[catacomb-python] / pwsafe

#! /usr/bin/python2.2
# -*-python-*-

import catacomb as C
import gdbm, struct
from sys import argv, exit, stdin, stdout, stderr
from getopt import getopt, GetoptError
from os import environ
from fnmatch import fnmatch

if 'PWSAFE' in environ:
  file = environ['PWSAFE']
else:
  file = '%s/.pwsafe' % environ['HOME']

class DecryptError (Exception):
  pass

class Crypto (object):
  def __init__(me, c, h, m, ck, mk):
    me.c = c(ck)
    me.m = m(mk)
    me.h = h
  def encrypt(me, pt):
    if me.c.__class__.blksz:
      iv = C.rand.block(me.c.__class__.blksz)
      me.c.setiv(iv)
    else:
      iv = ''
    y = iv + me.c.encrypt(pt)
    t = me.m().hash(y).done()
    return t + y
  def decrypt(me, ct):
    t = ct[:me.m.__class__.tagsz]
    y = ct[me.m.__class__.tagsz:]
    if t != me.m().hash(y).done():
      raise DecryptError
    iv = y[:me.c.__class__.blksz]
    if me.c.__class__.blksz: me.c.setiv(iv)
    return me.c.decrypt(y[me.c.__class__.blksz:])
  
class PPK (Crypto):
  def __init__(me, pp, c, h, m, salt = None):
    if not salt: salt = C.rand.block(h.hashsz)
    tag = '%s\0%s' % (pp, salt)
    Crypto.__init__(me, c, h, m,
                  h().hash('cipher:' + tag).done(),
                  h().hash('mac:' + tag).done())
    me.salt = salt

class Buffer (object):
  def __init__(me, s):
    me.str = s
    me.i = 0
  def get(me, n):
    i = me.i
    if n + i > len(me.str):
      raise IndexError, 'buffer underflow'
    me.i += n
    return me.str[i:i + n]
  def getbyte(me):
    return ord(me.get(1))
  def unpack(me, fmt):
    return struct.unpack(fmt, me.get(struct.calcsize(fmt)))
  def getstring(me):
    return me.get(me.unpack('>H')[0])
  def checkend(me):
    if me.i != len(me.str):
      raise ValueError, 'junk at end of buffer'

def wrapstr(s):
  return struct.pack('>H', len(s)) + s

class PWIter (object):
  def __init__(me, pw):
    me.pw = pw
    me.k = me.pw.db.firstkey()
  def next(me):
    k = me.k
    while True:
      if k is None:
        raise StopIteration
      if k[0] == '$':
        break
      k = me.pw.db.nextkey(k)
    me.k = me.pw.db.nextkey(k)
    return me.pw.unpack(me.pw.db[k])[0]
class PW (object):
  def __init__(me, file, mode = 'r'):
    me.db = gdbm.open(file, mode)
    c = C.gcciphers[me.db['cipher']]
    h = C.gchashes[me.db['hash']]
    m = C.gcmacs[me.db['mac']]
    tag = me.db['tag']
    ppk = PPK(C.ppread(tag), c, h, m, me.db['salt'])
    try:
      buf = Buffer(ppk.decrypt(me.db['key']))
    except DecryptError:
      C.ppcancel(tag)
      raise
    me.ck = buf.getstring()
    me.mk = buf.getstring()
    buf.checkend()
    me.k = Crypto(c, h, m, me.ck, me.mk)
    me.magic = me.k.decrypt(me.db['magic'])
  def keyxform(me, key):
    return '$' + me.k.h().hash(me.magic).hash(key).done()
  def changepp(me):
    tag = me.db['tag']
    C.ppcancel(tag)
    ppk = PPK(C.ppread(tag, C.PMODE_VERIFY),
              me.k.c.__class__, me.k.h, me.k.m.__class__)
    me.db['key'] = ppk.encrypt(wrapstr(me.ck) + wrapstr(me.mk))
    me.db['salt'] = ppk.salt
  def pack(me, key, value):
    w = wrapstr(key) + wrapstr(value)
    pl = (len(w) + 255) & ~255
    w += '\0' * (pl - len(w))
    return me.k.encrypt(w)
  def unpack(me, p):
    buf = Buffer(me.k.decrypt(p))
    key = buf.getstring()
    value = buf.getstring()
    return key, value
  def __getitem__(me, key):
    return me.unpack(me.db[me.keyxform(key)])[1]
  def __setitem__(me, key, value):
    me.db[me.keyxform(key)] = me.pack(key, value)
  def __delitem__(me, key):
    del me.db[me.keyxform(key)]
  def __iter__(me):
    return PWIter(me)

