = va_arg(ap, char *);
size_t slen = strlen(s);
memcpy(p, s, slen);
p += slen;
}
va_end(ap);
*p = 0;
return str;
}
/**
* Read the protection key from a key agent identified by its IV.
*/
static int agent_read(uint8_t *key, const uint8_t *id);
/**
* Serve the protection key on a key agent identified by its IV.
*/
static int agent_run(const uint8_t *key, const uint8_t *id);
#if ENCHIVE_OPTION_AGENT
#include <poll.h>
#include <unistd.h>
#include <sys/un.h>
#include <sys/stat.h>
#include <sys/socket.h>
/**
* Fill ADDR with a unix domain socket name for the agent.
*/
static int
agent_addr(struct sockaddr_un *addr, const uint8_t *iv)
{
char *dir = getenv("XDG_RUNTIME_DIR");
if (!dir) {
dir = getenv("TMPDIR");
if (!dir)
dir = "/tmp";
}
addr->sun_family = AF_UNIX;
if (strlen(dir) + 1 + 16 + 1 > sizeof(addr->sun_path)) {
warning("agent socket path too long -- %s", dir);
return 0;
} else {
sprintf(addr->sun_path, "%s/%02x%02x%02x%02x%02x%02x%02x%02x", dir,
iv[0], iv[1], iv[2], iv[3], iv[4], iv[5], iv[6], iv[7]);
return 1;
}
}
static int
agent_read(uint8_t *key, const uint8_t *iv)
{
int success;
struct sockaddr_un addr;
int fd = socket(AF_UNIX, SOCK_STREAM, 0);
if (!agent_addr(&addr, iv)) {
close(fd);
return 0;
}
if (connect(fd, (struct sockaddr *)&addr, sizeof(addr))) {
close(fd);
return 0;
}
success = read(fd, key, 32) == 32;
close(fd);
return success;
}
static int
agent_run(const uint8_t *key, const uint8_t *iv)
{
struct pollfd pfd = {-1, POLLIN, 0};
struct sockaddr_un addr;
pid_t pid;
pfd.fd = socket(AF_UNIX, SOCK_STREAM, 0);
if (pfd.fd == -1) {
warning("could not create agent socket");
return 0;
}
if (!agent_addr(&addr, iv))
return 0;
pid = fork();
if (pid == -1) {
warning("could not fork() agent -- %s", strerror(errno));
return 0;
} else if (pid != 0) {
return 1;
}
close(0);
close(1);
umask(~(S_IRUSR | S_IWUSR));
if (unlink(addr.sun_path))
if (errno != ENOENT)
fatal("failed to remove existing socket -- %s", strerror(errno));
if (bind(pfd.fd, (struct sockaddr *)&addr, sizeof(addr))) {
if (errno != EADDRINUSE)
warning("could not bind agent socket %s -- %s",
addr.sun_path, strerror(errno));
exit(EXIT_FAILURE);
}
if (listen(pfd.fd, SOMAXCONN)) {
if (errno != EADDRINUSE)
fatal("could not listen on agent socket -- %s", strerror(errno));
exit(EXIT_FAILURE);
}
close(2);
for (;;) {
int cfd;
int r = poll(&pfd, 1, global_agent_timeout * 1000);
if (r < 0) {
unlink(addr.sun_path);
fatal("agent poll failed -- %s", strerror(errno));
}
if (r == 0) {
unlink(addr.sun_path);
fputs("info: agent timeout\n", stderr);
close(pfd.fd);
break;
}
cfd = accept(pfd.fd, 0, 0);
if (cfd != -1) {
if (write(cfd, key, 32) != 32)
warning("agent write failed");
close(cfd);
}
}
exit(EXIT_SUCCESS);
}
#else
static int
agent_read(uint8_t *key, const uint8_t *id)
{
(void)key;
(void)id;
return 0;
}
static int
agent_run(const uint8_t *key, const uint8_t *id)
{
(void)key;
(void)id;
return 0;
}
#endif
/**
* Prepend the system user config directory to a filename, creating
* the directory if necessary. Calls fatal() on any error.
*/
static char *storage_directory(char *file);
#if defined(__unix__) || defined(__APPLE__)
#include <dirent.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/types.h>
/**
* Return non-zero if path exists and is a directory.
