X-Git-Url: https://git.distorted.org.uk/u/mdw/catacomb/blobdiff_plain/213e565ffaaa420441d7a8d25f995358c5f9f30f..f52f2db067dc1388b16ab00ddb53e26a381a6e3e:/catcrypt.c

diff --git a/catcrypt.c b/catcrypt.c
index bbe4660..6e4f245 100644
--- a/catcrypt.c
+++ b/catcrypt.c
@@ -7,7 +7,7 @@
  * (c) 2004 Straylight/Edgeware
  */
 
-/*----- Licensing notice --------------------------------------------------* 
+/*----- Licensing notice --------------------------------------------------*
  *
  * This file is part of Catacomb.
  *
@@ -15,12 +15,12 @@
  * it under the terms of the GNU Library General Public License as
  * published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * 
+ *
  * Catacomb is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU Library General Public License for more details.
- * 
+ *
  * You should have received a copy of the GNU Library General Public
  * License along with Catacomb; if not, write to the Free
  * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
@@ -53,8 +53,6 @@
 #include "ectab.h"
 #include "ptab.h"
 
-/*----- Utilities ---------------------------------------------------------*/
-
 /*----- Static variables --------------------------------------------------*/
 
 static const char *keyring = "keyring";
@@ -75,12 +73,13 @@ static const char *keyring = "keyring";
  * MGF (or similar) to make a symmetric encryption and MAC key.
  *
  * If the message is signed, there comes a signature chunk.  The signature is
- * on the further output of the MGF.  This means that the recipient can
- * modify the message and still have a valid signature, so it's not useful
- * for proving things to other people; but it also means that the recipient
- * knows that the message is from someone who knows the hash, which limits
- * the possiblities to (a) whoever encrypted the message (good!) and (b)
- * whoever knows the recipient's private key.
+ * on the header and key-encapsulation chunks, and further output of the MGF.
+ * This means that the recipient can modify the message and still have a
+ * valid signature, so it's not useful for proving things to other people;
+ * but it also means that the recipient knows that the message is from
+ * someone who knows the hash, which limits the possiblities to (a) whoever
+ * encrypted the message (good!) and (b) whoever knows the recipient's
+ * private key.
  *
  * Then come message chunks.  Each one begins with a MAC over an implicit
  * sequence number and the ciphertext.  The final chunk's ciphertext is
@@ -134,12 +133,12 @@ static int encrypt(int argc, char *argv[])
   const char *err;
   int i;
   int en;
-  size_t n;
+  size_t n, chsz;
   dstr d = DSTR_INIT;
   octet *tag, *ct;
   buf b;
   size_t seq;
-  char bb[16384];
+  char bb[65536];
   unsigned f = 0;
   key_file kf;
   key *k;
@@ -153,6 +152,7 @@ static int encrypt(int argc, char *argv[])
   enc *e;
 
 #define f_bogus 1u
+#define f_nocheck 2u
 
   for (;;) {
     static const struct option opt[] = {
@@ -160,11 +160,12 @@ static int encrypt(int argc, char *argv[])
       { "sign-key",	OPTF_ARGREQ,	0,	's' },
       { "armour",	0,		0,	'a' },
       { "armor",	0,		0,	'a' },
-      { "format", 	OPTF_ARGREQ,	0,	'f' },
-      { "output", 	OPTF_ARGREQ,	0,	'o' },
+      { "format",	OPTF_ARGREQ,	0,	'f' },
+      { "output",	OPTF_ARGREQ,	0,	'o' },
+      { "nocheck",	0,		0,	'C' },
       { 0,		0,		0,	0 }
     };
-    i = mdwopt(argc, argv, "k:s:af:o:", opt, 0, 0, 0);
+    i = mdwopt(argc, argv, "k:s:af:o:C", opt, 0, 0, 0);
     if (i < 0) break;
     switch (i) {
       case 'k': kn = optarg; break;
@@ -172,6 +173,7 @@ static int encrypt(int argc, char *argv[])
       case 'a': ef = "pem"; break;
       case 'f': ef = optarg; break;
       case 'o': of = optarg; break;
+      case 'C': f |= f_nocheck; break;
       default: f |= f_bogus; break;
     }
   }
@@ -210,7 +212,7 @@ static int encrypt(int argc, char *argv[])
   key_fulltag(k, &d);
   e = initenc(eo, ofp, "CATCRYPT ENCRYPTED MESSAGE");
   km = getkem(k, "cckem", 0);
-  if ((err = km->ops->check(km)) != 0)
+  if (!(f & f_nocheck) && (err = km->ops->check(km)) != 0)
     moan("key %s fails check: %s", d.buf, err);
   if (sk) {
     dstr_reset(&d);
@@ -228,6 +230,7 @@ static int encrypt(int argc, char *argv[])
   buf_putu32(&b, k->id);
   if (sk) buf_putu32(&b, sk->id);
   assert(BOK(&b));
+  if (s) GH_HASHBUF16(s->h, BBASE(&b), BLEN(&b));
   chunk_write(e, &b);
 
