hey, this was ok'ed by djm, somebody should commit it!
On Thu, Feb 04, 2010 at 19:25 +0300, Mike Belopuhov wrote: > hey, > > while looking thru bioctl stuff, i've accidentaly stumbled upon > pbkdf2 thing and found out that mount_vnd still uses local > pkcs5_pbkdf2.c from NetBSD and links against libcrypto (although > it's a static binary). reduction in size is about 2.5 times > (from 353K to 145K), so it's a win, right? :) > > i've tested compatibility between old and new versions and > everything looks.. er.. compatible. > > so sending this out that it won't be lost. > > Index: Makefile > =================================================================== > RCS file: /cvs/src/sbin/mount_vnd/Makefile,v > retrieving revision 1.6 > diff -N -u -p Makefile > --- Makefile 14 Jun 2008 01:47:27 -0000 1.6 > +++ Makefile 4 Feb 2010 16:10:01 -0000 > @@ -1,8 +1,11 @@ > # $OpenBSD: Makefile,v 1.6 2008/06/14 01:47:27 grunk Exp $ > > +.PATH: ${.CURDIR}/../bioctl > +CFLAGS+=-I${.CURDIR}/../bioctl > + > PROG= mount_vnd > -SRCS= mount_vnd.c pkcs5_pbkdf2.c > -LDADD= -lutil -lcrypto > +SRCS= mount_vnd.c pbkdf2.c > +LDADD= -lutil > DPADD= ${LIBUTIL} > > CDIAGFLAGS+= -Wall > Index: mount_vnd.c > =================================================================== > RCS file: /cvs/src/sbin/mount_vnd/mount_vnd.c,v > retrieving revision 1.8 > diff -N -u -p mount_vnd.c > --- mount_vnd.c 3 Sep 2008 23:24:25 -0000 1.8 > +++ mount_vnd.c 4 Feb 2010 16:10:01 -0000 > @@ -49,14 +49,14 @@ > #include <err.h> > #include <errno.h> > #include <fcntl.h> > -#include <pwd.h> > +#include <readpassphrase.h> > #include <stdio.h> > #include <stdlib.h> > #include <string.h> > #include <unistd.h> > #include <util.h> > > -#include "pkcs5_pbkdf2.h" > +#include "pbkdf2.h" > > #define DEFAULT_VND "svnd0" > > @@ -180,19 +180,20 @@ main(int argc, char **argv) > char * > get_pkcs_key(char *arg, char *saltopt) > { > - char keybuf[128], saltbuf[128], saltfilebuf[PATH_MAX]; > - char *saltfile; > + char passphrase[128]; > + char saltbuf[128], saltfilebuf[PATH_MAX]; > char *key = NULL; > + char *saltfile; > const char *errstr; > int rounds; > > rounds = strtonum(arg, 1000, INT_MAX, &errstr); > if (errstr) > err(1, "rounds: %s", errstr); > - key = getpass("Encryption key: "); > - if (!key || strlen(key) == 0) > - errx(1, "Need an encryption key"); > - strncpy(keybuf, key, sizeof(keybuf)); > + bzero(passphrase, sizeof(passphrase)); > + if (readpassphrase("Encryption key: ", passphrase, sizeof(passphrase), > + RPP_REQUIRE_TTY) == NULL) > + errx(1, "Unable to read passphrase"); > if (saltopt) > saltfile = saltopt; > else { > @@ -212,7 +213,8 @@ get_pkcs_key(char *arg, char *saltopt) > if (fd == -1) { > int *s; > > - fprintf(stderr, "Salt file not found, attempting to > create one\n"); > + fprintf(stderr, "Salt file not found, attempting to " > + "create one\n"); > fd = open(saltfile, O_RDWR|O_CREAT|O_EXCL, 0600); > if (fd == -1) > err(1, "Unable to create salt file: '%s'", > @@ -222,18 +224,24 @@ get_pkcs_key(char *arg, char *saltopt) > *s = arc4random(); > if (write(fd, saltbuf, sizeof(saltbuf)) > != sizeof(saltbuf)) > - err(1, "Unable to write salt file: '%s'", > saltfile); > - fprintf(stderr, "Salt file created as '%s'\n", > saltfile); > + err(1, "Unable to write salt file: '%s'", > + saltfile); > + fprintf(stderr, "Salt file created as '%s'\n", > + saltfile); > } else { > if (read(fd, saltbuf, sizeof(saltbuf)) > != sizeof(saltbuf)) > - err(1, "Unable to read salt file: '%s'", > saltfile); > + err(1, "Unable to read salt file: '%s'", > + saltfile); > } > close(fd); > } > - if (pkcs5_pbkdf2((u_int8_t**)&key, BLF_MAXUTILIZED, keybuf, > - sizeof(keybuf), saltbuf, sizeof(saltbuf), rounds, 0)) > + if ((key = calloc(1, BLF_MAXUTILIZED)) == NULL) > + err(1, NULL); > + if (pkcs5_pbkdf2(passphrase, sizeof(passphrase), saltbuf, > + sizeof (saltbuf), key, BLF_MAXUTILIZED, rounds)) > errx(1, "pkcs5_pbkdf2 failed"); > + memset(passphrase, 0, sizeof(passphrase)); > > return (key); > } > Index: pkcs5_pbkdf2.c > =================================================================== > RCS file: /cvs/src/sbin/mount_vnd/pkcs5_pbkdf2.c,v > retrieving revision 1.5 > diff -N -u -p pkcs5_pbkdf2.c > --- pkcs5_pbkdf2.c 26 Jun 2008 05:42:06 -0000 1.5 > +++ /dev/null 28 Sep 2008 10:50:08 -0000 > @@ -1,168 +0,0 @@ > -/* $NetBSD: pkcs5_pbkdf2.c,v 1.5 2004/03/17 01:29:13 dan Exp $ */ > - > -/*- > - * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc. > - * All rights reserved. > - * > - * This code is derived from software contributed to The NetBSD Foundation > - * by Roland C. Dowdeswell. > - * > - * Redistribution and use in source and binary forms, with or without > - * modification, are permitted provided that the following conditions > - * are met: > - * 1. Redistributions of source code must retain the above copyright > - * notice, this list of conditions and the following disclaimer. > - * 2. Redistributions in binary form must reproduce the above copyright > - * notice, this list of conditions and the following disclaimer in the > - * documentation and/or other materials provided with the distribution. > - * > - * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS > - * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > LIMITED > - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR > - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS > - * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR > - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF > - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS > - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN > - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) > - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE > - * POSSIBILITY OF SUCH DAMAGE. > - */ > - > -/* > - * This code is an implementation of PKCS #5 PBKDF2 which is described > - * in: > - * > - * ``PKCS #5 v2.0: Password-Based Cryptography Standard'', RSA Laboratories, > - * March 25, 1999. > - * > - * and can be found at the following URL: > - * > - * http://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/ > - * > - * It was also republished as RFC 2898. > - */ > - > - > -#include <sys/types.h> > -#include <sys/time.h> > -#include <sys/resource.h> > - > -#include <assert.h> > -#include <err.h> > -#include <stdlib.h> > -#include <string.h> > - > -#include <openssl/hmac.h> > - > -#include "pkcs5_pbkdf2.h" > - > -static void int_encode(u_int8_t *, int); > -static void prf_iterate(u_int8_t *, const u_int8_t *, int, > - const u_int8_t *, int, int, int); > - > -static void > -memxor(void *res, const void *src, size_t len) > -{ > - size_t i; > - char *r; > - const char *s; > - > - r = res; > - s = src; > - for (i=0; i < len; i++) > - r[i] ^= s[i]; > -} > - > -#define PRF_BLOCKLEN 20 > - > -/* > - * int_encode encodes i as a four octet integer, most significant > - * octet first. (from the end of Step 3). > - */ > - > -static void > -int_encode(u_int8_t *res, int i) > -{ > - > - *res++ = (i >> 24) & 0xff; > - *res++ = (i >> 16) & 0xff; > - *res++ = (i >> 8) & 0xff; > - *res = (i ) & 0xff; > -} > - > -static void > -prf_iterate(u_int8_t *r, const u_int8_t *P, int Plen, > - const u_int8_t *S, int Slen, int c, int ind) > -{ > - int