*/
static int
dir_exists(const char *path)
{
struct stat info;
return !stat(path, &info) && S_ISDIR(info.st_mode);
}
/* Use $XDG_CONFIG_HOME/enchive, or $HOME/.config/enchive. */
static char *
storage_directory(char *file)
{
static const char enchive[] = "/enchive/";
static const char config[] = "/.config";
char *xdg_config_home = getenv("XDG_CONFIG_HOME");
char *path, *s;
if (!xdg_config_home) {
char *home = getenv("HOME");
if (!home)
fatal("no $HOME or $XDG_CONFIG_HOME, giving up");
if (home[0] != '/')
fatal("$HOME is not absolute");
path = joinstr(4, home, config, enchive, file);
} else {
if (xdg_config_home[0] != '/')
fatal("$XDG_CONFIG_HOME is not absolute");
path = joinstr(3, xdg_config_home, enchive, file);
}
s = strchr(path + 1, '/');
while (s) {
*s = 0;
if (dir_exists(path) || !mkdir(path, 0700)) {
DIR *dir = opendir(path);
if (dir)
closedir(dir);
else
fatal("opendir(%s) -- %s", path, strerror(errno));
} else {
fatal("mkdir(%s) -- %s", path, strerror(errno));
}
*s = '/';
s = strchr(s + 1, '/');
}
return path;
}
#elif defined(_WIN32)
#include <windows.h>
/* Use %APPDATA% */
static char *
storage_directory(char *file)
{
char *parent;
static const char enchive[] = "\\enchive\\";
char *appdata = getenv("APPDATA");
if (!appdata)
fatal("$APPDATA is unset");
parent = joinstr(2, appdata, enchive);
if (!CreateDirectory(parent, 0)) {
if (GetLastError() == ERROR_PATH_NOT_FOUND) {
fatal("$APPDATA directory doesn't exist");
} else { /* ERROR_ALREADY_EXISTS */
DWORD attr = GetFileAttributes(parent);
if ((attr == INVALID_FILE_ATTRIBUTES) ||
!(attr & FILE_ATTRIBUTE_DIRECTORY))
fatal("%s is not a directory", parent);
}
}
free(parent);
return joinstr(3, appdata, enchive, file);
}
#endif /* _WIN32 */
/**
* Read a passphrase directly from the keyboard without echo.
*/
static void get_passphrase(char *buf, size_t len, char *prompt);
/**
* Read a passphrase without any fanfare (fallback).
*/
static void
get_passphrase_dumb(char *buf, size_t len, char *prompt)
{
size_t passlen;
warning("reading passphrase from stdin with echo");
fputs(prompt, stderr);
fflush(stderr);
if (!fgets(buf, len, stdin))
fatal("could not read passphrase");
passlen = strlen(buf);
if (buf[passlen - 1] < ' ')
buf[passlen - 1] = 0;
}
#if defined(__unix__) || defined(__APPLE__)
#include <fcntl.h>
#include <unistd.h>
#include <termios.h>
static void
pinentry_decode(char *buf, size_t blen, const char *str)
{
size_t i, j;
for (i = 0, j = 0; str[i] && str[i] != '\n' && j < blen - 1; i++) {
int c = str[i];
if (c == '%') {
static const char *hex = "0123456789ABCDEF";
char *nibh, *nibl;
if (!str[i + 1] || !str[i + 2])
fatal("invalid data from pinentry");
nibh = memchr(hex, str[i + 1], 16);
nibl = memchr(hex, str[i + 2], 16);
if (!nibh || !nibl)
fatal("invalid data from pinentry");
buf[j++] = (nibh - hex) * 16 + (nibl - hex);
i += 2;
} else {
buf[j++] = c;
}
}
buf[j] = 0;
}
static void
invoke_pinentry(char *buf, size_t len, char *prompt)
{
int pin[2];
int pout[2];
pid_t pid;
if (pipe(pin) != 0)
fatal("could not start pinentry -- %s", strerror(errno));
if (pipe(pout) != 0)
fatal("could not start pinentry -- %s", strerror(errno));
pid = fork();
if (pid == -1)
fatal("pinentry fork() failed -- %s", strerror(errno));
if (pid) {
FILE *pfi, *pfo;
char line[ENCHIVE_PASSPHRASE_MAX * 3 + 32];
close(pin[0]);
close(pout[1]);
if (!(pfi = fdopen(pin[1], "w")))
fatal("fdopen() input -- %s", strerror(errno));
if (!(pfo = fdopen(pout[0], "r")))
fatal("fdopen() output -- %s", strerror(errno));
if (!fgets(line, sizeof(line), pfo))
/* Likely caused by exec() failure, so exit quietly. */
exit(EXIT_FAILURE);
if (strncmp(line, "OK", 2) != 0)
fatal("pinentry startup failure");
if (fprintf(pfi, "SETPROMPT %s\n", prompt) < 0 || fflush(pfi) < 0)
fatal("pinentry write() -- %s", strerror(errno));
if (!fgets(line, sizeof(line), pfo))
fatal("pinentry read() -- %s", strerror(errno));
if (strncmp(line, "OK", 2) != 0)
fatal("pinentry protocol failure");
if (fprintf(pfi, "GETPIN\n") < 0 || fflush(pfi) < 0)
fatal("pinentry write() -- %s", strerror(errno));
if (!fgets(line, sizeof(line), pfo))
fatal("pinentry read() -- %s", strerror(errno));
if (strncmp(line, "ERR ", 4) == 0)
fatal("passphrase entry canceled");
else if (strncmp(line, "OK", 2) == 0)
buf[0] = 0;
else if (strncmp(line, "D ", 2) == 0)
