util: Check-in [218f1d20c2]

Overview

Comment:	FUCK THIS SHIT
Downloads:	Tarball \| ZIP archive \| SQL archive
Timelines:	family \| ancestors \| descendants \| both \| trunk
Files:	files \| file ages \| folders
SHA3-256:	218f1d20c2db9fe7af57802555e16f8eefe813d879e0acbd734ef2b9bf682cab
User & Date:	lexi on 2019-08-15 11:24:16
Other Links:	manifest \| tags

Context

2019-08-15
12:31		my monster liiiiives check-in: 5089ec59d3 user: lexi tags: trunk
11:24		FUCK THIS SHIT check-in: 218f1d20c2 user: lexi tags: trunk
08:34		updates check-in: c2ffe127f3 user: lexi tags: trunk

Changes

Hide Diffs Side-by-Side Diffs Ignore Whitespace Patch

Modified kpw.d/db.md from [f52a921e08] to [5982f7fb3c].

     8      8    4. encrypt(private key, password salt) [for pw verification]
     9      9    5. record *
    10     10   
    11     11   each record takes the form of
    12     12   
    13     13    1. account name length (1 byte)
    14     14    2. account name
    15         - 3. password length (4 bytes)
           15  + 3. password length (1 byte)
    16     16    4. password
    17     17   
    18     18   records are added simply by encrypting them with the public key and appending them to the end of the file. thus, adding a new password does not require the decryption password.

