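#!/bin/bash
# overonion: apply (e) or strip (d) the layered transformations listed in a
# keyfile, one line per layer, to a stream read from stdin and written to stdout.

# Files created below (the digest scratch dir, the rewritten keyfile) contain
# keyfile material, so restrict them to the owner before anything is created.
umask 077

# Scratch directory for per-layer digest results, one file per keyfile line.
# die is defined later in the file, so the failure is reported inline here.
hash_dir=$(mktemp -d) || { printf 'Cannot create temporary directory\n' >&2; exit 1; }
# Remove it on every exit path of the main shell (including an early die) so
# no digest or keyfile material is left behind in the temp location.
trap 'rm -rf -- "${hash_dir:?}"' EXIT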
6
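function die() {
  # Print the message to stderr and abort the script with status 1.
  # printf rather than echo: a message beginning with "-n" or "-e" would
  # otherwise be consumed as an echo option and never shown.
  printf '%s\n' "$*" >&2
  exit 1
}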
11
# Arguments: mode (e = encrypt, d = decrypt) and the keyfile path. Only the
# keyfile's existence and readability are checked here; its contents are
# examined once the layer count is known.
(( $# == 2 )) || die "usage: overonion e|d keyfile"
mode=$1
case "$mode" in
  e|d) ;;
  *) die "Use 'e' for encrypt or 'd' for decrypt" ;;
esac
keyfile=$2
[[ -e "$keyfile" ]] || die "Keyfile not found"
[[ -r "$keyfile" ]] || die "Cannot read keyfile"
26
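# One keyfile line per layer. Count records with awk rather than `wc -l`:
# wc counts newline characters, so a final line without a trailing newline
# would be missing from num_layers and that layer silently never applied.
num_layers=$(awk 'END { print NR }' "$keyfile")
if (( num_layers < 20 )); then
  die "Keyfile doesn't have enough layers to be an onion"
fi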
31
# Direction of the walk through the keyfile. Encryption starts at the last
# line and works towards line 1, so the line-1 layer is applied last and ends
# up outermost; decryption walks the other way and passes -d to each
# openssl enc invocation.
case "$mode" in
  e)
    first_layer=$num_layers
    next_layer=-1
    openssl_decrypt=""
    ;;
  *)
    first_layer=1
    next_layer=1
    openssl_decrypt="-d"
    ;;
esac
41
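#######################################
# Apply keyfile layer $1 to stdin and pipe the result into the next layer.
# Globals:   num_layers, keyfile, next_layer, openssl_decrypt, hash_dir (read)
# Arguments: $1 - keyfile line number of the layer to apply
# Outputs:   the transformed stream on stdout; for openssl-dgst layers also
#            "<keyfile line> <digest-b64>" in $hash_dir/$1
# Returns:   0 if every stage of the chain succeeded, else the first non-zero
#            stage status
#######################################
function go() {
  local layer=$1
  local operation
  # Past either end of the keyfile there is nothing left to apply: pass the
  # stream through unchanged. This is the base case of the recursion below.
  if (( layer == 0 || layer > num_layers )); then
    cat
    return
  fi
  # The first space-separated field of keyfile line $layer names the operation.
  operation=$(sed -n "${layer}{;s/ .*//;p;}" "$keyfile")
  if [[ "$operation" == openssl-enc ]]; then
    # Line format: "openssl-enc <cipher> <passphrase...>". The passphrase is
    # handed to openssl on fd 37 instead of the command line, so it is not
    # visible in the process list or in command tracing.
    # shellcheck disable=SC2086  # $openssl_decrypt is deliberately "" or "-d"
    openssl enc $openssl_decrypt "-$(sed -rn "${layer}s/[^ ]+ ([^ ]+) .*/\\1/p" "$keyfile")" \
      -pass fd:37 37< <(sed -rn "${layer}s/^[^ ]+ [^ ]+ //p" "$keyfile")
  elif [[ "$operation" == reverse ]]; then
    # Presumably an external command; it is not defined in this script.
    reverse
  elif [[ "$operation" == openssl-dgst ]]; then
    # Line format: "openssl-dgst <digest> <prefix-b64> <suffix-b64> [<stored-digest>]".
    # The stream itself passes through untouched; a copy is digested as
    # prefix || stream || suffix and "<keyfile line> <digest-b64>" is written
    # to $hash_dir/$layer for the loop after the pipeline to record (encrypt)
    # or verify (decrypt).
    # NOTE(review): bash may not wait for this process substitution before
    # the pipeline returns, so the result file can still be missing when go
    # returns to the caller.
    tee >(echo "$(sed -n "${layer}p" "$keyfile") $(
      {
        awk -vlayer="$layer" 'NR == layer { print $3 }' "$keyfile" | base64 -d
        cat
        awk -vlayer="$layer" 'NR == layer { print $4 }' "$keyfile" | base64 -d
      } |
      openssl dgst -binary "-$(sed -rn "${layer}s/^[^ ]+ ([^ ]+).*/\\1/p" "$keyfile")" |
      base64 --wrap=0)" > "$hash_dir/$layer")
  else
    die "Unknown operation"
  fi | go $(( layer + next_layer ))
  # Every stage above runs in a subshell: a failing openssl, or the die in the
  # unknown-operation branch, does not stop the pipeline by itself and, with
  # no pipefail, its status would be replaced by that of the innermost cat.
  # Inspect each stage so the failure propagates to the top-level caller.
  local -a stage_status=("${PIPESTATUS[@]}")
  local rc
  for rc in "${stage_status[@]}"; do
    (( rc == 0 )) || return "$rc"
  done
  return 0
}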
68
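# Run the layer chain once over stdin -> stdout. Abort if it reports a
# failure instead of letting a partially processed stream pass as success.
go "$first_layer" || die "Layer processing failed"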
70
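# Collect the openssl-dgst layers from the keyfile up front (before encrypt
# mode starts rewriting it) and require a result file for each one. Driving
# the loop from the keyfile instead of the $hash_dir glob means a digest that
# was never produced fails closed instead of being skipped, and an unmatched
# glob cannot leave the literal "*" behind — which, in encrypt mode, made sed
# fail on the "*" address and then shredded the only copy of the keyfile.
# The single-space field split mirrors the `s/ .*//` go uses to read the
# operation name.
mapfile -t dgst_layers < <(awk -F'[ ]' '$1 == "openssl-dgst" { print NR }' "$keyfile")
for layer in "${dgst_layers[@]}"; do
  hash_result="$hash_dir/$layer"
  # go writes this file from a process substitution; if it is absent the
  # digest never completed (or has not completed yet). Do not proceed.
  [[ -s "$hash_result" ]] || die "No digest result for layer $layer"
  if [[ "$mode" == e ]]; then
    # Record the digest: replace keyfile line $layer with the result file's
    # contents (the original line followed by the base64 digest). The
    # original is moved aside and only shredded once the rewrite succeeded;
    # on failure it is put back so a sed error cannot destroy the keyfile.
    # sed treats "," "&" and "\" specially in the replacement; base64 output
    # contains none of them, but the copied keyfile line is inserted verbatim.
    key_aside_dir=$(mktemp -d "$keyfile.XXXXXXXXXX") || die "Cannot create temp dir for keyfile"
    key_aside="$key_aside_dir/key.orig"
    mv -- "$keyfile" "$key_aside"
    if ! sed "${layer}s,.*,$(< "$hash_result")," "$key_aside" > "$keyfile"; then
      mv -- "$key_aside" "$keyfile"
      rmdir -- "$key_aside_dir"
      die "Failed to record hash for layer $layer"
    fi
    shred -u -- "$key_aside"
    rmdir -- "$key_aside_dir"
  else
    # Field 5 is the digest stored in the keyfile, field 6 the one computed
    # from the stream. Requiring NF >= 6 means a line with neither (keyfile
    # line never hashed and the digest step failed) cannot pass as two equal
    # empty strings. By this point the decrypted stream has already been
    # written to stdout, so callers must check the exit status rather than
    # trust output they have received.
    if [[ "$(awk 'NF >= 6 && $5 == $6 { print "hash ok" }' "$hash_result")" != "hash ok" ]]; then
      die "Hash check $layer failed"
    fi
  fi
done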
88
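# The digest result files hold keyfile material; remove them. The :? guard
# refuses to run rm against an empty path if hash_dir was never set.
rm -r -- "${hash_dir:?}"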