From 4c2e9bc99e3d371bcc04674a5015cd208d41dda3 Mon Sep 17 00:00:00 2001
From: Scott Worley
Date: Sun, 22 Oct 2017 20:37:11 -0700
Subject: [PATCH] Refuse to re-use keys

---
 overonion | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/overonion b/overonion
index cb663fe..5eb26b6 100755
--- a/overonion
+++ b/overonion
@@ -29,14 +29,22 @@ if (( num_layers < 20 ));then
 die "Keyfile doesn't have enough layers to be an onion"
 fi

+hash_fields=$(awk '/^openssl-dgst / { print NF }' "$keyfile" | uniq )
+
 if [[ "$mode" == e ]];then
 first_layer=$num_layers
 next_layer=-1
 openssl_decrypt=""
+ if [[ "$hash_fields" != 4 ]];then
+ die "Refusing to encrypt with already-used key"
+ fi
 else
 first_layer=1
 next_layer=1
 openssl_decrypt="-d"
+ if [[ "$hash_fields" != 5 ]];then
+ die "Key does not appear to have been used for encryption (it has no embedded hashes). Refusing to decrypt."
+ fi
 fi

 function go() {
--
2.44.1
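Review bot: The two new guards treat every value other than exactly `4` or `5` as a verdict on key use, so a keyfile with no `openssl-dgst` lines (empty `hash_fields`) or with mixed field counts (a multi-line `uniq` result) is reported as "already-used" on encrypt and as "no embedded hashes" on decrypt. Both cases fail closed, which is the right outcome, but the message hides a malformed or partially written keyfile; a shape check placed before the `if [[ "$mode" == e ]]` branch would separate them, e.g. `[[ "$hash_fields" == [45] ]] || die "Keyfile has missing or inconsistent openssl-dgst lines"`. A field count of 5 also only shows that a fifth column exists, not that it holds a valid digest, and the re-use guard depends on the digests being written back to this same keyfile; both presumably happen in `go()`, which starts on the last line of the hunk and continues outside it, so that is worth confirming. If the format is what the messages imply, a comment above `hash_fields=` such as `# NF is 4 on an unused key line and 5 once a digest is embedded` would document the magic numbers.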