added support for authenticated hashes

bindings/py/pypcp/raw.py

@@ -417,7 +417,7 @@ size_t pcp_decrypt_stream(PCPCTX *ptx, Pcpstream *in, Pcpstream* out, pcp_key_t
 size_t pcp_decrypt_stream_sym(PCPCTX *ptx, Pcpstream *in, Pcpstream* out, byte *symkey, pcp_rec_t *recverify);
 
 /*** ./gencffi.pl: from ../../include/pcp/crypto.h:351 */
-int pcp_checksum(PCPCTX *ptx, Pcpstream *in, byte *checksum);
+int pcp_checksum(PCPCTX *ptx, Pcpstream *in, byte *checksum, byte *key, size_t keylen);
 
 /*** ./gencffi.pl: from ../../include/pcp/crypto.h:351 */
 pcp_rec_t *pcp_rec_new(byte *cipher, size_t clen, pcp_key_t *secret, pcp_pubkey_t *pub);
@@ -866,34 +866,22 @@ uint8_t *zmq_z85_decode (uint8_t *dest, char *string);
 /*** ./gencffi.pl: from ../../include/pcp/zmq_z85.h:31 */
 char *zmq_z85_encode (char *dest, uint8_t *data, size_t size);'''
 
+# ./gencffi.pl: from ../../include/pcp/defines.h:172
+EXP_FORMAT_PBP = 2
+
+
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
 PCP_ASYM_CIPHER = 5
 
 
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
-PCP_BLOCK_SIZE = 32 * 1024
+EXP_SIG_CIPHER = 0x23
 
 
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
 EXP_PK_HEADER = "----- BEGIN ED25519-CURVE29915 PUBLIC KEY -----"
 
 
-# ./gencffi.pl: from ../../include/pcp/defines.h:172
-EXP_SK_FOOTER = "----- END ED25519-CURVE29915 PRIVATE KEY -----"
-
-
-# ./gencffi.pl: from ../../include/pcp/defines.h:172
-PCP_ENFILE_HEADER = "----- BEGIN PCP ENCRYPTED FILE -----\r\n"
-
-
-# ./gencffi.pl: from ../../include/pcp/defines.h:172
-EXP_FORMAT_NATIVE = 1
-
-
-# ./gencffi.pl: from ../../include/pcp/defines.h:172
-PBP_COMPAT_SALT = "qa~t](84z<1t<1oz:ik.@IRNyhG=8q(on9}4#!/_h#a7wqK{Nt$T?W>,mt8NqYq&6U<GB1$,<$j>,rSYI2GRDd:Bcm"
-
-
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
 EXP_HASH_CIPHER = 0x22
 
@@ -902,20 +890,48 @@ EXP_HASH_CIPHER = 0x22
 EXP_HASH_NAME = "BLAKE2"
 
 
+# ./gencffi.pl: from ../../include/pcp/defines.h:172
+PCP_CRYPTO_ADD = (32 - 16)
+
+
+# ./gencffi.pl: from ../../include/pcp/defines.h:172
+PCP_ASYM_CIPHER_SIG = 24
+
+
+# ./gencffi.pl: from ../../include/pcp/defines.h:172
+EXP_SIG_SUB_KEYFLAGS = 27
+
+
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
 EXP_SIG_SUB_NOTATION = 20
 
 
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
-EXP_SIG_CIPHER_NAME = "ED25519"
+PCP_VAULT_ID = 14
 
 
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
-EXP_SIG_CIPHER = 0x23
+EXP_SK_HEADER = "----- BEGIN ED25519-CURVE29915 PRIVATE KEY -----"
 
 
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
-PCP_ZFILE_HEADER = "----- BEGIN Z85 ENCODED FILE -----"
+PCP_ENFILE_HEADER = "----- BEGIN PCP ENCRYPTED FILE -----\r\n"
+
+
+# ./gencffi.pl: from ../../include/pcp/defines.h:172
+PCP_SIG_HEADER = "----- BEGIN ED25519 SIGNED MESSAGE -----"
+
+
+# ./gencffi.pl: from ../../include/pcp/defines.h:172
+PCP_SIGPREFIX = "\nnacl-"
+
+
+# ./gencffi.pl: from ../../include/pcp/defines.h:172
+PCP_ZFILE_FOOTER = "----- END Z85 ENCODED FILE -----"
+
+
+# ./gencffi.pl: from ../../include/pcp/defines.h:172
+EXP_SK_FOOTER = "----- END ED25519-CURVE29915 PRIVATE KEY -----"
 
