hey,
this was ok'ed by djm, somebody should commit it!
On Thu, Feb 04, 2010 at 19:25 +0300, Mike Belopuhov wrote:
> hey,
>
> while looking thru bioctl stuff, i've accidentaly stumbled upon
> pbkdf2 thing and found out that mount_vnd still uses local
> pkcs5_pbkdf2.c from NetBSD and links against libcrypto (although
> it's a static binary). reduction in size is about 2.5 times
> (from 353K to 145K), so it's a win, right? :)
>
> i've tested compatibility between old and new versions and
> everything looks.. er.. compatible.
>
> so sending this out that it won't be lost.
>
> Index: Makefile
> ===================================================================
> RCS file: /cvs/src/sbin/mount_vnd/Makefile,v
> retrieving revision 1.6
> diff -N -u -p Makefile
> --- Makefile 14 Jun 2008 01:47:27 -0000 1.6
> +++ Makefile 4 Feb 2010 16:10:01 -0000
> @@ -1,8 +1,11 @@
> # $OpenBSD: Makefile,v 1.6 2008/06/14 01:47:27 grunk Exp $
>
> +.PATH: ${.CURDIR}/../bioctl
> +CFLAGS+=-I${.CURDIR}/../bioctl
> +
> PROG= mount_vnd
> -SRCS= mount_vnd.c pkcs5_pbkdf2.c
> -LDADD= -lutil -lcrypto
> +SRCS= mount_vnd.c pbkdf2.c
> +LDADD= -lutil
> DPADD= ${LIBUTIL}
>
> CDIAGFLAGS+= -Wall
> Index: mount_vnd.c
> ===================================================================
> RCS file: /cvs/src/sbin/mount_vnd/mount_vnd.c,v
> retrieving revision 1.8
> diff -N -u -p mount_vnd.c
> --- mount_vnd.c 3 Sep 2008 23:24:25 -0000 1.8
> +++ mount_vnd.c 4 Feb 2010 16:10:01 -0000
> @@ -49,14 +49,14 @@
> #include <err.h>
> #include <errno.h>
> #include <fcntl.h>
> -#include <pwd.h>
> +#include <readpassphrase.h>
> #include <stdio.h>
> #include <stdlib.h>
> #include <string.h>
> #include <unistd.h>
> #include <util.h>
>
> -#include "pkcs5_pbkdf2.h"
> +#include "pbkdf2.h"
>
> #define DEFAULT_VND "svnd0"
>
> @@ -180,19 +180,20 @@ main(int argc, char **argv)
> char *
> get_pkcs_key(char *arg, char *saltopt)
> {
> - char keybuf[128], saltbuf[128], saltfilebuf[PATH_MAX];
> - char *saltfile;
> + char passphrase[128];
> + char saltbuf[128], saltfilebuf[PATH_MAX];
> char *key = NULL;
> + char *saltfile;
> const char *errstr;
> int rounds;
>
> rounds = strtonum(arg, 1000, INT_MAX, &errstr);
> if (errstr)
> err(1, "rounds: %s", errstr);
> - key = getpass("Encryption key: ");
> - if (!key || strlen(key) == 0)
> - errx(1, "Need an encryption key");
> - strncpy(keybuf, key, sizeof(keybuf));
> + bzero(passphrase, sizeof(passphrase));
> + if (readpassphrase("Encryption key: ", passphrase, sizeof(passphrase),
> + RPP_REQUIRE_TTY) == NULL)
> + errx(1, "Unable to read passphrase");
> if (saltopt)
> saltfile = saltopt;
> else {
> @@ -212,7 +213,8 @@ get_pkcs_key(char *arg, char *saltopt)
> if (fd == -1) {
> int *s;
>
> - fprintf(stderr, "Salt file not found, attempting to
> create one\n");
> + fprintf(stderr, "Salt file not found, attempting to "
> + "create one\n");
> fd = open(saltfile, O_RDWR|O_CREAT|O_EXCL, 0600);
> if (fd == -1)
> err(1, "Unable to create salt file: '%s'",
> @@ -222,18 +224,24 @@ get_pkcs_key(char *arg, char *saltopt)
> *s = arc4random();
> if (write(fd, saltbuf, sizeof(saltbuf))
> != sizeof(saltbuf))
> - err(1, "Unable to write salt file: '%s'",
> saltfile);
> - fprintf(stderr, "Salt file created as '%s'\n",
> saltfile);
> + err(1, "Unable to write salt file: '%s'",
> + saltfile);
> + fprintf(stderr, "Salt file created as '%s'\n",
> + saltfile);
> } else {
> if (read(fd, saltbuf, sizeof(saltbuf))
> != sizeof(saltbuf))
