From a4f749134de875d82a0ca5d8251968db429558d3 Mon Sep 17 00:00:00 2001
From: Scott Worley
Date: Sun, 22 Oct 2017 20:27:04 -0700
Subject: [PATCH] Use salted hashes
---
 overonion | 11 +++++++++--
 overonion-make-key | 8 +++++---
 2 files changed, 14 insertions(+), 5 deletions(-)
diff --git a/overonion b/overonion
index c54048a..cb663fe 100755
--- a/overonion
+++ b/overonion
@@ -51,7 +51,14 @@ function go() {
 elif [[ "$operation" == reverse ]];then
 reverse
 elif [[ "$operation" == openssl-dgst ]];then
- tee >(echo "$(sed -n "${layer}p" "$keyfile") $(openssl dgst -binary "-$(sed -rn "${layer}s/^[^ ]+ ([^ ]+).*/\\1/p" "$keyfile")" | base64 --wrap=0)" > "$hash_dir/$layer")
+ tee >(echo "$(sed -n "${layer}p" "$keyfile") $(
+ {
+ awk -vlayer="$layer" 'NR == layer { print $3 }' "$keyfile" | base64 -d
+ cat
+ awk -vlayer="$layer" 'NR == layer { print $4 }' "$keyfile" | base64 -d
+ } |
+ openssl dgst -binary "-$(sed -rn "${layer}s/^[^ ]+ ([^ ]+).*/\\1/p" "$keyfile")" |
+ base64 --wrap=0)" > "$hash_dir/$layer")
 else
 die "Unknown operation"
 fi |
@@ -73,7 +80,7 @@ for hash_result in "$hash_dir"/*;do
 rmdir "$key_aside_dir"
 else
 # Verify the hashes
- if [[ "$(awk '{ print $3 == $4 ? "hash ok" : "mismatch" }' "$hash_result")" != "hash ok" ]];then
+ if [[ "$(awk '{ print $5 == $6 ? "hash ok" : "mismatch" }' "$hash_result")" != "hash ok" ]];then
 die "Hash check $layer failed"
 fi
 fi
diff --git a/overonion-make-key b/overonion-make-key
index 0e588b2..0ff9776 100755
--- a/overonion-make-key
+++ b/overonion-make-key
@@ -1,6 +1,7 @@
 #!/bin/bash
 key_size=99
+hash_salt_size=63
 ciphers=(
 bf-cbc
 bf-cfb
 bf-ecb
 bf-ofb
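Review bot: The added `{ awk … $3 | base64 -d; cat; awk … $4 | base64 -d; }` group computes an unsalted digest without complaint when the selected key line has fewer than four fields (for instance a key file written before this change), because `awk` prints an empty string, `base64 -d` emits nothing for empty input, and the `$( … )` inside `echo` discards every non-zero status in the pipeline, including a `base64 -d` failure on a corrupt salt. A guard ahead of the `tee`, such as `[[ "$(awk -vlayer="$layer" 'NR == layer { print NF }' "$keyfile")" -ge 4 ]] || die "Layer $layer: key line has no salts"`, would make a format mismatch fail loudly instead. `go()` starts before this hunk, so it is not visible here whether the key-file salts are meant only to blind the stored digest or to act as a secret key for the integrity check; if the latter, `openssl dgst -mac HMAC -macopt hexkey:…` is the standard keyed construction rather than a salt-sandwiched plain hash.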
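Review bot: The renumbered comparison `$5 == $6` still prints `hash ok` when both fields are absent, so a `$hash_result` line with only four fields — which appears to be what an old-format key line (`openssl-dgst <alg> <hash>`) plus the newly computed digest yields — passes verification instead of failing. Requiring the fields to exist closes that gap: `if [[ "$(awk 'NF >= 6 && $5 == $6 { print "hash ok"; next } { print "mismatch" }' "$hash_result")" != "hash ok" ]];then`. The `for hash_result` loop named in the hunk header starts before this hunk; the previous `$3 == $4` form had the same vacuous match, but the field shift is what makes older key files reach it.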
@@ -38,19 +39,20 @@ if [[ -e "$keyfile" ]];then
 exit 1
 fi
-keys_needed=$((${#ciphers[*]} * 2))
+keys_needed=$((${#ciphers[*]} * 2 + ${#hashes[*]} * 4))
 keys_generated=0
 function generate_keys() {
 while read -r cipher;do
- echo -n $'\r'"Generating key $((++keys_generated))/$keys_needed" >&2
+ echo -n $'\r'"Generating key $((++keys_generated))/$keys_needed " >&2
 echo "openssl-enc $cipher $(head -c "$key_size" "$random_source" | base64 --wrap=0 )"
 done < <( IFS=$'\n'; shuf <<< "${ciphers[*]}"; )
 }
 function generate_hashes() {
 while read -r hash;do
- echo "openssl-dgst $hash"
+ echo -n $'\r'"Generating salt $((keys_generated += 2))/$keys_needed" >&2
+ echo "openssl-dgst $hash $(head -c "$hash_salt_size" "$random_source" | base64 --wrap=0 ) $(head -c "$hash_salt_size" "$random_source" | base64 --wrap=0 )"
 done < <( IFS=$'\n'; shuf <<< "${hashes[*]}"; )
 }
-- 
2.44.1
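Review bot: Each salt in the new `echo "openssl-dgst $hash $(head -c …) $(head -c …)"` line comes from a separate `head -c` whose status and output length are never checked, so if `$random_source` (defined outside this hunk) is short or unreadable the key line is written with an empty or truncated salt and nothing reports it. `$keys_needed` also counts four per hash while this loop advances `keys_generated` by two, which is only consistent if `generate_hashes` runs twice; its callers are outside the hunk, so this may be intended. Reading each salt into a variable and refusing an empty one keeps a bad `random_source` from producing a key file that looks valid.
```shell
function generate_hashes() {
  local salt1 salt2
  while read -r hash;do
    echo -n $'\r'"Generating salt $((keys_generated += 2))/$keys_needed" >&2
    salt1=$(head -c "$hash_salt_size" "$random_source" | base64 --wrap=0)
    salt2=$(head -c "$hash_salt_size" "$random_source" | base64 --wrap=0)
    [[ -n "$salt1" && -n "$salt2" ]] || { echo "Salt generation from $random_source failed" >&2; exit 1; }
    echo "openssl-dgst $hash $salt1 $salt2"
  # … unchanged: done < <( IFS=$'\n'; shuf <<< "${hashes[*]}"; ) and closing brace …
```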