 
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
@@ -923,11 +939,15 @@ PCP_SIG_END = "----- END ED25519 SIGNATURE -----"
 
 
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
-EXP_PK_CIPHER = 0x21
+PCP_RFC_CIPHER = 0x21 
 
 
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
-PCP_RFC_CIPHER = 0x21 
+PCP_ENCRYPT_MAC = 56
+
+
+# ./gencffi.pl: from ../../include/pcp/defines.h:172
+PCP_ME = "Pretty Curved Privacy"
 
 
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
@@ -939,31 +959,15 @@ PCP_ENFILE_FOOTER = "\r\n----- END PCP ENCRYPTED FILE -----\r\n"
 
 
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
-PCP_SYM_CIPHER = 23
+EXP_SIG_SUB_CTIME = 2
 
 
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
-EXP_SIG_TYPE = 0x1F 
+PCP_SIG_START = "----- BEGIN ED25519 SIGNATURE -----"
 
 
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
-EXP_SIG_SUB_KEYFLAGS = 27
-
-
-# ./gencffi.pl: from ../../include/pcp/defines.h:172
-EXP_SK_HEADER = "----- BEGIN ED25519-CURVE29915 PRIVATE KEY -----"
-
-
-# ./gencffi.pl: from ../../include/pcp/defines.h:172
-PCP_SIGPREFIX = "\nnacl-"
-
-
-# ./gencffi.pl: from ../../include/pcp/defines.h:172
-PCP_ME = "Pretty Curved Privacy"
-
-
-# ./gencffi.pl: from ../../include/pcp/defines.h:172
-PCP_ZFILE_FOOTER = "----- END Z85 ENCODED FILE -----"
+PCP_ZFILE_HEADER = "----- BEGIN Z85 ENCODED FILE -----"
 
 
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
@@ -971,7 +975,11 @@ EXP_SIG_SUB_SIGEXPIRE = 3
 
 
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
-PCP_ENCRYPT_MAC = 56
+EXP_SIG_CIPHER_NAME = "ED25519"
+
+
+# ./gencffi.pl: from ../../include/pcp/defines.h:172
+EXP_PK_CIPHER = 0x21
 
 
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
@@ -979,19 +987,15 @@ EXP_PK_FOOTER = "----- END ED25519-CURVE29915 PUBLIC KEY -----"
 
 
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
-EXP_SIG_SUB_CTIME = 2
+EXP_SIG_SUB_KEYEXPIRE = 9
 
 
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
-PCP_VAULT_ID = 14
+EXP_FORMAT_NATIVE = 1
 
 
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
-PCP_SIG_HEADER = "----- BEGIN ED25519 SIGNED MESSAGE -----"
-
-
-# ./gencffi.pl: from ../../include/pcp/defines.h:172
-PCP_ASYM_CIPHER_SIG = 24
+PCP_SYM_CIPHER = 23
 
 
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
@@ -999,16 +1003,12 @@ EXP_PK_CIPHER_NAME = "CURVE25519-ED25519-POLY1305-SALSA20"
 
 
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
-EXP_FORMAT_PBP = 2
+PBP_COMPAT_SALT = "qa~t](84z<1t<1oz:ik.@IRNyhG=8q(on9}4#!/_h#a7wqK{Nt$T?W>,mt8NqYq&6U<GB1$,<$j>,rSYI2GRDd:Bcm"
 
 
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
-PCP_CRYPTO_ADD = (32 - 16)
+PCP_BLOCK_SIZE = 32 * 1024
 
 
 # ./gencffi.pl: from ../../include/pcp/defines.h:172
-EXP_SIG_SUB_KEYEXPIRE = 9
-
-
-# ./gencffi.pl: from ../../include/pcp/defines.h:172
-PCP_SIG_START = "----- BEGIN ED25519 SIGNATURE -----"
+EXP_SIG_TYPE = 0x1F 

include/pcp.h

@@ -7,7 +7,6 @@ extern "C" {
 
 #include "pcp/config.h"
 #include "pcp/buffer.h"
-#include "pcp/config.h"
 #include "pcp/context.h"
 #include "pcp/crypto.h"
 #include "pcp/defines.h"

include/pcp/crypto.h

@@ -333,7 +333,7 @@ int pcp_sodium_verify_mac(byte **cleartext,
   
     \return Returns 0 on error.
 */
-int pcp_checksum(PCPCTX *ptx, Pcpstream *in, byte *checksum);
+int pcp_checksum(PCPCTX *ptx, Pcpstream *in, byte *checksum, byte *key, size_t keylen);
 