pinentry_decode(buf, len, line + 2);
else
fatal("pinentry protocol failure");
fclose(pfo);
fclose(pfi);
} else {
close(pin[1]);
close(pout[0]);
dup2(pin[0], STDIN_FILENO);
dup2(pout[1], STDOUT_FILENO);
if (execlp(pinentry_path, pinentry_path, (char *)0))
fatal("exec(\"%s\") failed -- %s",
pinentry_path, strerror(errno));
}
}
static void
get_passphrase(char *buf, size_t len, char *prompt)
{
int tty;
if (pinentry_path) {
invoke_pinentry(buf, len, prompt);
return;
}
tty = open("/dev/tty", O_RDWR);
if (tty == -1) {
get_passphrase_dumb(buf, len, prompt);
} else {
char newline = '\n';
size_t i = 0;
struct termios old, new;
if (write(tty, prompt, strlen(prompt)) == -1)
fatal("error asking for passphrase");
tcgetattr(tty, &old);
new = old;
new.c_lflag &= ~ECHO;
tcsetattr(tty, TCSANOW, &new);
errno = 0;
while (i < len - 1 && read(tty, buf + i, 1) == 1) {
if (buf[i] == '\n' || buf[i] == '\r')
break;
i++;
}
buf[i] = 0;
tcsetattr(tty, TCSANOW, &old);
if (write(tty, &newline, 1) == -1)
fatal("error asking for passphrase");
close(tty);
if (errno)
fatal("could not read passphrase from /dev/tty");
}
}
#elif defined(_WIN32)
#include <windows.h>
static void
get_passphrase(char *buf, size_t len, char *prompt)
{
DWORD orig;
HANDLE in = GetStdHandle(STD_INPUT_HANDLE);
if (!GetConsoleMode(in, &orig)) {
get_passphrase_dumb(buf, len, prompt);
} else {
size_t passlen;
SetConsoleMode(in, orig & ~ENABLE_ECHO_INPUT);
fputs(prompt, stderr);
if (!fgets(buf, len, stdin))
fatal("could not read passphrase");
fputc('\n', stderr);
passlen = strlen(buf);
if (buf[passlen - 1] < ' ')
buf[passlen - 1] = 0;
}
}
#else
static void
get_passphrase(char *buf, size_t len, char *prompt)
{
get_passphrase_dumb(buf, len, prompt);
}
#endif
/**
* Create/truncate a file with paranoid permissions using OS calls.
*/
static FILE *secure_creat(const char *file);
#if defined(__unix__) || defined(__APPLE__)
#include <unistd.h>
static FILE *
secure_creat(const char *file)
{
int fd = open(file, O_CREAT | O_WRONLY, 00600);
if (fd == -1)
return 0;
return fdopen(fd, "wb");
}
#else
static FILE *
secure_creat(const char *file)
{
return fopen(file, "wb");
}
#endif
/**
* Initialize a SHA-256 context for HMAC-SHA256.
* All message data will go into the resulting context.
*/
static void
hmac_init(SHA256_CTX *ctx, const uint8_t *key)
{
int i;
uint8_t pad[SHA256_BLOCK_SIZE];
sha256_init(ctx);
for (i = 0; i < SHA256_BLOCK_SIZE; i++)
pad[i] = key[i] ^ 0x36U;
sha256_update(ctx, pad, sizeof(pad));
}
/**
* Compute the final HMAC-SHA256 MAC.
* The key must be the same as used for initialization.
*/
static void
hmac_final(SHA256_CTX *ctx, const uint8_t *key, uint8_t *hash)
{
int i;
uint8_t pad[SHA256_BLOCK_SIZE];
sha256_final(ctx, hash);
sha256_init(ctx);
for (i = 0; i < SHA256_BLOCK_SIZE; i++)
pad[i] = key[i] ^ 0x5cU;
sha256_update(ctx, pad, sizeof(pad));
sha256_update(ctx, hash, SHA256_BLOCK_SIZE);
sha256_final(ctx, hash);
}
/**
* Derive a 32-byte key from null-terminated passphrase into buf.
* Optionally provide an 8-byte salt.
*/
static void
key_derive(const char *passphrase, uint8_t *buf, int iexp, const uint8_t *salt)
{
uint8_t salt32[SHA256_BLOCK_SIZE] = {0};
SHA256_CTX ctx[1];
unsigned long i;
unsigned long memlen = 1UL << iexp;
unsigned long mask = memlen - 1;
unsigned long iterations = 1UL << (iexp - 5);
uint8_t *memory, *memptr, *p;
memory = malloc(memlen + SHA256_BLOCK_SIZE);
if (!memory)
fatal("not enough memory for key derivation");
if (salt)
memcpy(salt32, salt, 8);
hmac_init(ctx, salt32);
sha256_update(ctx, (uint8_t *)passphrase, strlen(passphrase));
hmac_final(ctx, salt32, memory);
for (p = memory + SHA256_BLOCK_SIZE;
p < memory + memlen + SHA256_BLOCK_SIZE;
p += SHA256_BLOCK_SIZE) {
sha256_init(ctx);
sha256_update(ctx, p - SHA256_BLOCK_SIZE, SHA256_BLOCK_SIZE);
sha256_final(ctx, p);
}
memptr = memory + memlen - SHA256_BLOCK_SIZE;
for (i = 0; i < iterations; i++) {
unsigned long offset;
sha256_init(ctx);
sha256_update(ctx, memptr, SHA256_BLOCK_SIZE);
sha256_final(ctx, memptr);
offset = ((unsigned long)memptr[3] << 24 |
(unsigned long)memptr[2] << 16 |
(unsigned long)memptr[1] << 8 |
(unsigned long)memptr[0] << 0);
memptr = memory + (offset & mask);
}
memcpy(buf, memptr, SHA256_BLOCK_SIZE);
free(memory);
}
/**
* Get secure entropy suitable for key generation from OS.
