new version

Author: hamkee

.github/workflows/verify.yml

@@ -0,0 +1,77 @@
+name: verify
+
+on:
+  push:
+  pull_request:
+  workflow_dispatch:
+  schedule:
+    - cron: "0 3 * * *"
+
+jobs:
+  verify:
+    strategy:
+      fail-fast: false
+      matrix:
+        os:
+          - ubuntu-latest
+          - macos-latest
+    runs-on: ${{ matrix.os }}
+    env:
+      OPENSSL_VERSION: "3.5.0"
+      OPENSSL_PREFIX: ${{ runner.temp }}/openssl-3.5.0
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Linux build tools
+        if: runner.os == 'Linux'
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y perl
+
+      - name: Cache OpenSSL
+        id: cache-openssl
+        uses: actions/cache@v4
+        with:
+          path: ${{ env.OPENSSL_PREFIX }}
+          key: openssl-${{ env.OPENSSL_VERSION }}-${{ runner.os }}-${{ runner.arch }}
+
+      - name: Build OpenSSL
+        if: steps.cache-openssl.outputs.cache-hit != 'true'
+        run: sh ci/build_openssl.sh
+
+      - name: Verify
+        run: make clean all verify OPENSSL_PREFIX="${OPENSSL_PREFIX}"
+
+      - name: Portable fuzz run
+        run: make fuzz-run FUZZ_RUNS=5000 OPENSSL_PREFIX="${OPENSSL_PREFIX}"
+
+  nightly-fuzz:
+    if: github.event_name == 'schedule' || github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    env:
+      OPENSSL_VERSION: "3.5.0"
+      OPENSSL_PREFIX: ${{ runner.temp }}/openssl-3.5.0
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Install Linux build tools
+        run: |
+          sudo apt-get update
+          sudo apt-get install -y perl
+
+      - name: Cache OpenSSL
+        id: cache-openssl
+        uses: actions/cache@v4
+        with:
+          path: ${{ env.OPENSSL_PREFIX }}
+          key: openssl-${{ env.OPENSSL_VERSION }}-${{ runner.os }}-${{ runner.arch }}
+
+      - name: Build OpenSSL
+        if: steps.cache-openssl.outputs.cache-hit != 'true'
+        run: sh ci/build_openssl.sh
+
+      - name: Nightly verify
+        run: make clean all verify OPENSSL_PREFIX="${OPENSSL_PREFIX}"
+
+      - name: Extended fuzz run
+        run: make fuzz-run FUZZ_RUNS=20000 OPENSSL_PREFIX="${OPENSSL_PREFIX}"

README.md

@@ -4,31 +4,33 @@ eed is a simple, minimal, secure text editor inspired by ed, written in C.
 
 ✅ Supports encrypted text files
 
-✅ Uses AES-256-CBC for encryption
+✅ Uses Argon2id for password-based key derivation
 
-✅ Uses HMAC-SHA-256 for integrity protection (MAC)
+✅ Uses AES-256-GCM for authenticated encryption
 
-✅ Compatible with OpenSSL 3.x → no deprecated functions
+✅ Compatible with OpenSSL 3.5+ for Argon2id + AEAD primitives
 
-✅ Does not leak plaintext to disk
+✅ Save path writes ciphertext only
 
-✅ Holds buffer in RAM only
+✅ Keeps the working buffer in process memory, with optional strict memory-lock enforcement
 
 ✅ Works on Linux, macOS
 
 Features
 
 Password protected: securely prompts for password (hidden input)
 
-PBKDF2 (SHA-256) for key derivation (easy to swap to Argon2 if needed)
+Fixed Argon2id profile for password-based key derivation
 
-AES-256-CBC encryption
+AES-256-GCM authenticated encryption
 
-HMAC-SHA-256 message authentication (MAC) → detects tampering
+Authenticated `EED4` file format with header-bound associated data
 
-No temp files, only in-memory buffer until explicitly written
+Atomic encrypted saves with same-directory temp files (ciphertext only)
 
-Compatible with OpenSSL 3.x API → uses EVP_MAC, no deprecated HMAC_CTX
+Compatible with OpenSSL 3.5+ API → uses `EVP_KDF` for Argon2id and `EVP_CIPHER` AEAD APIs
+
+Encrypted recovery snapshots after each mutating command and mirrored backup copies for the latest durable state
 