 
 

libpcp/crypto.c

@@ -812,13 +812,18 @@ http://mrob.com/pub/math/int128.c.txt
 http://locklessinc.com/articles/256bit_arithmetic/
 */
 
-int pcp_checksum(PCPCTX *ptx, Pcpstream *in, byte *checksum) {
+int pcp_checksum(PCPCTX *ptx, Pcpstream *in, byte *checksum, byte *key, size_t keylen) {
   crypto_generichash_state *st = ucmalloc(sizeof(crypto_generichash_state));
   byte *buf = ucmalloc(PCP_BLOCK_SIZE);
   size_t bufsize = 0;
   int ret = 1;
+
   
-  crypto_generichash_init(st, NULL, 0, 0);
+  if(key != NULL && keylen <= crypto_generichash_KEYBYTES_MAX) {
+    crypto_generichash_init(st, key, keylen, crypto_generichash_KEYBYTES_MAX);
+  }
+  else
+    crypto_generichash_init(st, NULL, 0, 0);
   
   while(!ps_end(in)) {
     bufsize = ps_read(in, buf, PCP_BLOCK_SIZE);

man/options.pod

@@ -132,8 +132,12 @@
                            uses stdin/stdout
  
  Misc Options:
- -C --checksum             Calculate a Blake2 checksum of one or more files.
+ -C --checksum [<key>]     Calculate a Blake2b checksum of one or more files.
+                           If <key> is provided, an authenticated hash will
+                           be calculated, otherwise a normal hash. If you don't
+                           want to generate an authenticated hash, specify
+                           -- after -C.
                            Use -I to specify one file or put multiple file
-                           names after -C like "pcp1 -C file1 file2 file3".
+                           names after -C like "pcp1 -C -- file1 file2 file3".
  
 