def cmd_create(av):
  cipher = 'blowfish-cbc'
  hash = 'rmd160'
  mac = None
  try:
    opts, args = getopt(av, 'c:h:m:', ['cipher=', 'mac=', 'hash='])
  except GetoptError:
    return 1
  for o, a in opts:
    if o in ('-c', '--cipher'):
      cipher = a
    elif o in ('-m', '--mac'):
      mac = a
    elif o in ('-h', '--hash'):
      hash = a
    else:
      raise 'Barf!'
  if len(args) > 2:
    return 1
  if len(args) >= 1:
    tag = args[0]
  else:
    tag = 'pwsafe'
  db = gdbm.open(file, 'n', 0600)
  pp = C.ppread(tag, C.PMODE_VERIFY)
  if not mac: mac = hash + '-hmac'
  c = C.gcciphers[cipher]
  h = C.gchashes[hash]
  m = C.gcmacs[mac]
  ppk = PPK(pp, c, h, m)
  ck = C.rand.block(c.keysz.default)
  mk = C.rand.block(m.keysz.default)
  k = Crypto(c, h, m, ck, mk)
  db['tag'] = tag
  db['salt'] = ppk.salt
  db['cipher'] = cipher
  db['hash'] = hash
  db['mac'] = mac
  db['key'] = ppk.encrypt(wrapstr(ck) + wrapstr(mk))
  db['magic'] = k.encrypt(C.rand.block(h.hashsz))

def cmd_changepp(av):
  if len(av) != 0:
    return 1
  pw = PW(file, 'w')
  pw.changepp()

def cmd_find(av):
  if len(av) != 1:
    return 1
  pw = PW(file)
  print pw[av[0]]

def cmd_store(av):
  if len(av) < 1 or len(av) > 2:
    return 1
  tag = av[0]
  if len(av) < 2:
    pp = C.getpass("Enter passphrase `%s': " % tag)
    vpp = C.getpass("Confirm passphrase `%s': " % tag)
    if pp != vpp:
      raise ValueError, "passphrases don't match"
  elif av[1] == '-':
    pp = stdin.readline()
  else:
    pp = av[1]
  pw = PW(file, 'w')
  pw[av[0]] = pp

def cmd_copy(av):
  if len(av) < 1 or len(av) > 2:
    return 1
  pw_in = PW(file)
  pw_out = PW(av[0], 'w')
  if len(av) >= 3:
    pat = av[1]
  else:
    pat = None
  for k in pw_in:
    if pat is None or fnmatch(k, pat):
      pw_out[k] = pw_in[k]

def cmd_list(av):
  if len(av) > 1:
    return 1
  pw = PW(file)
  if len(av) >= 1:
    pat = av[0]
  else:
    pat = None
  for k in pw:
    if pat is None or fnmatch(k, pat):
      print k

def cmd_topixie(av):
  if len(av) < 1 or len(av) > 2:
    return 1
  pw = PW(file)
  tag = av[0]
  if len(av) >= 2:
    pptag = av[1]
  else:
    pptag = av[0]
  C.Pixie().set(pptag, pw[tag])

def cmd_del(av):
  if len(av) != 1:
    return 1
  pw = PW(file, 'w')
  tag = av[0]
  del pw[tag]

def asciip(s):
  for ch in s:
    if ch < ' ' or ch > '~': return False
  return True
def present(s):
  if asciip(s): return s
  return C.ByteString(s)
def cmd_dump(av):
  db = gdbm.open(file, 'r')
  k = db.firstkey()
  while True:
    if k is None: break
    print '%r: %r' % (present(k), present(db[k]))
    k = db.nextkey(k)

commands = { 'create': [cmd_create,
                        '[-c CIPHER] [-h HASH] [-m MAC] [PP-TAG]'],
             'find' : [cmd_find, 'LABEL'],
             'store' : [cmd_store, 'LABEL [VALUE]'],
             'list' : [cmd_list, '[GLOB-PATTERN]'],
             'changepp' : [cmd_changepp, ''],
             'copy' : [cmd_copy, 'DEST-FILE [GLOB-PATTERN]'],
             'to-pixie' : [cmd_topixie, 'TAG [PIXIE-TAG]'],
             'delete' : [cmd_del, 'TAG'],
             'dump' : [cmd_dump, '']}

def version():
  print 'pwsafe 1.0.0'
def usage(fp):
  print >>fp, 'Usage: pwsafe COMMAND [ARGS...]'
def help():
  version()
  print
  usage(stdout)  
  print '''
Maintains passwords or other short secrets securely.

