From dc38dd97d82286765b34c6913dacd9eb808f5e0a Mon Sep 17 00:00:00 2001
From: Scott Worley <scottworley@scottworley.com>
Date: Sun, 22 Oct 2017 00:11:31 -0700
Subject: [PATCH] Add hashing

---
 overonion | 47 ++++++++++++++++++++++++++++++++++++++++++++++-
 1 file changed, 46 insertions(+), 1 deletion(-)

diff --git a/overonion b/overonion
index c77ea94..cd397fa 100755
--- a/overonion
+++ b/overonion
@@ -1,5 +1,10 @@
 #!/bin/bash
 
+umask 077
+
+hashes=(sha sha1 mdc2 ripemd160 sha224 sha256 sha384 sha512 md4 md5 dss1)
+hash_dir=$(mktemp -d)
+
 function die() {
   echo "$*" >&2
   exit 1
@@ -35,6 +40,10 @@ else
   openssl_decrypt="-d"
 fi
 
+function verify_hash() {
+  (( $(wc -l < "$1") == 2 && $(uniq "$1" | wc -l) == 1 ))
+}
+
 function go() {
   layer=$1
   if (( layer == 0 || layer > num_layers ));then
@@ -46,6 +55,12 @@ function go() {
               -pass fd:37 37< <(sed -rn "${layer}s/^[^ ]+ [^ ]+ //p" "$keyfile")
     elif [[ "$operation" == reverse ]];then
       reverse
+    elif [[ "$operation" == openssl-dgst ]];then
+      tee >(sed -rn "${layer}s/^[^ ]+ [^ ]+ //p" "$keyfile" > "$hash_dir/$layer"
+            openssl dgst -binary "-$(sed -rn "${layer}s/[^ ]+ ([^ ]+) .*/\\1/p" "$keyfile")" |
+              base64 --wrap=0 | sed 's/$/\n/' >> "$hash_dir/$layer"
+            # Dying here doesn't terminate the pipeline.  :(
+            verify_hash "$hash_dir/$layer" || die "Hash check $layer failed" )
     else
       die "Unknown operation"
     fi |
@@ -53,4 +68,34 @@ function go() {
   fi
 }
 
-go "$first_layer"
+function record_hashes() {
+  if [[ "$mode" == d ]] || (( $# < 2 ));then
+    cat
+  else
+    stage=$1
+    hash=$2
+    shift 2
+    tee >(openssl dgst -binary "-$hash" | base64 --wrap=0 |
+            sed "s/^/openssl-dgst $hash /;s/$/\n/" > "$hash_dir/$stage-$hash") |
+      record_hashes "$stage" "$@"
+  fi
+}
+
+record_hashes inner "${hashes[@]}" | go "$first_layer" | record_hashes outer "${hashes[@]}"
+
+if [[ "$mode" == e ]];then
+  # Add the hashes to keyfile
+  key_aside_dir=$(mktemp -d "$keyfile.XXXXXXXXXX")
+  key_aside="$key_aside_dir/key.orig"
+  mv "$keyfile" "$key_aside"
+  cat "$hash_dir"/outer-* "$key_aside" "$hash_dir"/inner* > "$keyfile"
+  shred -u "$key_aside"
+  rmdir "$key_aside_dir"
+else
+  # Verify the hashes
+  for hash_result in "$hash_dir"/*;do
+    verify_hash "$hash_result" || die "Hash check $(basename "$hash_result") failed"
+  done
+fi
+
+rm -r "$hash_dir"
-- 
2.44.1