man/pcp1.1

@@ -1,4 +1,4 @@
-.\" Automatically generated by Pod::Man 2.25 (Pod::Simple 3.16)
+.\" Automatically generated by Pod::Man 2.27 (Pod::Simple 3.28)
 .\"
 .\" Standard preamble:
 .\" ========================================================================
@@ -38,6 +38,8 @@
 .    ds PI \(*p
 .    ds L" ``
 .    ds R" ''
+.    ds C`
+.    ds C'
 'br\}
 .\"
 .\" Escape single quotes in literal strings from groff's Unicode transform.
@@ -48,17 +50,24 @@
 .\" titles (.TH), headers (.SH), subsections (.SS), items (.Ip), and index
 .\" entries marked with X<> in POD.  Of course, you'll have to process the
 .\" output yourself in some meaningful fashion.
-.ie \nF \{\
-.    de IX
-.    tm Index:\\$1\t\\n%\t"\\$2"
+.\"
+.\" Avoid warning from groff about undefined register 'F'.
+.de IX
 ..
-.    nr % 0
-.    rr F
-.\}
-.el \{\
-.    de IX
+.nr rF 0
+.if \n(.g .if rF .nr rF 1
+.if (\n(rF:(\n(.g==0)) \{
+.    if \nF \{
+.        de IX
+.        tm Index:\\$1\t\\n%\t"\\$2"
 ..
+.        if !\nF==2 \{
+.            nr % 0
+.            nr F 2
+.        \}
+.    \}
 .\}
+.rr rF
 .\"
 .\" Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
 .\" Fear.  Run.  Save yourself.  No user-serviceable parts.
@@ -124,7 +133,7 @@
 .\" ========================================================================
 .\"
 .IX Title "PCP1 1"
-.TH PCP1 1 "2015-07-17" "PCP 0.2.6" "USER CONTRIBUTED DOCUMENTATION"
+.TH PCP1 1 "2015-07-21" "PCP 0.3.0" "USER CONTRIBUTED DOCUMENTATION"
 .\" For nroff, turn off justification.  Always turn off hyphenation; it makes
 .\" way too many mistakes in technical documents.
 .if n .ad l
@@ -184,7 +193,7 @@ Pretty Curved Privacy \- File encryption using eliptic curve cryptography.
 \&  \-a \-\-armor \-\-textmode     same as \-z
 \&  
 \&  Misc Options:
-\&  \-C \-\-checksum             calculate a Blake2 checksum of one or more files.
+\&  \-C \-\-checksum [<key>]     calculate a Blake2 checksum of one or more files.
 \&  
 \&  Arguments:
 \&  Extra arguments after options are treated as filenames or
@@ -323,9 +332,13 @@ Pretty Curved Privacy \- File encryption using eliptic curve cryptography.
 \&                           uses stdin/stdout
 \& 
 \& Misc Options:
-\& \-C \-\-checksum             Calculate a Blake2 checksum of one or more files.
+\& \-C \-\-checksum [<key>]     Calculate a Blake2b checksum of one or more files.
+\&                           If <key> is provided, an authenticated hash will
+\&                           be calculated, otherwise a normal hash. If you don\*(Aqt
+\&                           want to generate an authenticated hash, specify
+\&                           \-\- after \-C.
 \&                           Use \-I to specify one file or put multiple file
-\&                           names after \-C like "pcp1 \-C file1 file2 file3".
+\&                           names after \-C like "pcp1 \-C \-\- file1 file2 file3".
 .Ve
 .SH "DESCRIPTION"
 .IX Header "DESCRIPTION"
@@ -333,7 +346,7 @@ Pretty Curved Privacy \- File encryption using eliptic curve cryptography.
 be used to encrypt files. \fBpcp1\fR uses eliptc curve cryptography
 for encryption (\s-1CURVE25519\s0 by Dan J. Bernstein). While \s-1CURVE25519\s0
 is no worldwide accepted standard it hasn't been compromised by
-the \s-1NSA\s0 \- which might be better, depending on your point of view.
+the \s-1NSA \-\s0 which might be better, depending on your point of view.
 .PP
 \&\fBCaution\fR: since \s-1CURVE25519\s0 is no accepted standard, \fBpcp1\fR has
 to be considered as experimental software. In fact, I wrote it just
@@ -659,10 +672,10 @@ Enable debugging output, where supported. Same as \fB\-D\fR.
 .IX Header "EXIT STATUS"
 Pcp may return one of several error codes if it encounters problems.
 .IP "0   No problems occurred." 4
-.IX Item "0   No problems occurred."
+.IX Item "0 No problems occurred."
 .PD 0
 .IP "1   Generic error code." 4
-.IX Item "1   Generic error code."