Modified 340 341 342 343 344 345 346 347 348 349 350 351 352 ...... 455 456 457 458 459 460 461 462 463 464 465 466 467 468 469 470 471 472 473 474 475 476 477 478 479 480 481 482 483 484 485 ...... 505 506 507 508 509 510 511 512 513 514 515 516 517 518 ...... 520 521 522 523 524 525 526 527 528 529 530 531 532 533 534 535 536 537 538 539 540 541 542 543 544 545 546 547 548 549 550 551 552 ...... 555 556 557 558 559 560 561 562 563 564 565 566 567 568 569 570 571 572 573 574 575 576 577 578 579 580 581 582 583 584 585 fo?name=kpw.d/kpw.c&m=22f71ce9d069b50b&ci=218f1d20c2db9fe7">kpw.d/kpw.c t/f4297483eaf51125">[f4297483ea] 22f71ce9d069b50b">[22f71ce9d0]. class="diffln"> 339 339 } else { 340 printf("path is %s", dbpath); 341 db = open(dbpath, flags, 0600); 342 } 343 344 return db; 345 } 346 + 347 +void bytedump(uint8_t* bytes, size_t sz) { 348 + for (size_t i = 0; i < sz; ++i) { 349 + char tpl[] ="\x1b[35m \x1b[m"; 350 + char* c = tpl + 5; 351 + *c = bytes[i]; 352 + if (*c < ' ' || *c > '~') *c='.', write(2, tpl, sz(tpl)); 353 + else write(2, c, 1); 354 + } 355 +} 356 +void hexdump(uint8_t* bytes, size_t sz) { 357 + if(!_g_debug_msgs) return; 358 + alert(a_debug, "printing hex dump"); 359 + uint8_t* st = bytes; 360 + for (size_t i = 0; i < sz; ++i) { 361 + char hex[5] = " "; 362 + kitoa(16, bytes[i], hex, hex + 2, NULL, true); 363 + write(2, hex, 4); 364 + if(!((i+1)%8)) { 365 + write(2, _str("│ ")); 366 + bytedump(st, 8); 367 + write(2, "\n", 1); 368 + st += 8; 369 + } else if (i == sz - 1) { 370 + write(2, _str("│ ")); 371 + bytedump(st, (bytes + sz) - st); 372 + write(2, "\n", 1); 373 + } 374 + } 375 +} 376 377 int 378 kpw(int argc, const char** argv) { 379 if (argc == 0) return bad_insane; 380 _g_binary_name = argv[0]; 381 382 enum genmode .......................................................................... class="diffln"> 454 484 alert(a_debug, "converting length parameter to integer"); 485 bad e = katoi(10, prm, &len); 486 if (e != ok) return bad_num; 487 } else alert(a_debug, "using default password length"), 488 len = default_pw_len; 489 490 alert(a_debug, "generating new password"); - mkpw(mode, pw, len); 491 + if (mkpw(mode, pw, len) == bad_entropy) return bad_entropy; 492 if (print || !tty_out) { 493 write(1, pw, len); 494 if(tty_out) write(1, "\n", 1); 495 } 496 pwlen = len; 497 } 498 if (copy_pw) copy(pw, pwlen); - alert(a_debug, "enciphering password"); 499 + alert(a_debug, "encoding database entry"); 500 + uint8_t acctlen = strlen(acct); 501 + uint8_t plaintext[1 + acctlen + 502 + 1 + pwlen]; 503 + plaintext[0] = acctlen; 504 + strncpy(plaintext + 1, acct, acctlen); 505 + plaintext[1 + acctlen] = pwlen; 506 + strncpy(plaintext + acctlen + 2, pw, pwlen); 507 + hexdump(plaintext, sz(plaintext)); 508 509 + alert(a_debug, "enciphering database entry"); 510 + 511 + uint8_t ciphertext[sz(plaintext) + crypto_box_SEALBYTES]; 512 + crypto_box_seal(ciphertext, plaintext, sz(plaintext), key); 513 + hexdump(ciphertext, sz(ciphertext)); 514 + 515 + alert(a_debug, "writing ciphertext to db"); 516 + uint8_t ciphertext_len = sz(ciphertext); 517 + write(db, &ciphertext_len, 1); 518 + write(db, &ciphertext, ciphertext_len); 519 + 520 + close(db); 521 break; 522 } 523 524 case delpw:{ /* kpw -d <acct> */ 525 break; 526 } 527 528 case lspw: { /* kpw -t[p] [<prefix>] */ 529 + alert(a_debug, "opening database for reading"); 530 + int db = dbopen(O_RDONLY); 531 + if (db == -1) return bad_db_load; 532 + password dbpw; size_t pwlen; 533 + bad e = pwread(!print, dbpw, &pwlen,_str("database key: ")); 534 + 535 + uint8_t salt [crypto_pwhash_SALTBYTES], 536 + key [db_privkey_len], 537 + priv_enc [db_privkey_len], 538 + priv [db_privkey_len], 539 + pub [db_pubkey_len]; 540 + uint8_t salt_enc [crypto_box_SEALBYTES + sz(salt)], 541 + salt_dec [sz(salt)]; 542 + bzero(salt_dec, sz(salt_dec)); 543 + 544 + alert(a_debug, "loading public key"); 545 + ssize_t sr = read(db, pub, sz(pub)); 546 + if (sr != sz(pub)) return bad_db_corrupt; 547 + hexdump(pub, sz(pub)); 548 + 549 + alert(a_debug, "loading password salt"); 550 + sr = read(db, salt, sz(salt)); 551 + if (sr != sz(salt)) return bad_db_corrupt; 552 + hexdump(salt, sz(salt)); 553 + 554 + alert(a_debug, "deriving