* Abort the program if the entropy could not be retrieved.
*/
static void secure_entropy(void *buf, size_t len);
#if defined(__unix__) || defined(__APPLE__)
static void
secure_entropy(void *buf, size_t len)
{
FILE *r = fopen("/dev/urandom", "rb");
if (!r)
fatal("failed to open %s", "/dev/urandom");
if (!fread(buf, len, 1, r))
fatal("failed to gather entropy");
fclose(r);
}
#elif defined(_WIN32)
#include <windows.h>
static void
secure_entropy(void *buf, size_t len)
{
HCRYPTPROV h = 0;
DWORD type = PROV_RSA_FULL;
DWORD flags = CRYPT_VERIFYCONTEXT | CRYPT_SILENT;
if (!CryptAcquireContext(&h, 0, 0, type, flags) ||
!CryptGenRandom(h, len, buf))
fatal("failed to gather entropy");
CryptReleaseContext(h, 0);
}
#endif
/**
* Generate a brand new Curve25519 secret key from system entropy.
*/
static void
generate_secret(uint8_t *s)
{
secure_entropy(s, 32);
s[0] &= 248;
s[31] &= 127;
s[31] |= 64;
}
/**
* Generate a Curve25519 public key from a secret key.
*/
static void
compute_public(uint8_t *p, const uint8_t *s)
{
static const uint8_t b[32] = {9};
curve25519_donna(p, s, b);
}
/**
* Compute a shared secret from our secret key and their public key.
*/
static void
compute_shared(uint8_t *sh, const uint8_t *s, const uint8_t *p)
{
curve25519_donna(sh, s, p);
}
/**
* Encrypt from file to file using key/iv, aborting on any error.
*/
static void
symmetric_encrypt(FILE *in, FILE *out, const uint8_t *key, const uint8_t *iv)
{
static uint8_t buffer[2][CHACHA_BLOCKLENGTH * 1024];
uint8_t mac[SHA256_BLOCK_SIZE];
SHA256_CTX hmac[1];
chacha_ctx ctx[1];
chacha_keysetup(ctx, key, 256);
chacha_ivsetup(ctx, iv);
hmac_init(hmac, key);
for (;;) {
size_t z = fread(buffer[0], 1, sizeof(buffer[0]), in);
if (!z) {
if (ferror(in))
fatal("error reading plaintext file");
break;
}
sha256_update(hmac, buffer[0], z);
chacha_encrypt(ctx, buffer[0], buffer[1], z);
if (!fwrite(buffer[1], z, 1, out))
fatal("error writing ciphertext file");
if (z < sizeof(buffer[0]))
break;
}
hmac_final(hmac, key, mac);
if (!fwrite(mac, sizeof(mac), 1, out))
fatal("error writing checksum to ciphertext file");
if (fflush(out))
fatal("error flushing to ciphertext file -- %s", strerror(errno));
}
/**
* Decrypt from file to file using key/iv, aborting on any error.
*/
static void
symmetric_decrypt(FILE *in, FILE *out, const uint8_t *key, const uint8_t *iv)
{
static uint8_t buffer[2][CHACHA_BLOCKLENGTH * 1024 + SHA256_BLOCK_SIZE];
uint8_t mac[SHA256_BLOCK_SIZE];
SHA256_CTX hmac[1];
chacha_ctx ctx[1];
chacha_keysetup(ctx, key, 256);
chacha_ivsetup(ctx, iv);
hmac_init(hmac, key);
/* Always keep SHA256_BLOCK_SIZE bytes in the buffer. */
if (!(fread(buffer[0], SHA256_BLOCK_SIZE, 1, in))) {
if (ferror(in))
fatal("cannot read ciphertext file");
else
fatal("ciphertext file too short");
}
for (;;) {
uint8_t *p = buffer[0] + SHA256_BLOCK_SIZE;
size_t z = fread(p, 1, sizeof(buffer[0]) - SHA256_BLOCK_SIZE, in);
if (!z) {
if (ferror(in))
fatal("error reading ciphertext file");
break;
}
chacha_encrypt(ctx, buffer[0], buffer[1], z);
sha256_update(hmac, buffer[1], z);
if (!fwrite(buffer[1], z, 1, out))
fatal("error writing plaintext file");
/* Move last SHA256_BLOCK_SIZE bytes to the front. */
memmove(buffer[0], buffer[0] + z, SHA256_BLOCK_SIZE);
if (z < sizeof(buffer[0]) - SHA256_BLOCK_SIZE)
break;
}
hmac_final(hmac, key, mac);
if (memcmp(buffer[0], mac, sizeof(mac)) != 0)
fatal("checksum mismatch!");
if (fflush(out))
fatal("error flushing to plaintext file -- %s", strerror(errno));
}
/**
* Return the default public key file.
