Refuse to re-use keys

author Scott Worley <scottworley@scottworley.com>

Mon, 23 Oct 2017 03:37:11 +0000 (20:37 -0700)

committer Scott Worley <scottworley@scottworley.com>

Mon, 23 Oct 2017 03:41:52 +0000 (20:41 -0700)
author Scott Worley <scottworley@scottworley.com>
Mon, 23 Oct 2017 03:37:11 +0000 (20:37 -0700)
committer Scott Worley <scottworley@scottworley.com>
Mon, 23 Oct 2017 03:41:52 +0000 (20:41 -0700)
diff --git a/overonion b/overonion

index cb663fe62fe6424d76e4896990f9721e55d70e81..5eb26b68f42c23335cb2ef6dfa9690a3452973ff 100755 (executable)
--- a/overonion
+++ b/overonion
@@ -29,14 +29,22 @@ if (( num_layers < 20 ));then
    die "Keyfile doesn't have enough layers to be an onion"
  fi
  
    die "Keyfile doesn't have enough layers to be an onion"
  fi
  
+hash_fields=$(awk '/^openssl-dgst / { print NF }' "$keyfile" | uniq )
+
  if [[ "$mode" == e ]];then
    first_layer=$num_layers
    next_layer=-1
    openssl_decrypt=""
  if [[ "$mode" == e ]];then
    first_layer=$num_layers
    next_layer=-1
    openssl_decrypt=""
+  if [[ "$hash_fields" != 4 ]];then
+    die "Refusing to encrypt with already-used key"
+  fi
  else
    first_layer=1
    next_layer=1
    openssl_decrypt="-d"
  else
    first_layer=1
    next_layer=1
    openssl_decrypt="-d"
+  if [[ "$hash_fields" != 5 ]];then
+    die "Key does not appear to have been used for encryption (it has no embedded hashes).  Refusing to decrypt."
+  fi
  fi
  
  function go() {
  fi
  
  function go() {
author	Scott Worley <scottworley@scottworley.com>
	Mon, 23 Oct 2017 03:37:11 +0000 (20:37 -0700)
committer	Scott Worley <scottworley@scottworley.com>
	Mon, 23 Oct 2017 03:41:52 +0000 (20:41 -0700)