Options:

-h, --help		Show this help text.
-v, --version		Show program version number.
-u, --usage		Show short usage message.

Commands provided:
'''
  for c in commands:
    print '%s %s' % (c, commands[c][1])

try:
  opts, argv = getopt(argv[1:],
                      'hvuf:',
                      ['help', 'version', 'usage', 'file='])
except GetoptError:
  usage(stderr)
  exit(1)
for o, a in opts:
  if o in ('-h', '--help'):
    help()
    exit(0)
  elif o in ('-v', '--version'):
    version()
    exit(0)
  elif o in ('-u', '--usage'):
    usage(stdout)
    exit(0)
  elif o in ('-f', '--file'):
    file = a
  else:
    raise 'Barf!'
if len(argv) < 1:
  usage(stderr)
  exit(1)

if argv[0] in commands:
  c = argv[0]
  argv = argv[1:]
else:
  c = 'find'
if commands[c][0](argv):
  print >>stderr, 'Usage: pwsafe %s %s' % (c, commands[c][1])
  exit(1)
Commit	Line	Data
d7ab1bab	1	#! /usr/bin/python2.2
3aa33042	2	# --python--
d7ab1bab	3
	4	import catacomb as C
	5	import gdbm, struct
	6	from sys import argv, exit, stdin, stdout, stderr
	7	from getopt import getopt, GetoptError
	8	from os import environ
	9	from fnmatch import fnmatch
	10
3aa33042	11	if 'PWSAFE' in environ:
	12	file = environ['PWSAFE']
	13	else:
	14	file = '%s/.pwsafe' % environ['HOME']
d7ab1bab	15
	16	class DecryptError (Exception):
	17	pass
	18
	19	class Crypto (object):
	20	def __init__(me, c, h, m, ck, mk):
	21	me.c = c(ck)
	22	me.m = m(mk)
	23	me.h = h
	24	def encrypt(me, pt):
	25	if me.c.__class__.blksz:
	26	iv = C.rand.block(me.c.__class__.blksz)
	27	me.c.setiv(iv)
	28	else:
	29	iv = ''
	30	y = iv + me.c.encrypt(pt)
	31	t = me.m().hash(y).done()
	32	return t + y
	33	def decrypt(me, ct):
	34	t = ct[:me.m.__class__.tagsz]
	35	y = ct[me.m.__class__.tagsz:]
	36	if t != me.m().hash(y).done():
	37	raise DecryptError
	38	iv = y[:me.c.__class__.blksz]
	39	if me.c.__class__.blksz: me.c.setiv(iv)
	40	return me.c.decrypt(y[me.c.__class__.blksz:])
	41
	42	class PPK (Crypto):
	43	def __init__(me, pp, c, h, m, salt = None):
	44	if not salt: salt = C.rand.block(h.hashsz)
	45	tag = '%s\0%s' % (pp, salt)
	46	Crypto.__init__(me, c, h, m,
	47	h().hash('cipher:' + tag).done(),
	48	h().hash('mac:' + tag).done())
	49	me.salt = salt
	50
	51	class Buffer (object):
	52	def __init__(me, s):
	53	me.str = s
	54	me.i = 0
	55	def get(me, n):
	56	i = me.i
	57	if n + i > len(me.str):
	58	raise IndexError, 'buffer underflow'
	59	me.i += n
	60	return me.str[i:i + n]
	61	def getbyte(me):
	62	return ord(me.get(1))
	63	def unpack(me, fmt):
	64	return struct.unpack(fmt, me.get(struct.calcsize(fmt)))
	65	def getstring(me):
	66	return me.get(me.unpack('>H')[0])
	67	def checkend(me):
	68	if me.i != len(me.str):
	69	raise ValueError, 'junk at end of buffer'
	70
	71	def wrapstr(s):
	72	return struct.pack('>H', len(s)) + s
	73
	74	class PWIter (object):
	75	def __init__(me, pw):
	76	me.pw = pw
	77	me.k = me.pw.db.firstkey()
	78	def next(me):
79	k = me.k
80	while True:
81	if k is None:
82	raise StopIteration
83	if k[0] == '$':
84	break