+.IX Item "1 Generic error code."
 .PD
 .SH "FILES"
 .IX Header "FILES"
@@ -711,7 +724,7 @@ don't use it for anything remotely serious.
 \&\fBIn short: don \s-1NOT\s0 use this software for production purposes!\fR
 .SH "INTERNALS"
 .IX Header "INTERNALS"
-.SS "\s-1VAULT\s0 \s-1FORMAT\s0"
+.SS "\s-1VAULT FORMAT\s0"
 .IX Subsection "VAULT FORMAT"
 The vault file contains all public and secret keys. It's a portable
 binary file.
@@ -758,7 +771,7 @@ Type can be one of:
 .Ve
 .PP
 The key header is followed by the actual key, see below.
-.SS "\s-1SECRET\s0 \s-1KEY\s0 \s-1FORMAT\s0"
+.SS "\s-1SECRET KEY FORMAT\s0"
 .IX Subsection "SECRET KEY FORMAT"
 A secret key is a binary structure with the following format:
 .PP
@@ -827,7 +840,7 @@ are otherwise unrelated. If one of them leaks, the other
 cannot be recalculated from it.
 .PP
 Take a look at the function \fB\f(BIpcp_keypairs()\fB\fR for details.
-.SS "\s-1PUBLIC\s0 \s-1KEY\s0 \s-1EXPORT\s0 \s-1FORMAT\s0"
+.SS "\s-1PUBLIC KEY EXPORT FORMAT\s0"
 .IX Subsection "PUBLIC KEY EXPORT FORMAT"
 Exported public and secret keys will be written in a portable
 way. Pcp uses \s-1RFC4880\s0 export format for public keys with some
@@ -931,7 +944,7 @@ So, a full pubkey export looks like this
 \&    hash
 \&    signature
 .Ve
-.SS "\s-1SECRET\s0 \s-1KEY\s0 \s-1EXPORT\s0 \s-1FORMAT\s0"
+.SS "\s-1SECRET KEY EXPORT FORMAT\s0"
 .IX Subsection "SECRET KEY EXPORT FORMAT"
 Secret keys are exported in a proprietary format.
 .PP
@@ -963,7 +976,7 @@ to encrypt the data and looks after encryption as such:
 .Vb 1
 \&  Nonce | Cipher
 .Ve
-.SS "\s-1ENCRYPTED\s0 \s-1OUTPUT\s0 \s-1FORMAT\s0"
+.SS "\s-1ENCRYPTED OUTPUT FORMAT\s0"
 .IX Subsection "ENCRYPTED OUTPUT FORMAT"
 The encryption protocol used by \s-1PCP\s0 uses mostly standard
 libsodium facilities with the exception that \s-1PCP\s0 uses counter
@@ -1056,7 +1069,7 @@ of the sender.
 The encrypted output maybe Z85 encoded. In this case the Z85
 encoding will be done blockwise with blocks of 16k bytes. The
 decoded content inside will be as described above.
-.SS "\s-1SIGNATURE\s0 \s-1FORMAT\s0"
+.SS "\s-1SIGNATURE FORMAT\s0"
 .IX Subsection "SIGNATURE FORMAT"
 There are different signature formats. Standard binary \s-1NACL\s0
 signatures have the following format:
@@ -1108,15 +1121,15 @@ Armored signatures have the following format:
 .PP
 The Z85 encoded signature at the end contains the same signature
 contents as the binary signature outlined above (hash+sig).
-.SS "\s-1SIGNED\s0 \s-1ENCRYPTION\s0 \s-1FORMAT\s0"
+.SS "\s-1SIGNED ENCRYPTION FORMAT\s0"
 .IX Subsection "SIGNED ENCRYPTION FORMAT"
 Signed encrypted files are in binary form only. The first part is
-the standard encrypted file as described in \fB\s-1ENCRYPTED\s0 \s-1OUTPUT\s0 \s-1FORMAT\s0\fR
-followed by the binary encrypted signature described in \fB\s-1SIGNATURE\s0 \s-1FORMAT\s0\fR
+the standard encrypted file as described in \fB\s-1ENCRYPTED OUTPUT FORMAT\s0\fR
+followed by the binary encrypted signature described in \fB\s-1SIGNATURE FORMAT\s0\fR
 without the offset separator.
 .PP
 However, not only the hash of the file content will be signed but the
-recipient list described in \fB\s-1ENCRYPTED\s0 \s-1OUTPUT\s0 \s-1FORMAT\s0\fR as well. A
+recipient list described in \fB\s-1ENCRYPTED OUTPUT FORMAT\s0\fR as well. A
 valid recipient is therefore not able to re-encrypt the decrypted
 message, append the original signature and send it to other recipients.
 The signature would not match since the recipient list differs and
@@ -1156,7 +1169,7 @@ Before encryption the signature format is:
 \& +\-\-\-\-\-\-\-\-\-\-\-\-\-|\-\-\-\-\-\-\-\-|\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-\-+
 .Ve
 .PP
-where R is: C(recipient)|C(recipient)... (see \fB\s-1ENCRYPTED\s0 \s-1OUTPUT\s0 \s-1FORMAT\s0\fR).
+where R is: C(recipient)|C(recipient)... (see \fB\s-1ENCRYPTED OUTPUT FORMAT\s0\fR).
 .PP
 Pseudocode:
