Add hashing

diff --git a/overonion b/overonion
index c77ea94fbcfc699ca16bf789062a338c13decb21..cd397fa041c7bcfc649bc47cfcda584c70f546c0 100755 (executable)
--- a/overonion
+++ b/overonion
@@ -1,5 +1,10 @@
 #!/bin/bash
 
 #!/bin/bash
 

+umask 077
+
+hashes=(sha sha1 mdc2 ripemd160 sha224 sha256 sha384 sha512 md4 md5 dss1)
+hash_dir=$(mktemp -d)
+

 function die() {
   echo "$*" >&2
   exit 1
 function die() {
   echo "$*" >&2
   exit 1


@@ -35,6 +40,10 @@ else
   openssl_decrypt="-d"
 fi
 
   openssl_decrypt="-d"
 fi
 

+function verify_hash() {
+  (( $(wc -l < "$1") == 2 && $(uniq "$1" | wc -l) == 1 ))
+}
+

 function go() {
   layer=$1
   if (( layer == 0 || layer > num_layers ));then
 function go() {
   layer=$1
   if (( layer == 0 || layer > num_layers ));then


@@ -46,6 +55,12 @@ function go() {
               -pass fd:37 37< <(sed -rn "${layer}s/^[^ ]+ [^ ]+ //p" "$keyfile")
     elif [[ "$operation" == reverse ]];then
       reverse
               -pass fd:37 37< <(sed -rn "${layer}s/^[^ ]+ [^ ]+ //p" "$keyfile")
     elif [[ "$operation" == reverse ]];then
       reverse

+    elif [[ "$operation" == openssl-dgst ]];then
+      tee >(sed -rn "${layer}s/^[^ ]+ [^ ]+ //p" "$keyfile" > "$hash_dir/$layer"
+            openssl dgst -binary "-$(sed -rn "${layer}s/[^ ]+ ([^ ]+) .*/\\1/p" "$keyfile")" |
+              base64 --wrap=0 | sed 's/$/\n/' >> "$hash_dir/$layer"
+            # Dying here doesn't terminate the pipeline.  :(
+            verify_hash "$hash_dir/$layer" || die "Hash check $layer failed" )

     else
       die "Unknown operation"
     fi |
     else
       die "Unknown operation"
     fi |


@@ -53,4 +68,34 @@ function go() {
   fi
 }
 
   fi
 }
 

-go "$first_layer"
+function record_hashes() {
+  if [[ "$mode" == d ]] || (( $# < 2 ));then
+    cat
+  else
+    stage=$1
+    hash=$2
+    shift 2
+    tee >(openssl dgst -binary "-$hash" | base64 --wrap=0 |
+            sed "s/^/openssl-dgst $hash /;s/$/\n/" > "$hash_dir/$stage-$hash") |
+      record_hashes "$stage" "$@"
+  fi
+}
+
+record_hashes inner "${hashes[@]}" | go "$first_layer" | record_hashes outer "${hashes[@]}"
+
+if [[ "$mode" == e ]];then
+  # Add the hashes to keyfile
+  key_aside_dir=$(mktemp -d "$keyfile.XXXXXXXXXX")
+  key_aside="$key_aside_dir/key.orig"
+  mv "$keyfile" "$key_aside"
+  cat "$hash_dir"/outer-* "$key_aside" "$hash_dir"/inner* > "$keyfile"
+  shred -u "$key_aside"
+  rmdir "$key_aside_dir"
+else
+  # Verify the hashes
+  for hash_result in "$hash_dir"/*;do
+    verify_hash "$hash_result" || die "Hash check $(basename "$hash_result") failed"
+  done
+fi
+
+rm -r "$hash_dir"