> - err(1, "Unable to read salt file: '%s'",
> saltfile);
> + err(1, "Unable to read salt file: '%s'",
> + saltfile);
> }
> close(fd);
> }
> - if (pkcs5_pbkdf2((u_int8_t**)&key, BLF_MAXUTILIZED, keybuf,
> - sizeof(keybuf), saltbuf, sizeof(saltbuf), rounds, 0))
> + if ((key = calloc(1, BLF_MAXUTILIZED)) == NULL)
> + err(1, NULL);
> + if (pkcs5_pbkdf2(passphrase, sizeof(passphrase), saltbuf,
> + sizeof (saltbuf), key, BLF_MAXUTILIZED, rounds))
> errx(1, "pkcs5_pbkdf2 failed");
> + memset(passphrase, 0, sizeof(passphrase));
>
> return (key);
> }
> Index: pkcs5_pbkdf2.c
> ===================================================================
> RCS file: /cvs/src/sbin/mount_vnd/pkcs5_pbkdf2.c,v
> retrieving revision 1.5
> diff -N -u -p pkcs5_pbkdf2.c
> --- pkcs5_pbkdf2.c 26 Jun 2008 05:42:06 -0000 1.5
> +++ /dev/null 28 Sep 2008 10:50:08 -0000
> @@ -1,168 +0,0 @@
> -/* $NetBSD: pkcs5_pbkdf2.c,v 1.5 2004/03/17 01:29:13 dan Exp $ */
> -
> -/*-
> - * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc.
> - * All rights reserved.
> - *
> - * This code is derived from software contributed to The NetBSD Foundation
> - * by Roland C. Dowdeswell.
> - *
> - * Redistribution and use in source and binary forms, with or without
> - * modification, are permitted provided that the following conditions
> - * are met:
> - * 1. Redistributions of source code must retain the above copyright
> - * notice, this list of conditions and the following disclaimer.
> - * 2. Redistributions in binary form must reproduce the above copyright
> - * notice, this list of conditions and the following disclaimer in the
> - * documentation and/or other materials provided with the distribution.
> - *
> - * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
> - * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> LIMITED
> - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
> - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
> - * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
> - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
> - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
> - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
> - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
> - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
> - * POSSIBILITY OF SUCH DAMAGE.
> - */
> -
> -/*
> - * This code is an implementation of PKCS #5 PBKDF2 which is described
> - * in:
> - *
> - * ``PKCS #5 v2.0: Password-Based Cryptography Standard'', RSA Laboratories,
> - * March 25, 1999.
> - *
> - * and can be found at the following URL:
> - *
> - * http://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/
> - *
> - * It was also republished as RFC 2898.
> - */
> -
> -
> -#include <sys/types.h>
> -#include <sys/time.h>
> -#include <sys/resource.h>
> -
> -#include <assert.h>
> -#include <err.h>
> -#include <stdlib.h>
> -#include <string.h>
> -
> -#include <openssl/hmac.h>
> -
> -#include "pkcs5_pbkdf2.h"
> -
> -static void int_encode(u_int8_t *, int);
> -static void prf_iterate(u_int8_t *, const u_int8_t *, int,
> - const u_int8_t *, int, int, int);
> -
> -static void
> -memxor(void *res, const void *src, size_t len)
> -{
> - size_t i;
> - char *r;
> - const char *s;
> -
> - r = res;
> - s = src;
> - for (i=0; i < len; i++)
> - r[i] ^= s[i];
> -}
> -
> -#define PRF_BLOCKLEN 20
> -
> -/*
> - * int_encode encodes i as a four octet integer, most significant
> - * octet first. (from the end of Step 3).