secret"); 555 + if(crypto_pwhash(key, sz(key), dbpw, pwlen, salt, 556 + crypto_pwhash_OPSLIMIT_INTERACTIVE, 557 + crypto_pwhash_MEMLIMIT_INTERACTIVE, 558 + crypto_pwhash_ALG_DEFAULT) != 0) { 559 + return bad_mem; 560 + } 561 + hexdump(key, sz(key)); 562 + 563 + alert(a_debug, "loading encrypted private key"); 564 + read(db, priv_enc, sz(priv_enc)); 565 + hexdump(priv_enc, sz(priv_enc)); 566 + 567 + alert(a_debug, "decrypting private key"); 568 + for (size_t i = 0; i < sz(key); ++i) { 569 + priv[i] = priv_enc[i] ^ key[i]; 570 + } 571 + hexdump(priv, sz(priv)); 572 + 573 + alert(a_debug, "loading verification hash"); 574 + read(db, salt_enc, sz(salt_enc)); 575 + hexdump(salt_enc, sz(salt_enc)); 576 + 577 + alert(a_debug, "decrypting verification hash"); 578 + hexdump(pub, sz(pub)); 579 + hexdump(priv, sz(priv)); 580 + printf("sz salt_enc = %zu\n / crypto_box bytes = %zu", sz(salt_enc), crypto_box_SEALBYTES); 581 + int r = crypto_box_seal_open(salt_dec, salt_enc, 582 + sz(salt_enc), pub, priv); 583 + printf("result code: %d\n",r); 584 + hexdump(salt_dec, sz(salt_dec)); 585 break; 586 } 587 588 case createdb: { /* kpw -C [<db>] */ 589 alert(a_debug, "creating new database"); 590 if (clobber) 591 alert(a_warn, "will clobber any existing database"); .......................................................................... class="diffln"> 504 610 * prompt the user for a secret passphrase with 611 * which to encrypt the private key with. 612 */ 613 614 alert(a_notice, "database keypair generated, encrypting"); 615 password dbpw; 616 size_t pwlen; - bad e = pwread(!print, dbpw, &pwlen, _str("- database passphrase: ")); 617 + bad e = pwread(!print, dbpw, &pwlen, _str("- new database key: ")); 618 if (e != ok) return e; 619 if (!print && isatty(0)) { 620 password dbpw_conf; 621 e = pwread(!print, dbpw_conf, NULL, _str("- confirm: ")); 622 if (e != ok) return e; 623 624 if(strcmp(dbpw,dbpw_conf) != 0) .......................................................................... class="diffln"> 519 625 return bad_pw_match; 626 } 627 628 uint8_t salt[crypto_pwhash_SALTBYTES], 629 key[db_privkey_len]; 630 uint8_t salt_enc[crypto_box_SEALBYTES + sz(salt)]; 631 632 + alert(a_debug, "generating salt"); 633 if (syscall(SYS_getrandom, salt, sz(salt), 0) == -1) 634 return bad_entropy; 635 + hexdump(salt, sz(salt)); 636 637 + alert(a_debug, "hashing database keyphrase"); 638 if(crypto_pwhash(key, sz(key), dbpw, pwlen, salt, 639 crypto_pwhash_OPSLIMIT_INTERACTIVE, 640 crypto_pwhash_MEMLIMIT_INTERACTIVE, 641 crypto_pwhash_ALG_DEFAULT) != 0) { 642 return bad_mem; 643 } 644 645 + alert(a_debug, "encrypting private key"); 646 + hexdump(priv, sz(priv)); 647 for (size_t i = 0; i < sz(key); ++i) { 648 priv_enc[i] = priv[i] ^ key[i]; 649 } 650 + alert(a_debug, "private key encrypted"); 651 + hexdump(priv_enc, sz(priv_enc)); 652 653 + alert(a_debug, "encrypting salt"); 654 crypto_box_seal(salt_enc, salt, sz(salt), priv); 655 + hexdump(salt_enc, sz(salt_enc)); 656 657 /* we have everything we need. now we create the 658 * file, failing if it already exists so as not 659 * to clobber anyone's passwords. 660 */ 661 + alert(a_debug, "creating new database on disk"); 662 int db; 663 const int flags = O_CREAT | O_WRONLY | 664 (clobber ? O_TRUNC : O_EXCL); 665 if(param == 0) 666 db = dbopen(flags); 667 else if (param == 1) 668 db = open(params[0], flags, 0600); .......................................................................... class="diffln"> 554 670 671 if (db == -1) return bad_db_create; 672 673 /* the file is safely created; all that's left to 674 * do is write out the header and then we can call 675 * it a day. 676 */ 677 + alert(a_debug, "writing public key"); 678 + hexdump(pub, sz(pub)); 679 + 680 write(db, pub, sz(pub)); 681 write(db, salt, sz(salt)); 682 write(db, priv_enc, sz(priv_enc)); 683 write(db, salt_enc, sz(salt_enc)); 684 close(db); 685 686 alert(a_debug, "database created"); 687 break; 688 } 689 } 690 - - - /* char buf[len+1]; */ - /* *buf = 0; */ - /* mkpw(mode,buf,len); */ - /* write(1, buf, len + 1); */ - 691 # ifdef _CLIPBOARD 692 if (copy_pw) { 693 /* copy(buf,len); */ 694 } 695 # endif 696 697 return ok;

util Check-in [218f1d20c2]