   /* --- Build the KEM chunk --- */
@@ -237,6 +240,7 @@ static int encrypt(int argc, char *argv[])
     die(EXIT_FAILURE, "failed to encapsulate key");
   buf_init(&b, d.buf, d.len);
   BSTEP(&b, d.len);
+  if (s) GH_HASHBUF16(s->h, BBASE(&b), BLEN(&b));
   chunk_write(e, &b);
 
   /* --- Write the signature chunk --- */
@@ -250,13 +254,14 @@ static int encrypt(int argc, char *argv[])
     buf_init(&b, d.buf, d.len);
     BSTEP(&b, d.len);
     chunk_write(e, &b);
-  }  
+  }
 
   /* --- Now do the main crypto --- */
 
   assert(GC_CLASS(c)->blksz <= sizeof(bb));
   dstr_ensure(&d, sizeof(bb) + GM_CLASS(m)->hashsz);
   seq = 0;
+  chsz = MASK16 - GM_CLASS(m)->hashsz;
   for (;;) {
     h = GM_INIT(m);
     GH_HASHU32(h, seq);
@@ -265,7 +270,7 @@ static int encrypt(int argc, char *argv[])
       GC_ENCRYPT(cx, 0, bb, GC_CLASS(c)->blksz);
       GC_SETIV(c, bb);
     }
-    n = fread(bb, 1, sizeof(bb), fp);
+    n = fread(bb, 1, chsz, fp);
     if (!n) break;
     buf_init(&b, d.buf, d.sz);
     tag = buf_get(&b, GM_CLASS(m)->hashsz);
@@ -303,6 +308,7 @@ static int encrypt(int argc, char *argv[])
   return (0);
 
 #undef f_bogus
+#undef f_nocheck
 }
 
 /*---- Decryption ---------------------------------------------------------*/
@@ -337,6 +343,7 @@ static int decrypt(int argc, char *argv[])
 