first_time = 1; > - int i; > - int datalen; > - int tmplen; > - u_int8_t *data; > - u_int8_t tmp[EVP_MAX_MD_SIZE]; > - > - data = malloc(Slen + 4); > - if (!data) > - err(1, "prf_iterate"); > - memcpy(data, S, Slen); > - int_encode(data + Slen, ind); > - datalen = Slen + 4; > - > - for (i=0; i < c; i++) { > - HMAC(EVP_sha1(), P, Plen, data, datalen, tmp, &tmplen); > - > - assert(tmplen == PRF_BLOCKLEN); > - > - if (first_time) { > - memcpy(r, tmp, PRF_BLOCKLEN); > - first_time = 0; > - } else > - memxor(r, tmp, PRF_BLOCKLEN); > - memcpy(data, tmp, PRF_BLOCKLEN); > - datalen = PRF_BLOCKLEN; > - } > - free(data); > -} > - > -/* > - * pkcs5_pbkdf2 takes all of its lengths in bytes. > - */ > - > -int > -pkcs5_pbkdf2(u_int8_t **r, int dkLen, const u_int8_t *P, int Plen, > - const u_int8_t *S, int Slen, int c, int compat) > -{ > - int i; > - int l; > - > - /* sanity */ > - if (!r) > - return -1; > - if (dkLen <= 0) > - return -1; > - if (c < 1) > - return -1; > - > - /* Step 2 */ > - l = (dkLen + PRF_BLOCKLEN - 1) / PRF_BLOCKLEN; > - > - /* allocate the output */ > - *r = calloc(l, PRF_BLOCKLEN); > - if (!*r) > - return -1; > - > - /* Step 3 */ > - for (i=0; i < l; i++) > - prf_iterate(*r + (PRF_BLOCKLEN * i), P, Plen, S, Slen, c, > - (compat?i:i+1)); > - > - /* Step 4 and 5 > - * by the structure of the code, we do not need to concatenate > - * the blocks, they're already concatenated. We do not extract > - * the first dkLen octets, since we [naturally] assume that the > - * calling function will use only the octets that it needs and > - * the free(3) will free all of the allocated memory. > - */ > - return 0; > -} > Index: pkcs5_pbkdf2.h > =================================================================== > RCS file: /cvs/src/sbin/mount_vnd/pkcs5_pbkdf2.h,v > retrieving revision 1.3 > diff -N -u -p pkcs5_pbkdf2.h > --- pkcs5_pbkdf2.h 26 Jun 2008 05:42:06 -0000 1.3 > +++ /dev/null 28 Sep 2008 10:50:08 -0000 > @@ -1,39 +0,0 @@ > -/* $NetBSD: pkcs5_pbkdf2.h,v 1.3 2004/03/17 01:29:13 dan Exp $ */ > - > -/*- > - * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc. > - * All rights reserved. > - * > - * This code is derived from software contributed to The NetBSD Foundation > - * by Roland C. Dowdeswell. > - * > - * Redistribution and use in source and binary forms, with or without > - * modification, are permitted provided that the following conditions > - * are met: > - * 1. Redistributions of source code must retain the above copyright > - * notice, this list of conditions and the following disclaimer. > - * 2. Redistributions in binary form must reproduce the above copyright > - * notice, this list of conditions and the following disclaimer in the > - * documentation and/or other materials provided with the distribution. > - * > - * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS > - * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT > LIMITED > - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR > - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS > - * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR > - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF > - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS > - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN > - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) > - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE > - * POSSIBILITY OF SUCH DAMAGE. > - */ > - > -#ifndef PKCS5_PBKDF2_H > -#define PKCS5_PBKDF2_H > - > -__BEGIN_DECLS > -int pkcs5_pbkdf2(u_int8_t **, int, const u_int8_t *, int, > - const u_int8_t *, int, int, int); > -__END_DECLS > -#endif