85	k = me.pw.db.nextkey(k)
86	me.k = me.pw.db.nextkey(k)
87	return me.pw.unpack(me.pw.db[k])[0]
88	class PW (object):
89	def __init__(me, file, mode = 'r'):
90	me.db = gdbm.open(file, mode)
91	c = C.gcciphers[me.db['cipher']]
92	h = C.gchashes[me.db['hash']]
93	m = C.gcmacs[me.db['mac']]
94	tag = me.db['tag']
95	ppk = PPK(C.ppread(tag), c, h, m, me.db['salt'])
96	try:
97	buf = Buffer(ppk.decrypt(me.db['key']))
98	except DecryptError:
99	C.ppcancel(tag)
100	raise
101	me.ck = buf.getstring()
102	me.mk = buf.getstring()
103	buf.checkend()
104	me.k = Crypto(c, h, m, me.ck, me.mk)
105	me.magic = me.k.decrypt(me.db['magic'])
106	def keyxform(me, key):
107	return '$' + me.k.h().hash(me.magic).hash(key).done()
108	def changepp(me):
109	tag = me.db['tag']
110	C.ppcancel(tag)
111	ppk = PPK(C.ppread(tag, C.PMODE_VERIFY),
112	me.k.c.__class__, me.k.h, me.k.m.__class__)
113	me.db['key'] = ppk.encrypt(wrapstr(me.ck) + wrapstr(me.mk))
114	me.db['salt'] = ppk.salt
115	def pack(me, key, value):
116	w = wrapstr(key) + wrapstr(value)
117	pl = (len(w) + 255) & ~255
118	w += '\0' * (pl - len(w))
119	return me.k.encrypt(w)
120	def unpack(me, p):
121	buf = Buffer(me.k.decrypt(p))
122	key = buf.getstring()
123	value = buf.getstring()
124	return key, value
125	def __getitem__(me, key):
126	return me.unpack(me.db[me.keyxform(key)])[1]
127	def __setitem__(me, key, value):
128	me.db[me.keyxform(key)] = me.pack(key, value)
129	def __delitem__(me, key):
130	del me.db[me.keyxform(key)]
131	def __iter__(me):
132	return PWIter(me)
133
134	def cmd_create(av):
135	cipher = 'blowfish-cbc'
136	hash = 'rmd160'
137	mac = None
138	try:
139	opts, args = getopt(av, 'c:h:m:', ['cipher=', 'mac=', 'hash='])
140	except GetoptError:
141	return 1
142	for o, a in opts:
143	if o in ('-c', '--cipher'):
144	cipher = a
145	elif o in ('-m', '--mac'):
146	mac = a
147	elif o in ('-h', '--hash'):
148	hash = a
149	else:
150	raise 'Barf!'
151	if len(args) > 2:
152	return 1
153	if len(args) >= 1:
154	tag = args[0]
155	else:
156	tag = 'pwsafe'
157	db = gdbm.open(file, 'n', 0600)
158	pp = C.ppread(tag, C.PMODE_VERIFY)
159	if not mac: mac = hash + '-hmac'
160	c = C.gcciphers[cipher]
161	h = C.gchashes[hash]
162	m = C.gcmacs[mac]
163	ppk = PPK(pp, c, h, m)
164	ck = C.rand.block(c.keysz.default)
165	mk = C.rand.block(m.keysz.default)
166	k = Crypto(c, h, m, ck, mk)
167	db['tag'] = tag
168	db['salt'] = ppk.salt
169	db['cipher'] = cipher
170	db['hash'] = hash
171	db['mac'] = mac
172	db['key'] = ppk.encrypt(wrapstr(ck) + wrapstr(mk))
173	db['magic'] = k.encrypt(C.rand.block(h.hashsz))
174
175	def cmd_changepp(av):
176	if len(av) != 0:
177	return 1
178	pw = PW(file, 'w')
179	pw.changepp()
180
181	def cmd_find(av):
182	if len(av) != 1:
183	return 1
184	pw = PW(file)
185	print pw[av[0]]
186
187	def cmd_store(av):
188	if len(av) < 1 or len(av) > 2:
189	return 1
190	tag = av[0]
191	if len(av) < 2:
192	pp = C.getpass("Enter passphrase `%s': " % tag)
193	vpp = C.getpass("Confirm passphrase `%s': " % tag)
194	if pp != vpp:
