In the event that a program uses invalid parameters, I think we should
overwrite the key with random data. Otherwise, there's a chance the program
will continue with a zero key. It may even appear to work, encrypting and
decrypting data, but with a weak key. Random data means it fails closed, and
should also make it easier to detect such errors since it no longer
interoperates.
Index: bcrypt_pbkdf.c
===================================================================
RCS file: /home/cvs/src/lib/libutil/bcrypt_pbkdf.c,v
retrieving revision 1.13
diff -u -p -r1.13 bcrypt_pbkdf.c
--- bcrypt_pbkdf.c 12 Jan 2015 03:20:04 -0000 1.13
+++ bcrypt_pbkdf.c 15 Oct 2019 19:14:12 -0000
@@ -110,10 +110,10 @@ bcrypt_pbkdf(const char *pass, size_t pa
/* nothing crazy */
if (rounds < 1)
- return -1;
+ goto bad;
if (passlen == 0 || saltlen == 0 || keylen == 0 ||
keylen > sizeof(out) * sizeof(out))
- return -1;
+ goto bad;
stride = (keylen + sizeof(out) - 1) / sizeof(out);
amt = (keylen + stride - 1) / stride;
@@ -166,4 +166,8 @@ bcrypt_pbkdf(const char *pass, size_t pa
explicit_bzero(out, sizeof(out));
return 0;
+
+bad:
+ arc4random_buf(key, keylen);
+ return -1;
}
Index: pkcs5_pbkdf2.c
===================================================================
RCS file: /home/cvs/src/lib/libutil/pkcs5_pbkdf2.c,v
retrieving revision 1.10
diff -u -p -r1.10 pkcs5_pbkdf2.c
--- pkcs5_pbkdf2.c 18 Apr 2017 04:06:21 -0000 1.10
+++ pkcs5_pbkdf2.c 15 Oct 2019 19:17:08 -0000
@@ -84,11 +84,11 @@ pkcs5_pbkdf2(const char *pass, size_t pa
size_t r;
if (rounds < 1 || key_len == 0)
- return -1;
+ goto bad;
if (salt_len == 0 || salt_len > SIZE_MAX - 4)
- return -1;
+ goto bad;
if ((asalt = malloc(salt_len + 4)) == NULL)
- return -1;
+ goto bad;
memcpy(asalt, salt, salt_len);
@@ -118,4 +118,8 @@ pkcs5_pbkdf2(const char *pass, size_t pa
explicit_bzero(obuf, sizeof(obuf));
return 0;
+
+bad:
+ arc4random_buf(key, key_len);
+ return -1;
}