 #define f_bogus 1u
 #define f_buffer 2u
+#define f_nocheck 4u
 
   for (;;) {
     static const struct option opt[] = {
@@ -345,17 +352,19 @@ static int decrypt(int argc, char *argv[])
       { "buffer",	0,		0,	'b' },
       { "verbose",	0,		0,	'v' },
       { "quiet",	0,		0,	'q' },
-      { "format", 	OPTF_ARGREQ,	0,	'f' },
-      { "output", 	OPTF_ARGREQ,	0,	'o' },
+      { "nocheck",	0,		0,	'C' },
+      { "format",	OPTF_ARGREQ,	0,	'f' },
+      { "output",	OPTF_ARGREQ,	0,	'o' },
       { 0,		0,		0,	0 }
     };
-    i = mdwopt(argc, argv, "abf:o:qv", opt, 0, 0, 0);
+    i = mdwopt(argc, argv, "abf:o:qvC", opt, 0, 0, 0);
     if (i < 0) break;
     switch (i) {
       case 'a': ef = "pem"; break;
       case 'b': f |= f_buffer; break;
       case 'v': verb++; break;
       case 'q': if (verb) verb--; break;
+      case 'C': f |= f_nocheck; break;
       case 'f': ef = optarg; break;
       case 'o': of = optarg; break;
       default: f |= f_bogus; break;
@@ -408,6 +417,15 @@ static int decrypt(int argc, char *argv[])
     if (verb) printf("FAIL malformed header: junk at end\n");
     exit(EXIT_FAILURE);
   }
+  if (sk) {
+    s = getsig(sk, "ccsig", 0);
+    if (!(f & f_nocheck) && verb && (err = s->ops->check(s)) != 0) {
+      dstr_reset(&d);
+      key_fulltag(sk, &d);
+      printf("WARN verification key %s fails check: %s\n", d.buf, err);
+    }
+    GH_HASHBUF16(s->h, BBASE(&b), BSZ(&b));
+  }
 
   /* --- Find the key --- */
 
@@ -420,15 +438,11 @@ static int decrypt(int argc, char *argv[])
     if (verb) printf("FAIL failed to decapsulate key\n");
     exit(EXIT_FAILURE);
   }
+  if (s) GH_HASHBUF16(s->h, d.buf, d.len);
 
   /* --- Verify the signature, if there is one --- */
 
   if (sk) {
-    s = getsig(sk, "ccsig", 0);
-    dstr_reset(&d);
-    key_fulltag(sk, &d);
-    if (verb && (err = s->ops->check(s)) != 0)
-      printf("WARN verification key %s fails check: %s\n", d.buf, err);
     dstr_reset(&d);
     dstr_ensure(&d, 1024);
     GC_ENCRYPT(cx, 0, d.buf, 1024);
@@ -517,7 +531,7 @@ static int decrypt(int argc, char *argv[])
       die(EXIT_FAILURE, "error unbuffering output: %s", strerror(errno));
   }
   if (ofp && (fflush(ofp) || ferror(ofp) || fclose(ofp)))
-      die(EXIT_FAILURE, "error writing output: %s", strerror(errno));    
+      die(EXIT_FAILURE, "error writing output: %s", strerror(errno));
 
   e->ops->decdone(e);
   if (verb && ofp != stdout)
@@ -535,6 +549,7 @@ static int decrypt(int argc, char *argv[])
 
 #undef f_bogus
 #undef f_buffer
+#undef f_nocheck
 }
 
 /*----- Main code ---------------------------------------------------------*/
@@ -570,7 +585,7 @@ static cmd cmdtab[] = {
   CMD_ENCODE,
   CMD_DECODE,
   { "encrypt", encrypt,
-    "encrypt [-a] [-k TAG] [-s TAG] [-f FORMAT]\n\t\
+    "encrypt [-aC] [-k TAG] [-s TAG] [-f FORMAT]\n\t\
 [-o OUTPUT] [FILE]", "\
 Options:\n\
 \n\
@@ -579,9 +594,10 @@ Options:\n\
 -k, --key=TAG		Use public encryption key named by TAG.\n\
 -s, --sign-key=TAG	Use private signature key named by TAG.\n\
 -o, --output=FILE	Write output to FILE.\n\
+-C, --nocheck		Don't check the public key.\n\
 " },
   { "decrypt", decrypt,
-    "decrypt [-abqv] [-f FORMAT] [-o OUTPUT] [FILE]", "\
+    "decrypt [-abqvC] [-f FORMAT] [-o OUTPUT] [FILE]", "\
 Options:\n\
 \n\
 -a, --armour		Same as `-f pem'.\n\
@@ -590,6 +606,7 @@ Options:\n\
 -o, --output=FILE	Write output to FILE.\n\
 -q, --quiet		Produce fewer messages.\n\
 -v, --verbose		Produce more verbose messages.\n\
+-C, --nocheck		Don't check the private key.\n\
 " }, /* ' emacs is confused */
   { 0, 0, 0 }
 };