 .PP
@@ -1223,9 +1236,9 @@ pcp1 \-z \-I file \-O file.z85
 Reverse the process:
 .PP
 pcp1 \-Z \-I file.z85 \-O file
-.SS "\s-1PBP\s0 \s-1COMPATIBILITY\s0"
+.SS "\s-1PBP COMPATIBILITY\s0"
 .IX Subsection "PBP COMPATIBILITY"
-\&\s-1PCP\s0 tries to be fully compatible with \s-1PBP\s0 (https://github.com/stef/pbp). Encrypted
+\&\s-1PCP\s0 tries to be fully compatible with \s-1PBP \s0(https://github.com/stef/pbp). Encrypted
 files and signatures \- at least their binary versions \- should be exchangable. However,
 this is a work in progress and might not work under all circumstances. Also there's currently
 no shared key format between pbp and pcp. However, it is possible to export and
@@ -1249,8 +1262,8 @@ functions:
 .PD
 .PP
 \&\s-1JSON\s0 support can be used either with the commandline tool \fBpcp1\fR or programmatically
-using the C, \*(C+ or Python \s-1API\s0.
-.SS "\s-1USING\s0 \s-1JSON\s0 \s-1FROM\s0 \s-1THE\s0 C \s-1API\s0"
+using the C, \*(C+ or Python \s-1API.\s0
+.SS "\s-1USING JSON FROM THE C API\s0"
 .IX Subsection "USING JSON FROM THE C API"
 In order to use \s-1JSON\s0 all you've got to do is to switch a context flag:
 .PP
@@ -1260,9 +1273,9 @@ In order to use \s-1JSON\s0 all you've got to do is to switch a context flag:
 .Ve
 .PP
 That all to it. Now any function normally used for key import and export works
-with \s-1JSON\s0, just fill the \fBBuffer\fR object with a \s-1JSON\s0 string for imports or
+with \s-1JSON,\s0 just fill the \fBBuffer\fR object with a \s-1JSON\s0 string for imports or
 fetch the Buffer content of an export function as a string.
-.SS "\s-1USING\s0 \s-1JSON\s0 \s-1FROM\s0 \s-1THE\s0 \s-1COMMANDLINE\s0"
+.SS "\s-1USING JSON FROM THE COMMANDLINE\s0"
 .IX Subsection "USING JSON FROM THE COMMANDLINE"
 In order to use \s-1JSON\s0 on the commandline, add \fB\-j\fR. This can be used in
 conjunction with the following options:
@@ -1280,9 +1293,9 @@ Public and secret key import.
 Text view mode (aka inspect mode).
 .PP
 The \fB\-z\fR and \fB\-Z\fR options are ignored in \s-1JSON\s0 mode.
-.SS "\s-1JSON\s0 \s-1OBJECT\s0 \s-1STRUCTURE\s0"
+.SS "\s-1JSON OBJECT STRUCTURE\s0"
 .IX Subsection "JSON OBJECT STRUCTURE"
-\fI\s-1JSON\s0 \s-1PUBLIC\s0 \s-1KEY\s0 (pcp1 \-p \-j)\fR
+\fI\s-1JSON PUBLIC KEY \s0(pcp1 \-p \-j)\fR
 .IX Subsection "JSON PUBLIC KEY (pcp1 -p -j)"
 .PP
 The \s-1JSON\s0 object for a public key looks like this:
@@ -1311,7 +1324,7 @@ Fields containing byte arrays are hex encoded.
 .PP
 Numbers are represented as literal integers.
 .PP
-\fI\s-1JSON\s0 \s-1SECRET\s0 \s-1KEY\s0 (pcp1 \-s \-j)\fR
+\fI\s-1JSON SECRET KEY \s0(pcp1 \-s \-j)\fR
 .IX Subsection "JSON SECRET KEY (pcp1 -s -j)"
 .PP
 The \s-1JSON\s0 object for a public key looks like this:
@@ -1342,7 +1355,7 @@ secret key material. Pcp does not support exporting a secret key unencrypted.
 The \fBnonce\fR is required for a later import and shall not be changed or
 decoupled from \fBsecrets\fR. This may change in the future.
 .PP
-\fI\s-1JSON\s0 \s-1VAULT\s0 (pcp1 \-t)\fR
+\fI\s-1JSON VAULT \s0(pcp1 \-t)\fR
 .IX Subsection "JSON VAULT (pcp1 -t)"
 .PP
 The \s-1JSON\s0 object for the vault looks like this:
@@ -1361,7 +1374,7 @@ The \s-1JSON\s0 object for the vault looks like this:
 The field \fBkeys\fR is an array containing one or more of the already
 described key objects.
 .PP
-\fI\s-1JSON\s0 \s-1PROGRAM\s0 \s-1OUTPUT\s0\fR
+\fI\s-1JSON PROGRAM OUTPUT\s0\fR
 .IX Subsection "JSON PROGRAM OUTPUT"
 .PP
 Currently pcp does not support \s-1JSON\s0 program output, that is, success or
@@ -1410,7 +1423,7 @@ under the \fB\s-1GPL\s0\fR as well.
 \&\fIT.v.Dein <tom \s-1AT\s0 vondein \s-1DOT\s0 org\fR>
 .SH "LICENSE"
 .IX Header "LICENSE"
-Licensed under the  \s-1GNU\s0 \s-1GENERAL\s0 \s-1PUBLIC\s0 \s-1LICENSE\s0 version 3.
+Licensed under the  \s-1GNU GENERAL PUBLIC LICENSE\s0 version 3.
 .SH "HOME"
 .IX Header "HOME"
 The homepage of Pretty Curved Privacy can be found on