*/
static char *
default_pubfile(void)
{
return storage_directory("enchive.pub");
}
/**
* Return the default secret key file.
*/
static char *
default_secfile(void)
{
return storage_directory("enchive.sec");
}
/**
* Dump the public key to a file, aborting on error.
*/
static void
write_pubkey(char *file, uint8_t *key)
{
FILE *f = fopen(file, "wb");
if (!f)
fatal("failed to open key file for writing '%s' -- %s",
file, strerror(errno));
cleanup_register(f, file);
if (!fwrite(key, 32, 1, f))
fatal("failed to write key file '%s'", file);
cleanup_closed(f);
if (fclose(f))
fatal("failed to flush key file '%s' -- %s", file, strerror(errno));
}
/* Layout of secret key file */
#define SECFILE_IV 0
#define SECFILE_ITERATIONS 8
#define SECFILE_VERSION 9
#define SECFILE_PROTECT_HASH 12
#define SECFILE_SECKEY 32
/**
* Write the secret key to a file, encrypting it if necessary.
*/
static void
write_seckey(char *file, const uint8_t *seckey, int iexp)
{
FILE *secfile;
chacha_ctx cha[1];
SHA256_CTX sha[1];
uint8_t buf[8 + 1 + 3 + 20 + 32] = {0}; /* entire file contents */
uint8_t protect[32];
uint8_t *buf_iv = buf + SECFILE_IV;
uint8_t *buf_iterations = buf + SECFILE_ITERATIONS;
uint8_t *buf_version = buf + SECFILE_VERSION;
uint8_t *buf_protect_hash = buf + SECFILE_PROTECT_HASH;
uint8_t *buf_seckey = buf + SECFILE_SECKEY;
buf_version[0] = ENCHIVE_FORMAT_VERSION;
if (iexp) {
/* Prompt for a passphrase. */
char pass[2][ENCHIVE_PASSPHRASE_MAX];
get_passphrase(pass[0], sizeof(pass[0]),
"protection passphrase (empty for none): ");
if (!pass[0][0]) {
/* Nevermind. */
iexp = 0;
} else {
get_passphrase(pass[1], sizeof(pass[0]),
"protection passphrase (repeat): ");
if (strcmp(pass[0], pass[1]) != 0)
fatal("protection passphrases don't match");
/* Generate an IV to double as salt. */
secure_entropy(buf_iv, 8);
key_derive(pass[0], protect, iexp, buf_iv);
buf_iterations[0] = iexp;
sha256_init(sha);
sha256_update(sha, protect, sizeof(protect));
sha256_final(sha, buf_protect_hash);
}
}
if (iexp) {
/* Encrypt using key derived from passphrase. */
chacha_keysetup(cha, protect, 256);
chacha_ivsetup(cha, buf_iv);
chacha_encrypt(cha, seckey, buf_seckey, 32);
} else {
/* Copy key to output buffer. */
memcpy(buf_seckey, seckey, 32);
}
secfile = secure_creat(file);
if (!secfile)
fatal("failed to open key file for writing '%s'", file);
cleanup_register(secfile, file);
if (!fwrite(buf, sizeof(buf), 1, secfile))
fatal("failed to write key file '%s'", file);
cleanup_closed(secfile);
if (fclose(secfile))
fatal("failed to flush key file '%s' -- %s", file, strerror(errno));
}
/**
* Load the public key from the file.
*/
static void
load_pubkey(const char *file, uint8_t *key)
{
FILE *f = fopen(file, "rb");
if (!f)
fatal("failed to open key file for reading '%s' -- %s",
file, strerror(errno));
if (!fread(key, 32, 1, f))
fatal("failed to read key file '%s'", file);
fclose(f);
}
/**
* Attempt to load and decrypt the secret key stored in a file.
*
* If the key is encrypted, attempt to query a key agent. If that
* fails (no agent, bad key) prompt the user for a passphrase. If that
* fails (wrong passphrase), abort the program.
*
* If "global_agent_timeout" is non-zero, start a key agent if
* necessary.