 Simple ed-like commands:
 
@@ -49,18 +51,64 @@ Simple ed-like commands:
 
 Security Notes
 
-Editor uses AES-256-CBC with random IV per file
+Editor uses AES-256-GCM with a random 96-bit nonce per file
+
+Uses an authenticated `EED4` header and currently accepts only the fixed supported Argon2id profile
+
+Authenticates the full header as AEAD associated data before any plaintext is accepted
+
+If AEAD authentication fails, the file is not opened
 
-Uses PBKDF2 with 100,000 iterations (easy to increase or switch to Argon2)
+Saves are atomic: encrypted output is written to a temp file, synced, then renamed over the target
 
-Adds HMAC-SHA-256 over IV + ciphertext → integrity check
+Each open file is held with an exclusive advisory lock, and saves refuse to proceed if the pathname no longer points at the file originally opened
 
-If MAC verification fails, the file is not opened
+The editor save path intentionally writes only ciphertext; swap, hibernation, snapshots, and backups remain outside the editor's control
 
-No plaintext is written to disk unless you explicitly write
+Every mutating command refreshes an encrypted `.recovery` snapshot, and each save refreshes an encrypted `.bak` mirror before the primary rename so crashes still leave a recoverable ciphertext copy
+
+Quit will attempt to refresh a final encrypted recovery snapshot before exiting if the in-memory buffer is dirty and the prior recovery snapshot is stale
+
+The parent directory must be owned by the current user and not writable by group or others
 
 Plaintext buffer and password are securely wiped on exit
 
+Memory locking is attempted at startup; set `EED_REQUIRE_MLOCK=1` to fail closed on hosts where `mlockall()` is unavailable
+
+Current release writes an `EED4` file format and does not open files written by older releases
+
+
+Verification
+
+`make` builds the release binary
+
+`make asan` builds the sanitizer-enabled regression binary
+
+`make verify` runs static analysis, PTY smoke testing, property-style round-trip testing, deterministic vector checks, and malformed-file regression sweeps
+
+`make recovery` runs crash-recovery and latest-backup regression coverage
+
+`make fuzz-build` builds a portable sanitizer-backed fuzz harness for `load_encrypted()`
+
+`make libfuzzer-build` attempts the libFuzzer variant and prints guidance when the local toolchain does not provide the runtime
+
+`make audit-manifest` writes `dist/sha256.txt` and `dist/build-info.txt` for exact-build review
+
+
+Assurance Docs
+
+`docs/threat-model.md` defines the threat model and explicit non-goals
+
+`docs/security-invariants.md` records the invariants the code is expected to preserve
+
+`docs/storage-model.md` explains what the save path can and cannot honestly claim about recoverability
+
+`docs/release-process.md` documents the exact-build audit and signed-release workflow
+
+`docs/file-format-eed4.md` freezes the binary format and includes a deterministic test vector
+
+`docs/c-hardening-roadmap.md` lays out the next hardening steps within a C-only codebase
+
 
 Limitations
 
@@ -72,4 +120,6 @@ No multi-level undo
 
 No support for !shell commands (on purpose → security)
 
-No auto-recovery (intentional → secure)
+Crash recovery is sidecar-based; there is no multi-version recovery browser or undo journal
+
+Does not support symbolic links or files with multiple hard links