man/pcp1.pod

@@ -56,7 +56,7 @@ Pretty Curved Privacy - File encryption using eliptic curve cryptography.
   -a --armor --textmode     same as -z
   
   Misc Options:
-  -C --checksum             calculate a Blake2 checksum of one or more files.
+  -C --checksum [<key>]     calculate a Blake2 checksum of one or more files.
   
   Arguments:
   Extra arguments after options are treated as filenames or
@@ -195,9 +195,13 @@ Pretty Curved Privacy - File encryption using eliptic curve cryptography.
                            uses stdin/stdout
  
  Misc Options:
- -C --checksum             Calculate a Blake2 checksum of one or more files.
+ -C --checksum [<key>]     Calculate a Blake2b checksum of one or more files.
+                           If <key> is provided, an authenticated hash will
+                           be calculated, otherwise a normal hash. If you don't
+                           want to generate an authenticated hash, specify
+                           -- after -C.
                            Use -I to specify one file or put multiple file
-                           names after -C like "pcp1 -C file1 file2 file3".
+                           names after -C like "pcp1 -C -- file1 file2 file3".
  
 
 

src/encryption.c

@@ -360,9 +360,19 @@ int pcpencrypt(char *id, char *infile, char *outfile, char *passwd, plist_t *rec
   return 1;
 }
 
-void pcpchecksum(char **files, int filenum) {
+void pcpchecksum(char **files, int filenum, char *key) {
   int i;
   byte *checksum = ucmalloc(crypto_generichash_BYTES_MAX);
+  byte *keyhash = NULL;
+  size_t hashlen = 0;
+
+  if(key != NULL) {
+    keyhash = ucmalloc(crypto_generichash_BYTES);
+    crypto_generichash(keyhash, crypto_generichash_BYTES,
+		       (byte *)key, strlen(key),
+		       NULL, crypto_generichash_BYTES);
+    hashlen = crypto_generichash_BYTES;
+  }
   
   for(i=0; i<filenum; i++) {
     FILE *in;
@@ -377,9 +387,9 @@ void pcpchecksum(char **files, int filenum) {
       }
     }
     Pcpstream *pin = ps_new_file(in);
-    if(pcp_checksum(ptx, pin, checksum) > 0) {
+    if(pcp_checksum(ptx, pin, checksum, keyhash, hashlen) > 0) {
       char *hex = _bin2hex(checksum, crypto_generichash_BYTES_MAX);
-      fprintf(stdout, "BLAKE2 (%s) = %s\n", files[i], hex);
+      fprintf(stdout, "BLAKE2b (%s) = %s\n", files[i], hex);
       free(hex);
     }
     else
@@ -387,4 +397,7 @@ void pcpchecksum(char **files, int filenum) {
   }
 
   free(checksum);
+
+  if(keyhash != NULL)
+    free(keyhash);
 }

src/encryption.h

@@ -40,6 +40,6 @@
 
 int pcpdecrypt(char *id, int useid, char *infile, char *outfile, char *passwd, int verify);
 int pcpencrypt(char *id, char *infile, char *outfile, char *passwd, plist_t *recipient, int signcrypt, int armor, int anon);
-void pcpchecksum(char **files, int filenum);
+void pcpchecksum(char **files, int filenum, char *key);
 
 #endif /*  _HAVE_ENCRYPTION_H */

src/pcp.c

@@ -114,7 +114,7 @@ int main (int argc, char **argv)  {
     { "decrypt",         no_argument,       NULL,           'd' },
     { "anonymous",       no_argument,       NULL,           'A' },
     { "add-myself",      no_argument,       NULL,           'M' },
-    { "checksum",        no_argument,       NULL,           'C' },
+    { "checksum",        optional_argument, NULL,           'C' },
 