*/
static void
load_seckey(const char *file, uint8_t *seckey)
{
FILE *secfile;
chacha_ctx cha[1];
SHA256_CTX sha[1];
uint8_t buf[8 + 4 + 20 + 32]; /* entire key file contents */
uint8_t protect[32]; /* protection key */
uint8_t protect_hash[SHA256_BLOCK_SIZE]; /* hash of protection key */
int iexp;
int version;
uint8_t *buf_iv = buf + SECFILE_IV;
uint8_t *buf_iterations = buf + SECFILE_ITERATIONS;
uint8_t *buf_version = buf + SECFILE_VERSION;
uint8_t *buf_protect_hash = buf + SECFILE_PROTECT_HASH;
uint8_t *buf_seckey = buf + SECFILE_SECKEY;
/* Read the entire file into buf. */
secfile = fopen(file, "rb");
if (!secfile)
fatal("failed to open key file for reading '%s' -- %s",
file, strerror(errno));
if (!fread(buf, sizeof(buf), 1, secfile))
fatal("failed to read key file -- %s", file);
fclose(secfile);
version = buf_version[0];
if (version != ENCHIVE_FORMAT_VERSION)
fatal("secret key version mismatch -- expected %d, got %d",
ENCHIVE_FORMAT_VERSION, version);
iexp = buf_iterations[0];
if (iexp) {
/* Secret key is encrypted. */
int agent_success = agent_read(protect, buf_iv);
if (agent_success) {
/* Check validity of agent key. */
sha256_init(sha);
sha256_update(sha, protect, 32);
sha256_final(sha, protect_hash);
agent_success = !memcmp(protect_hash, buf_protect_hash, 20);
}
if (!agent_success) {
/* Ask user for passphrase. */
char pass[ENCHIVE_PASSPHRASE_MAX];
get_passphrase(pass, sizeof(pass), "passphrase: ");
key_derive(pass, protect, iexp, buf_iv);
/* Validate passphrase. */
sha256_init(sha);
sha256_update(sha, protect, sizeof(protect));
sha256_final(sha, protect_hash);
if (memcmp(protect_hash, buf_protect_hash, 20) != 0)
fatal("wrong passphrase");
}
/* We have the correct protection key. Start the agent? */
if (!agent_success && global_agent_timeout)
agent_run(protect, buf_iv);
/* Decrypt the key into the output. */
chacha_keysetup(cha, protect, 256);
chacha_ivsetup(cha, buf_iv);
chacha_encrypt(cha, buf_seckey, seckey, 32);
} else {
/* Key is unencrypted, copy into output. */
memcpy(seckey, buf_seckey, 32);
}
}
/**
* Return 1 if file exists, or 0 if it doesn't.
*/
static int
file_exists(char *filename)
{
FILE *f = fopen(filename, "r");
if (f) {
fclose(f);
return 1;
}
return 0;
}
/**
* Print a nice fingerprint of a key.
*/
static void
print_fingerprint(const uint8_t *key)
{
int i;
uint8_t hash[32];
SHA256_CTX sha[1];
sha256_init(sha);
sha256_update(sha, key, 32);
sha256_final(sha, hash);
for (i = 0; i < 16; i += 4) {
unsigned long chunk =
((unsigned long)hash[i + 0] << 24) |
((unsigned long)hash[i + 1] << 16) |
((unsigned long)hash[i + 2] << 8) |
((unsigned long)hash[i + 3] << 0);
printf("%s%08lx", i ? "-" : "", chunk);
}
}
enum command {
COMMAND_UNKNOWN = -2,
COMMAND_AMBIGUOUS = -1,
COMMAND_KEYGEN,
COMMAND_FINGERPRINT,
COMMAND_ARCHIVE,
COMMAND_EXTRACT
};
static const char command_names[][12] = {
"keygen", "fingerprint", "archive", "extract"
};
/**
* Attempt to unambiguously parse the user's command into an enum.
*/
static enum command
parse_command(char *command)
{
int found = COMMAND_UNKNOWN;
size_t len = strlen(command);
int i;
for (i = 0; i < 5; i++) {
if (strncmp(command, command_names[i], len) == 0) {
if (found >= 0)
return COMMAND_AMBIGUOUS;
found = i;
}
}
return found;
}
static void
command_keygen(struct optparse *options)
{
static const struct optparse_long keygen[] = {
{"derive", 'd', OPTPARSE_OPTIONAL},
{"edit" , 'e', OPTPARSE_NONE},
{"force", 'f', OPTPARSE_NONE},
{"fingerprint", 'i', OPTPARSE_NONE},
{"iterations", 'k', OPTPARSE_REQUIRED},
{"plain", 'u', OPTPARSE_NONE},
{"repeats", 'r', OPTPARSE_REQUIRED},
{0, 0, 0}
};
char *pubfile = dupstr(global_pubkey);
char *secfile = dupstr(global_seckey);
int pubfile_exists;
int secfile_exists;
uint8_t public[32];
uint8_t secret[32];
int clobber = 0;
int derive = 0;
int edit = 0;
int protect = 1;
int fingerprint = 0;
int repeats = 1;
int key_derive_iterations = ENCHIVE_KEY_DERIVE_ITERATIONS;
int seckey_derive_iterations = ENCHIVE_SECKEY_DERIVE_ITERATIONS;
int option;
while ((option = optparse_long(options, keygen, 0)) != -1) {
switch (option) {
case 'd': {
char *p;
char *arg = options->optarg;
derive = 1;
if (arg) {
long n;
errno = 0;
n = strtol(arg, &p, 10);
if (errno || *p)
fatal("invalid argument -- %s", arg);
if (n < 5 || n > 31)