195	raise ValueError, "passphrases don't match"
196	elif av[1] == '-':
197	pp = stdin.readline()
198	else:
199	pp = av[1]
200	pw = PW(file, 'w')
201	pw[av[0]] = pp
202
203	def cmd_copy(av):
204	if len(av) < 1 or len(av) > 2:
205	return 1
206	pw_in = PW(file)
207	pw_out = PW(av[0], 'w')
208	if len(av) >= 3:
209	pat = av[1]
210	else:
211	pat = None
212	for k in pw_in:
213	if pat is None or fnmatch(k, pat):
214	pw_out[k] = pw_in[k]
215
216	def cmd_list(av):
217	if len(av) > 1:
218	return 1
219	pw = PW(file)
220	if len(av) >= 1:
221	pat = av[0]
222	else:
223	pat = None
224	for k in pw:
225	if pat is None or fnmatch(k, pat):
226	print k
227
228	def cmd_topixie(av):
229	if len(av) < 1 or len(av) > 2:
230	return 1
231	pw = PW(file)
232	tag = av[0]
233	if len(av) >= 2:
234	pptag = av[1]
235	else:
236	pptag = av[0]
237	C.Pixie().set(pptag, pw[tag])
238
3aa33042	239	def cmd_del(av):
	240	if len(av) != 1:
	241	return 1
	242	pw = PW(file, 'w')
	243	tag = av[0]
	244	del pw[tag]
	245
d7ab1bab	246	def asciip(s):
	247	for ch in s:
	248	if ch < ' ' or ch > '~': return False
	249	return True
	250	def present(s):
	251	if asciip(s): return s
	252	return C.ByteString(s)
	253	def cmd_dump(av):
	254	db = gdbm.open(file, 'r')
	255	k = db.firstkey()
	256	while True:
	257	if k is None: break
	258	print '%r: %r' % (present(k), present(db[k]))
	259	k = db.nextkey(k)
	260
	261	commands = { 'create': [cmd_create,
	262	'[-c CIPHER] [-h HASH] [-m MAC] [PP-TAG]'],
	263	'find' : [cmd_find, 'LABEL'],
	264	'store' : [cmd_store, 'LABEL [VALUE]'],
	265	'list' : [cmd_list, '[GLOB-PATTERN]'],
	266	'changepp' : [cmd_changepp, ''],
	267	'copy' : [cmd_copy, 'DEST-FILE [GLOB-PATTERN]'],
	268	'to-pixie' : [cmd_topixie, 'TAG [PIXIE-TAG]'],
3aa33042	269	'delete' : [cmd_del, 'TAG'],
d7ab1bab	270	'dump' : [cmd_dump, '']}
	271
	272	def version():
	273	print 'pwsafe 1.0.0'
	274	def usage(fp):
	275	print >>fp, 'Usage: pwsafe COMMAND [ARGS...]'
	276	def help():
	277	version()
	278	print
	279	usage(stdout)
	280	print '''
	281	Maintains passwords or other short secrets securely.
	282
	283	Options:
	284
	285	-h, --help Show this help text.
	286	-v, --version Show program version number.
	287	-u, --usage Show short usage message.
	288
	289	Commands provided:
	290	'''
	291	for c in commands:
	292	print '%s %s' % (c, commands[c][1])
	293
	294	try:
	295	opts, argv = getopt(argv[1:],
	296	'hvuf:',
	297	['help', 'version', 'usage', 'file='])
	298	except GetoptError:
	299	usage(stderr)
	300	exit(1)
	301	for o, a in opts:
	302	if o in ('-h', '--help'):
	303	help()
	304	exit(0)
	305	elif o in ('-v', '--version'):
	306	version()
	307	exit(0)
	308	elif o in ('-u', '--usage'):
	309	usage(stdout)
	310	exit(0)
	311	elif o in ('-f', '--file'):
	312	file = a
	313	else:
	314	raise 'Barf!'
	315	if len(argv) < 1:
	316	usage(stderr)
	317	exit(1)
	318
	319	if argv[0] in commands:
	320	c = argv[0]
	321	argv = argv[1:]
	322	else:
	323	c = 'find'
	324	if commands[c][0](argv):
	325	print >>stderr, 'Usage: pwsafe %s %s' % (c, commands[c][1])
	326	exit(1)