     /*  encoding */
     { "z85-encode",      no_argument,       NULL,           'z' },
@@ -136,7 +136,7 @@ int main (int argc, char **argv)  {
     { NULL,              0,                 NULL,            0 }
   };
 
-  while ((opt = getopt_long(argc, argv, "klLV:vdehsO:i:I:pSPRtEx:DzaZr:gcmf:b1F:0KAMX:jC",
+  while ((opt = getopt_long(argc, argv, "klLV:vdehsO:i:I:pSPRtEx:DzaZr:gcmf:b1F:0KAMX:jC:",
 			    longopts, NULL)) != -1) {
   
     switch (opt)  {
@@ -233,6 +233,10 @@ int main (int argc, char **argv)  {
 	break;
       case 'C':
 	mode += PCP_MODE_CHECKSUM;
+	if(strlen(optarg) > 0 && strncmp(optarg, "--", 3) > 0) {
+	  xpass = smalloc(strlen(optarg)+1);
+	  strncpy(xpass, optarg, strlen(optarg)+1);
+	}
 	break;	
       case 'f':
 	sigfile = ucmalloc(strlen(optarg)+1);
@@ -612,16 +616,16 @@ int main (int argc, char **argv)  {
 	if(argc == 0) {
 	  char *list[1];
 	  list[0] = NULL;
-	  pcpchecksum(list, 1);
+	  pcpchecksum(list, 1, xpass);
 	}
 	else {
-	  pcpchecksum(argv, argc);
+	  pcpchecksum(argv, argc, xpass);
 	}
       }
       else {
 	char *list[1];
 	list[0] = infile;
-	pcpchecksum(list, 1);
+	pcpchecksum(list, 1, xpass);
       }
       break;
       

src/usage.h

@@ -51,7 +51,7 @@
 "-a --armor --textmode     same as -z\n" \
 "\n" \
 "Misc Options:\n" \
-"-C --checksum             calculate a Blake2 checksum of one or more files.\n" \
+"-C --checksum [<key>]     calculate a Blake2 checksum of one or more files.\n" \
 "\n" \
 "Arguments:\n" \
 "Extra arguments after options are treated as filenames or\n" \

src/usage.txt

@@ -49,7 +49,7 @@ Encoding Options:
 -a --armor --textmode     same as -z
 
 Misc Options:
--C --checksum             calculate a Blake2 checksum of one or more files.
+-C --checksum [<key>]     calculate a Blake2 checksum of one or more files.
 
 Arguments:
 Extra arguments after options are treated as filenames or

tests/unittests.cfg

@@ -573,17 +573,23 @@ temporarily disabled
 
 # checksum tests
 <test checksums>
-  blake2 = 5baec1cad5bf54287028749d83f2bf3e3ed09f0ee38a233f35dbda1361c6a67fd824e17c86ee3a85181038eb44836c17c42e6beff17fdf997075417914056992
+  blake2     = 5baec1cad5bf54287028749d83f2bf3e3ed09f0ee38a233f35dbda1361c6a67fd824e17c86ee3a85181038eb44836c17c42e6beff17fdf997075417914056992
+  blake2auth = 6d74340db1e77021861443d6cc0d1acedefed8c6d863789778ed800b99d32b6c96b782d087209ea180e983af51bd649064eff58ef0826c8996ae8017c35082b3
+  key        = 9U3Dk2s
   <test check-checksum-copying>
-    cmd = $pcp -C ../COPYING
+    cmd = $pcp -C -- ../COPYING
     expect = /$blake2/
   </test>
+  <test check-checksum-authenticated-copying>
+    cmd = $pcp -C $key ../COPYING
+    expect = /$blake2auth/
+  </test>
   <test check-checksum-copying-stdin>
-    cmd = $pcp -C < ../COPYING
+    cmd = $pcp -C -- < ../COPYING
     expect = /$blake2/
   </test>
   <test check-checksum-multiple>
-    cmd = $pcp -C ../COPYING ../README
+    cmd = $pcp -C -- ../COPYING ../README
     expect = /README/
   </test>
 </test>