fatal("--derive argument must be 5 <= n <= 31 -- %s",
arg);
seckey_derive_iterations = n;
}
} break;
case 'e':
edit = 1;
break;
case 'f':
clobber = 1;
break;
case 'i':
fingerprint = 1;
break;
case 'k': {
char *p;
char *arg = options->optarg;
long n;
errno = 0;
n = strtol(arg, &p, 10);
if (errno || *p)
fatal("invalid argument -- %s", arg);
if (n < 5 || n > 31)
fatal("--iterations argument must be 5 <= n <= 31 -- %s",
arg);
key_derive_iterations = n;
} break;
case 'r': {
char *p;
char *arg = options->optarg;
long n;
errno = 0;
n = strtol(arg, &p, 10);
if (errno || *p || n < 0 || n >= 256)
fatal("invalid --repeats (-r) -- %s", arg);
repeats = n;
} break;
case 'u':
protect = 0;
break;
default:
fatal("%s", options->errmsg);
}
}
if (edit && derive)
fatal("--edit and --derive are mutually exclusive");
if (!pubfile)
pubfile = default_pubfile();
pubfile_exists = file_exists(pubfile);
if (!secfile)
secfile = default_secfile();
secfile_exists = file_exists(secfile);
if (!edit && !clobber) {
if (pubfile_exists)
fatal("operation would clobber %s", pubfile);
if (secfile_exists)
fatal("operation would clobber %s", secfile);
}
if (edit) {
if (!secfile_exists)
fatal("cannot edit non-existing file %s", secfile);
load_seckey(secfile, secret);
} else if (derive) {
/* Generate secret key from passphrase. */
char pass[2][ENCHIVE_PASSPHRASE_MAX];
get_passphrase(pass[0], sizeof(pass[0]),
"secret key passphrase: ");
while (repeats--) {
get_passphrase(pass[1], sizeof(pass[0]),
"secret key passphrase (repeat): ");
if (strcmp(pass[0], pass[1]) != 0)
fatal("secret key passphrases don't match");
}
key_derive(pass[0], secret, seckey_derive_iterations, 0);
secret[0] &= 248;
secret[31] &= 127;
secret[31] |= 64;
} else {
/* Generate secret key from entropy. */
generate_secret(secret);
}
compute_public(public, secret);
if (fingerprint) {
fputs("keyid: ", stdout);
print_fingerprint(public);
putchar('\n');
}
write_seckey(secfile, secret, protect ? key_derive_iterations : 0);
write_pubkey(pubfile, public);
}
static void
command_fingerprint(struct optparse *options)
{
static const struct optparse_long fingerprint[] = {
{0, 0, 0}
};
char *pubfile = dupstr(global_pubkey);
uint8_t public[32];
int option;
while ((option = optparse_long(options, fingerprint, 0)) != -1) {
switch (option) {
default:
fatal("%s", options->errmsg);
}
}
if (!pubfile)
pubfile = default_pubfile();
load_pubkey(pubfile, public);
free(pubfile);
print_fingerprint(public);
putchar('\n');
}
static void
command_archive(struct optparse *options)
{
static const struct optparse_long archive[] = {
{"delete", 'd', OPTPARSE_NONE},
{0, 0, 0}
};
/* Options */
char *infile;
char *outfile;
FILE *in = stdin;
FILE *out = stdout;
char *pubfile = dupstr(global_pubkey);
int delete = 0;
/* Workspace */
uint8_t public[32];
uint8_t esecret[32];
uint8_t epublic[32];
uint8_t shared[32];
uint8_t iv[SHA256_BLOCK_SIZE];
SHA256_CTX sha[1];
int option;
while ((option = optparse_long(options, archive, 0)) != -1) {
switch (option) {
case 'd':
delete = 1;
break;
default:
fatal("%s", options->errmsg);
}
}
if (!pubfile)
pubfile = default_pubfile();
load_pubkey(pubfile, public);
free(pubfile);
infile = optparse_arg(options);
if (infile) {
in = fopen(infile, "rb");
if (!in)
fatal("could not open input file '%s' -- %s",
infile, strerror(errno));
}
outfile = dupstr(optparse_arg(options));
if (!outfile && infile) {
/* Generate an output filename. */
outfile = joinstr(2, infile, enchive_suffix);
}
if (outfile) {
out = fopen(outfile, "wb");
if (!out)
fatal("could not open output file '%s' -- %s",
outfile, strerror(errno));
cleanup_register(out, outfile);
}
/* Generare ephemeral keypair. */
generate_secret(esecret);
compute_public(epublic, esecret);
/* Create shared secret between ephemeral key and master key. */
compute_shared(shared, esecret, public);
sha256_init(sha);
sha256_update(sha, shared, sizeof(shared));
sha256_final(sha, iv);
iv[0] += (unsigned)ENCHIVE_FORMAT_VERSION;
if (!fwrite(iv, 8, 1, out))
fatal("failed to write IV to archive");
if (!fwrite(epublic, sizeof(epublic), 1, out))
fatal("failed to write ephemeral key to archive");
symmetric_encrypt(in, out, shared, iv);
if (in != stdin)
fclose(in);
if (out != stdout) {
cleanup_closed(out);
fclose(out); /* already flushed */
}
if (delete && infile)
remove(infile);
}