> - */
> -
> -static void
> -int_encode(u_int8_t *res, int i)
> -{
> -
> - *res++ = (i >> 24) & 0xff;
> - *res++ = (i >> 16) & 0xff;
> - *res++ = (i >> 8) & 0xff;
> - *res = (i ) & 0xff;
> -}
> -
> -static void
> -prf_iterate(u_int8_t *r, const u_int8_t *P, int Plen,
> - const u_int8_t *S, int Slen, int c, int ind)
> -{
> - int first_time = 1;
> - int i;
> - int datalen;
> - int tmplen;
> - u_int8_t *data;
> - u_int8_t tmp[EVP_MAX_MD_SIZE];
> -
> - data = malloc(Slen + 4);
> - if (!data)
> - err(1, "prf_iterate");
> - memcpy(data, S, Slen);
> - int_encode(data + Slen, ind);
> - datalen = Slen + 4;
> -
> - for (i=0; i < c; i++) {
> - HMAC(EVP_sha1(), P, Plen, data, datalen, tmp, &tmplen);
> -
> - assert(tmplen == PRF_BLOCKLEN);
> -
> - if (first_time) {
> - memcpy(r, tmp, PRF_BLOCKLEN);
> - first_time = 0;
> - } else
> - memxor(r, tmp, PRF_BLOCKLEN);
> - memcpy(data, tmp, PRF_BLOCKLEN);
> - datalen = PRF_BLOCKLEN;
> - }
> - free(data);
> -}
> -
> -/*
> - * pkcs5_pbkdf2 takes all of its lengths in bytes.
> - */
> -
> -int
> -pkcs5_pbkdf2(u_int8_t **r, int dkLen, const u_int8_t *P, int Plen,
> - const u_int8_t *S, int Slen, int c, int compat)
> -{
> - int i;
> - int l;
> -
> - /* sanity */
> - if (!r)
> - return -1;
> - if (dkLen <= 0)
> - return -1;
> - if (c < 1)
> - return -1;
> -
> - /* Step 2 */
> - l = (dkLen + PRF_BLOCKLEN - 1) / PRF_BLOCKLEN;
> -
> - /* allocate the output */
> - *r = calloc(l, PRF_BLOCKLEN);
> - if (!*r)
> - return -1;
> -
> - /* Step 3 */
> - for (i=0; i < l; i++)
> - prf_iterate(*r + (PRF_BLOCKLEN * i), P, Plen, S, Slen, c,
> - (compat?i:i+1));
> -
> - /* Step 4 and 5
> - * by the structure of the code, we do not need to concatenate
> - * the blocks, they're already concatenated. We do not extract
> - * the first dkLen octets, since we [naturally] assume that the
> - * calling function will use only the octets that it needs and
> - * the free(3) will free all of the allocated memory.
> - */
> - return 0;
> -}
> Index: pkcs5_pbkdf2.h
> ===================================================================
> RCS file: /cvs/src/sbin/mount_vnd/pkcs5_pbkdf2.h,v
> retrieving revision 1.3
> diff -N -u -p pkcs5_pbkdf2.h
> --- pkcs5_pbkdf2.h 26 Jun 2008 05:42:06 -0000 1.3
> +++ /dev/null 28 Sep 2008 10:50:08 -0000
> @@ -1,39 +0,0 @@
> -/* $NetBSD: pkcs5_pbkdf2.h,v 1.3 2004/03/17 01:29:13 dan Exp $ */
> -
> -/*-
> - * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc.
> - * All rights reserved.
> - *
> - * This code is derived from software contributed to The NetBSD Foundation
> - * by Roland C. Dowdeswell.
> - *
> - * Redistribution and use in source and binary forms, with or without
> - * modification, are permitted provided that the following conditions
> - * are met:
> - * 1. Redistributions of source code must retain the above copyright
> - * notice, this list of conditions and the following disclaimer.
> - * 2. Redistributions in binary form must reproduce the above copyright
> - * notice, this list of conditions and the following disclaimer in the
> - * documentation and/or other materials provided with the distribution.
> - *
> - * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
> - * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
> LIMITED
> - * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
> - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
> - * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
> - * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
> - * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
> - * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
> - * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
> - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
> - * POSSIBILITY OF SUCH DAMAGE.
> - */
> -
> -#ifndef PKCS5_PBKDF2_H
> -#define PKCS5_PBKDF2_H
> -
> -__BEGIN_DECLS
> -int pkcs5_pbkdf2(u_int8_t **, int, const u_int8_t *, int,
> - const u_int8_t *, int, int, int);
> -__END_DECLS
> -#endif