ci/build_openssl.sh

@@ -0,0 +1,28 @@
+#!/bin/sh
+set -eu
+
+OPENSSL_VERSION="${OPENSSL_VERSION:-3.5.0}"
+OPENSSL_PREFIX="${OPENSSL_PREFIX:-$PWD/.openssl/$OPENSSL_VERSION}"
+
+if [ -x "$OPENSSL_PREFIX/bin/openssl" ]; then
+    exit 0
+fi
+
+BUILD_ROOT="$(mktemp -d)"
+ARCHIVE="$BUILD_ROOT/openssl-$OPENSSL_VERSION.tar.gz"
+SOURCE_DIR="$BUILD_ROOT/openssl-$OPENSSL_VERSION"
+
+cleanup() {
+    rm -rf "$BUILD_ROOT"
+}
+trap cleanup EXIT
+
+curl -fsSL \
+    -o "$ARCHIVE" \
+    "https://github.com/openssl/openssl/releases/download/openssl-$OPENSSL_VERSION/openssl-$OPENSSL_VERSION.tar.gz"
+tar -xzf "$ARCHIVE" -C "$BUILD_ROOT"
+
+cd "$SOURCE_DIR"
+./config --prefix="$OPENSSL_PREFIX" --openssldir="$OPENSSL_PREFIX/ssl"
+make -j"$(getconf _NPROCESSORS_ONLN 2>/dev/null || echo 2)"
+make install_sw

docs/c-hardening-roadmap.md

@@ -0,0 +1,31 @@
+# C Hardening Roadmap
+
+## Current State
+
+The editor remains a C codebase by design. The current hardening strategy is therefore to narrow the dangerous surface, freeze the crypto container, and keep verification pressure high rather than to promise language-level memory safety.
+
+## Immediate Controls
+
+- Keep the crypto format fixed and documented in `docs/file-format-eed4.md`.
+- Keep `make verify` mandatory before release.
+- Keep `make fuzz-run` in regular use against `load_encrypted()`.
+- Preserve explicit cleansing of passwords, keys, tags, and plaintext buffers.
+- Keep risky helper functions `static` and continue preferring fixed-size buffers and explicit bounds checks.
+
+## Near-Term Assurance Work
+
+- Add stricter warning gates such as `-Wconversion`, `-Wshadow`, and `-Wstrict-prototypes` once the tree is clean under them.
+- Run `clang-tidy` and `cppcheck` in CI as advisory jobs.
+- Perform a manual MISRA-C-oriented review of the parser and save path, while being explicit that the project is not yet claiming formal MISRA compliance.
+- Expand deterministic test vectors to cover empty files and maximum-length line edge cases.
+
+## Higher-Assurance Options Without Leaving C
+
+- Split the file-format parser and serializer into a smaller translation unit with a narrower API.
+- Add CBMC or Frama-C proofs for header parsing, bounds checks, and line-count safety properties.
+- Add negative tests for every rejected header field combination in `EED4`.
+- Consider a dedicated hardened build profile with stack canaries, full RELRO, and platform-specific linker hardening flags.
+
+## Explicit Non-Claim
+
+This roadmap improves assurance inside a C codebase. It does not make C memory-safe, and it should not be described that way.

docs/file-format-eed4.md

@@ -0,0 +1,76 @@
+# EED4 File Format
+
+## Fixed Crypto Profile
+
+- KDF: Argon2id
+- Argon2 version: 19
+- Memory cost: 65536 KiB
+- Iterations: 3
+- Lanes: 1
+- Cipher: AES-256-GCM
+- Nonce length: 12 bytes
+- Tag length: 16 bytes
+- Header authentication: the full 48-byte header is passed as AEAD associated data
+
+## Plaintext Encoding
+
+The editor serializes the in-memory buffer as a byte stream of newline-terminated lines. Each stored line is emitted exactly as typed, followed by `0x0a`. An empty editor buffer produces an empty plaintext stream.
+
+## Binary Layout
+
+| Offset | Length | Field |
+| ------ | ------ | ----- |
+| `0` | `4` | Magic ASCII `EED4` |
+| `4` | `1` | File format version (`0x01`) |
+| `5` | `1` | KDF identifier (`0x01` = Argon2id) |
+| `6` | `1` | Cipher identifier (`0x01` = AES-256-GCM) |
+| `7` | `1` | Flags (`0x00`) |
+| `8` | `4` | Argon2 memory cost in KiB, big-endian |
+| `12` | `4` | Argon2 iteration count, big-endian |
+| `16` | `4` | Argon2 lane count, big-endian |
+| `20` | `16` | Random salt |
+| `36` | `12` | Random AES-GCM nonce |
+| `48` | `n` | Ciphertext |
+| `48 + n` | `16` | AES-GCM tag |
+
+## Acceptance Rules
+
+- The loader only accepts the fixed profile above.
+- Older `EED3` files are intentionally rejected.
+- The loader rejects oversized payloads, NUL bytes, overlong lines, excessive line counts, and authentication failures.
+
+## Deterministic Test Vector
+
+This vector is fixed in `tests/test_vectors.py` and is intended to detect accidental format or primitive drift.
+
+- Password: `vector-passphrase`
+- Salt: `000102030405060708090a0b0c0d0e0f`
+- Nonce: `101112131415161718191a1b`
+- Plaintext lines:
+  - `alpha`
+  - `beta/gamma`
+  - `Line 3 with spaces`
+
+Header:
+
+```text
+4545443401010100000100000000000300000001000102030405060708090a0b0c0d0e0f101112131415161718191a1b
+```
+
+Ciphertext:
+
+```text
+e0e8b9f9d13cf983046e60ed522f9e1d27e5b302ee5551ff4135f8a4614a53a20324ff84
+```
+
+Tag:
+
+```text
+2a1c8c48936d3b5555a2e7b3d1fa2eb2
+```
+
+Full file:
+
+```text
+4545443401010100000100000000000300000001000102030405060708090a0b0c0d0e0f101112131415161718191a1be0e8b9f9d13cf983046e60ed522f9e1d27e5b302ee5551ff4135f8a4614a53a20324ff842a1c8c48936d3b5555a2e7b3d1fa2eb2
+```

