X-Git-Url: https://git.distorted.org.uk/u/mdw/catacomb/blobdiff_plain/946c3f725423fb5b822d809f1befb8c361ac2625..7d5a856ef5b3f27ffa8a5c0765f6677313e90ab4:/catcrypt.c

diff --git a/catcrypt.c b/catcrypt.c
index fdb8473..a1e3495 100644
--- a/catcrypt.c
+++ b/catcrypt.c
@@ -7,7 +7,7 @@
  * (c) 2004 Straylight/Edgeware
  */
 
-/*----- Licensing notice --------------------------------------------------* 
+/*----- Licensing notice --------------------------------------------------*
  *
  * This file is part of Catacomb.
  *
@@ -15,12 +15,12 @@
  * it under the terms of the GNU Library General Public License as
  * published by the Free Software Foundation; either version 2 of the
  * License, or (at your option) any later version.
- * 
+ *
  * Catacomb is distributed in the hope that it will be useful,
  * but WITHOUT ANY WARRANTY; without even the implied warranty of
  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  * GNU Library General Public License for more details.
- * 
+ *
  * You should have received a copy of the GNU Library General Public
  * License along with Catacomb; if not, write to the Free
  * Software Foundation, Inc., 59 Temple Place - Suite 330, Boston,
@@ -53,8 +53,6 @@
 #include "ectab.h"
 #include "ptab.h"
 
-/*----- Utilities ---------------------------------------------------------*/
-
 /*----- Static variables --------------------------------------------------*/
 
 static const char *keyring = "keyring";
@@ -75,12 +73,13 @@ static const char *keyring = "keyring";
  * MGF (or similar) to make a symmetric encryption and MAC key.
  *
  * If the message is signed, there comes a signature chunk.  The signature is
- * on the further output of the MGF.  This means that the recipient can
- * modify the message and still have a valid signature, so it's not useful
- * for proving things to other people; but it also means that the recipient
- * knows that the message is from someone who knows the hash, which limits
- * the possiblities to (a) whoever encrypted the message (good!) and (b)
- * whoever knows the recipient's private key.
+ * on the header and key-encapsulation chunks, and further output of the MGF.
+ * This means that the recipient can modify the message and still have a
+ * valid signature, so it's not useful for proving things to other people;
+ * but it also means that the recipient knows that the message is from
+ * someone who knows the hash, which limits the possiblities to (a) whoever
+ * encrypted the message (good!) and (b) whoever knows the recipient's
+ * private key.
  *
  * Then come message chunks.  Each one begins with a MAC over an implicit
  * sequence number and the ciphertext.  The final chunk's ciphertext is
@@ -139,7 +138,7 @@ static int encrypt(int argc, char *argv[])
   octet *tag, *ct;
   buf b;
   size_t seq;
-  char bb[16384];
+  char bb[65536];
   unsigned f = 0;
   key_file kf;
   key *k;
@@ -161,8 +160,8 @@ static int encrypt(int argc, char *argv[])
       { "sign-key",	OPTF_ARGREQ,	0,	's' },
       { "armour",	0,		0,	'a' },
       { "armor",	0,		0,	'a' },
-      { "format", 	OPTF_ARGREQ,	0,	'f' },
-      { "output", 	OPTF_ARGREQ,	0,	'o' },
+      { "format",	OPTF_ARGREQ,	0,	'f' },
+      { "output",	OPTF_ARGREQ,	0,	'o' },
       { "nocheck",	0,		0,	'C' },
       { 0,		0,		0,	0 }
     };
@@ -231,6 +230,7 @@ static int encrypt(int argc, char *argv[])
   buf_putu32(&b, k->id);
   if (sk) buf_putu32(&b, sk->id);
   assert(BOK(&b));
+  if (s) GH_HASHBUF16(s->h, BBASE(&b), BLEN(&b));
   chunk_write(e, &b);
 
   /* --- Build the KEM chunk --- */
@@ -240,6 +240,7 @@ static int encrypt(int argc, char *argv[])
     die(EXIT_FAILURE, "failed to encapsulate key");
   buf_init(&b, d.buf, d.len);
   BSTEP(&b, d.len);
+  if (s) GH_HASHBUF16(s->h, BBASE(&b), BLEN(&b));
   chunk_write(e, &b);
 
   /* --- Write the signature chunk --- */
@@ -253,7 +254,7 @@ static int encrypt(int argc, char *argv[])
     buf_init(&b, d.buf, d.len);
     BSTEP(&b, d.len);
     chunk_write(e, &b);
-  }  
+  }
 
   /* --- Now do the main crypto --- */
 
@@ -351,8 +352,8 @@ static int decrypt(int argc, char *argv[])
       { "verbose",	0,		0,	'v' },
       { "quiet",	0,		0,	'q' },
       { "nocheck",	0,		0,	'C' },
-      { "format", 	OPTF_ARGREQ,	0,	'f' },
-      { "output", 	OPTF_ARGREQ,	0,	'o' },
+      { "format",	OPTF_ARGREQ,	0,	'f' },
+      { "output",	OPTF_ARGREQ,	0,	'o' },
       { 0,		0,		0,	0 }
     };
     i = mdwopt(argc, argv, "abf:o:qvC", opt, 0, 0, 0);
@@ -415,6 +416,15 @@ static int decrypt(int argc, char *argv[])
     if (verb) printf("FAIL malformed header: junk at end\n");
     exit(EXIT_FAILURE);
   }
+  if (sk) {
+    s = getsig(sk, "ccsig", 0);
+    if (!(f & f_nocheck) && verb && (err = s->ops->check(s)) != 0) {
+      dstr_reset(&d);
+      key_fulltag(sk, &d);
+      printf("WARN verification key %s fails check: %s\n", d.buf, err);
+    }
+    GH_HASHBUF16(s->h, BBASE(&b), BSZ(&b));
+  }
 
   /* --- Find the key --- */
 
@@ -427,15 +437,11 @@ static int decrypt(int argc, char *argv[])
     if (verb) printf("FAIL failed to decapsulate key\n");
     exit(EXIT_FAILURE);
   }
+  if (s) GH_HASHBUF16(s->h, d.buf, d.len);
 
   /* --- Verify the signature, if there is one --- */
 
   if (sk) {
-    s = getsig(sk, "ccsig", 0);
-    dstr_reset(&d);
-    key_fulltag(sk, &d);
-    if (!(f & f_nocheck) && verb && (err = s->ops->check(s)) != 0)
-      printf("WARN verification key %s fails check: %s\n", d.buf, err);
     dstr_reset(&d);
     dstr_ensure(&d, 1024);
     GC_ENCRYPT(cx, 0, d.buf, 1024);
@@ -524,7 +530,7 @@ static int decrypt(int argc, char *argv[])
       die(EXIT_FAILURE, "error unbuffering output: %s", strerror(errno));
   }
   if (ofp && (fflush(ofp) || ferror(ofp) || fclose(ofp)))
-      die(EXIT_FAILURE, "error writing output: %s", strerror(errno));    
+      die(EXIT_FAILURE, "error writing output: %s", strerror(errno));
 
   e->ops->decdone(e);
   if (verb && ofp != stdout)