static void
command_extract(struct optparse *options)
{
static const struct optparse_long extract[] = {
{"delete", 'd', OPTPARSE_NONE},
{0, 0, 0}
};
/* Options */
char *infile;
char *outfile;
FILE *in = stdin;
FILE *out = stdout;
char *secfile = dupstr(global_seckey);
int delete = 0;
/* Workspace */
SHA256_CTX sha[1];
uint8_t secret[32];
uint8_t epublic[32];
uint8_t shared[32];
uint8_t iv[8];
uint8_t check_iv[SHA256_BLOCK_SIZE];
int option;
while ((option = optparse_long(options, extract, 0)) != -1) {
switch (option) {
case 'd':
delete = 1;
break;
default:
fatal("%s", options->errmsg);
}
}
if (!secfile)
secfile = default_secfile();
load_seckey(secfile, secret);
free(secfile);
infile = optparse_arg(options);
if (infile) {
in = fopen(infile, "rb");
if (!in)
fatal("could not open input file '%s' -- %s",
infile, strerror(errno));
}
outfile = dupstr(optparse_arg(options));
if (!outfile && infile) {
/* Generate an output filename. */
size_t slen = sizeof(enchive_suffix) - 1;
size_t len = strlen(infile);
if (len <= slen || strcmp(enchive_suffix, infile + len - slen) != 0)
fatal("could not determine output filename from %s", infile);
outfile = dupstr(infile);
outfile[len - slen] = 0;
}
if (outfile) {
out = fopen(outfile, "wb");
if (!out)
fatal("could not open output file '%s' -- %s",
infile, strerror(errno));
cleanup_register(out, outfile);
}
if (!(fread(iv, sizeof(iv), 1, in)))
fatal("failed to read IV from archive");
if (!(fread(epublic, sizeof(epublic), 1, in)))
fatal("failed to read ephemeral key from archive");
compute_shared(shared, secret, epublic);
/* Validate key before processing the file. */
sha256_init(sha);
sha256_update(sha, shared, sizeof(shared));
sha256_final(sha, check_iv);
check_iv[0] += (unsigned)ENCHIVE_FORMAT_VERSION;
if (memcmp(iv, check_iv, sizeof(iv)) != 0)
fatal("invalid master key or format");
symmetric_decrypt(in, out, shared, iv);
if (in != stdin)
fclose(in);
if (out != stdout) {
cleanup_closed(out);
fclose(out); /* already flushed */
}
if (delete && infile)
remove(infile);
}
/**
* Write a NULL-terminated array of strings with a newline after each.
*/
static void
multiputs(const char **s, FILE *f)
{
while (*s) {
fputs(*s++, f);
fputc('\n', f);
}
}
static void
print_usage(FILE *f)
{
multiputs(docs_usage, f);
}
static void
print_version(void)
{
puts("enchive " STR(ENCHIVE_VERSION));
}
int
main(int argc, char **argv)
{
static const struct optparse_long global[] = {
#if ENCHIVE_OPTION_AGENT
{"agent", 'a', OPTPARSE_OPTIONAL},
{"no-agent", 'A', OPTPARSE_NONE},
#endif
{"pinentry", 'e', OPTPARSE_OPTIONAL},
{"pubkey", 'p', OPTPARSE_REQUIRED},
{"seckey", 's', OPTPARSE_REQUIRED},
{"version", 'V', OPTPARSE_NONE},
{"help", 'h', OPTPARSE_NONE},
{0, 0, 0}
};
int option;
char *command;
struct optparse options[1];
optparse_init(options, argv);
options->permute = 0;
(void)argc;
while ((option = optparse_long(options, global, 0)) != -1) {
switch (option) {
#if ENCHIVE_OPTION_AGENT
case 'a':
if (options->optarg) {
char *arg = options->optarg;
char *endptr;
errno = 0;
global_agent_timeout = strtol(arg, &endptr, 10);
if (*endptr || errno)
fatal("invalid --agent argument -- %s", arg);
} else
global_agent_timeout = ENCHIVE_AGENT_TIMEOUT;
break;
case 'A':
global_agent_timeout = 0;
break;
#endif
case 'e':
if (options->optarg)
pinentry_path = options->optarg;
else
pinentry_path = STR(ENCHIVE_PINENTRY_DEFAULT);
break;
case 'p':
global_pubkey = options->optarg;
break;
case 's':
global_seckey = options->optarg;
break;
case 'h':
print_usage(stdout);
exit(EXIT_SUCCESS);
break;
case 'V':
print_version();
exit(EXIT_SUCCESS);
break;
default:
fatal("%s", options->errmsg);
}
}
command = optparse_arg(options);
options->permute = 1;
if (!command) {
fprintf(stderr, "enchive: missing command\n");
print_usage(stderr);
exit(EXIT_FAILURE);
}
switch (parse_command(command)) {
case COMMAND_UNKNOWN:
case COMMAND_AMBIGUOUS:
fprintf(stderr, "enchive: unknown command, %s\n", command);
print_usage(stderr);
exit(EXIT_FAILURE);
break;
case COMMAND_KEYGEN:
command_keygen(options);
break;
case COMMAND_FINGERPRINT:
command_fingerprint(options);
break;
case COMMAND_ARCHIVE:
command_archive(options);
break;
case COMMAND_EXTRACT:
command_extract(options);
break;
}
cleanup_free();
return 0;
}
Reference in New Issue View Git Blame Copy Permalink