Add check for wrong password.

Embed original file's SHA256 hash in encrypted file for a later match.

Signed-off-by: Arun Prakash Jana <engineerarun@gmail.com>

README.md

@@ -75,7 +75,7 @@ OR, on Ubuntu,
   - `-s` : match any of the keywords in URL or title. Order is irrelevant.
   - `-S` : match all the keywords in URL or title. Order is irrelevant.
   - Search results are indexed serially. This index is different from actual database index of a bookmark reord which is shown within `()` after the URL.
-- Encryption support is manual. Database file should be unlocked (`-k`) before using markit and locked (`-l`) afterwards. Note that the database file is <i>unecrypted on creation</i>. AES256 is used for encryption. Even a wrong password leads to (mathematically) successful decryption. So keep your encrypted database file safe i.e. do not overwrite it without verifying the file is decrypted correctly.
+- Encryption support is manual. Database file should be unlocked (`-k`) before using markit and locked (`-l`) afterwards. Note that the database file is <i>unecrypted on creation</i>. AES256 is used for encryption.
   
 <b>Cmdline help:</b>
   

markit

@@ -37,6 +37,7 @@ try:
     import struct
 
     no_crypto = False
+    BLOCKSIZE = 65536
 except ImportError:
     no_crypto = True
 
@@ -456,6 +457,19 @@ def browser_open(url):
 
 
 
+# Get the SHA256 hash of a file
+def get_filehash(filepath):
+    with open(filepath, 'rb') as f:
+        hasher = hashlib.sha256()
+        buf = f.read(BLOCKSIZE)
+        while len(buf) > 0:
+            hasher.update(buf)
+            buf = f.read(BLOCKSIZE)
+
+        return hasher.digest()
+
+
+
 # Encrypt the bookmarks database file
 def encrypt_file():
     dbpath = os.path.join(os.environ.get('HOME'), '.cache', 'markit', 'bookmarks.db')
@@ -477,6 +491,9 @@ def encrypt_file():
     chunksize = 512 * 1024
     encpath = dbpath + '.enc'
 
+    # Get SHA256 hash of DB file
+    dbhash = get_filehash(dbpath)
+
     iv = Random.new().read(AES.block_size)
     cipher = AES.new(key, AES.MODE_CBC, iv)
     filesize = os.path.getsize(dbpath)
@@ -486,6 +503,9 @@ def encrypt_file():
             outfile.write(struct.pack('<Q', filesize))
             outfile.write(iv)
 
+            # Embed DB file hash in encrypted file
+            outfile.write(dbhash)
+
             while True:
                 chunk = infile.read(chunksize)
                 if len(chunk) == 0:
@@ -523,6 +543,9 @@ def decrypt_file():
         iv = infile.read(16)
         cipher = AES.new(key, AES.MODE_CBC, iv)
 
+        # Get original DB file's SHA256 hash from encrypted file
+        enchash = infile.read(32)
+
         with open(dbpath, 'wb') as outfile:
             while True:
                 chunk = infile.read(chunksize)
@@ -533,7 +556,15 @@ def decrypt_file():
 
             outfile.truncate(origsize)
 
+    # Match hash of generated file with that of original DB file
+    dbhash = get_filehash(dbpath)
+    if dbhash != enchash:
+        os.remove(dbpath)
+        print("Wrong password")
+    else:
+        os.remove(encpath)
         print("File decrypted")
+
     sys.exit(0)
 
 

markit.1

@@ -26,7 +26,7 @@ Search works in mysterious ways:
   - '-S' : match all the keywords in URL or title. Order is irrelevant. 
   - Search results are indexed serially. This index is different from actual database index of a bookmark reord which is shown within '()' after the URL.
 .PP
-Encryption support is manual. Database file should be unlocked ('-k') before using markit and locked ('-l') afterwards. Note that the database file is unecrypted on creation. AES256 is used for encryption. Even a wrong password leads to (mathematically) successful decryption. So keep your encrypted database file safe i.e. do not overwrite it without verifying the file is decrypted correctly.
+Encryption support is manual. Database file should be unlocked ('-k') before using markit and locked ('-l') afterwards. Note that the database file is unecrypted on creation. AES256 is used for encryption.
 .SH OPTIONS
 .TP
 .BI \-a " URL" " " "tag 1", " tag 2", " ..."