docs/release-process.md

@@ -0,0 +1,58 @@
+# Release And Audit Process
+
+## Purpose
+
+This repository can now produce a repeatable internal verification bundle, but an actual independent audit still requires a separate reviewer and a signing key that are not part of this workspace.
+
+## Minimum Release Procedure
+
+1. Build from a clean checkout of the exact commit being released.
+2. Set a fixed `SOURCE_DATE_EPOCH` for the release run.
+3. Run `make clean all verify audit-manifest`.
+4. Archive the resulting binary plus `dist/sha256.txt` and `dist/build-info.txt`.
+5. Record the exact OpenSSL version, compiler version, operating system, and committed `EED4` format spec in the release notes.
+
+## External Audit Procedure
+
+1. Hand the auditor the exact commit ID, the release artifact, and the audit manifest.
+2. Require the auditor to rebuild from the same commit and compare the resulting hashes against `dist/sha256.txt`.
+3. Scope the audit to the exact binary hash being shipped, not just to the source tree in general.
+4. Treat any source change, compiler change, or dependency change as a new audit candidate.
+
+## Signed Release Procedure
+
+1. Generate the audit manifest with `make audit-manifest`.
+2. Sign `dist/sha256.txt` and the release notes with an offline key that is kept outside the build machine.
+3. Publish the signature, the public verification key, and the binary hash together.
+4. Make signature verification part of the deployment checklist.
+
+The repository does not ship a signing key, and it should not. Signed releases need an operator-controlled trust root.
+
+## Reproducibility Notes
+
+- Avoid embedding ad hoc local changes, generated files, or untracked patches in the release build.
+- Pin the compiler family and OpenSSL build used for production.
+- Rebuild from scratch for each release instead of reusing a previously compiled binary.
+- Keep the deterministic vector in `docs/file-format-eed4.md` and `tests/test_vectors.py` in sync with the shipping format.
+
+## What This Repo Can Do Today
+
+- Release build: `make`
+- Sanitized regression build: `make asan`
+- Static analysis: `make analyze`
+- PTY smoke test: `make smoke`
+- Property-style round-trip test: `make property`
+- Deterministic format/vector test: `make vectors`
+- Crash-recovery and backup regression test: `make recovery`
+- Malformed-file regression sweep: `make malformed`
+- Portable parser fuzz harness build: `make fuzz-build`
+- Optional libFuzzer build on supported toolchains: `make libfuzzer-build`
+  The target prints guidance instead of hard-failing when the local clang does not ship the fuzzer runtime.
+- Audit manifest bundle: `make audit-manifest`
+- Continuous verify/fuzz workflow: `.github/workflows/verify.yml`
+
+## What Still Requires External Work
+
+- A truly independent review of the final ship binary
+- Real release signing with an offline organizational key
+- Longer-running fuzz campaigns with corpus management and crash triage