hey,
while looking thru bioctl stuff, i've accidentaly stumbled upon
pbkdf2 thing and found out that mount_vnd still uses local
pkcs5_pbkdf2.c from NetBSD and links against libcrypto (although
it's a static binary). reduction in size is about 2.5 times
(from 353K to 145K), so it's a win, right? :)
i've tested compatibility between old and new versions and
everything looks.. er.. compatible.
so sending this out that it won't be lost.
Index: Makefile
===================================================================
RCS file: /cvs/src/sbin/mount_vnd/Makefile,v
retrieving revision 1.6
diff -N -u -p Makefile
--- Makefile 14 Jun 2008 01:47:27 -0000 1.6
+++ Makefile 4 Feb 2010 16:10:01 -0000
@@ -1,8 +1,11 @@
# $OpenBSD: Makefile,v 1.6 2008/06/14 01:47:27 grunk Exp $
+.PATH: ${.CURDIR}/../bioctl
+CFLAGS+=-I${.CURDIR}/../bioctl
+
PROG= mount_vnd
-SRCS= mount_vnd.c pkcs5_pbkdf2.c
-LDADD= -lutil -lcrypto
+SRCS= mount_vnd.c pbkdf2.c
+LDADD= -lutil
DPADD= ${LIBUTIL}
CDIAGFLAGS+= -Wall
Index: mount_vnd.c
===================================================================
RCS file: /cvs/src/sbin/mount_vnd/mount_vnd.c,v
retrieving revision 1.8
diff -N -u -p mount_vnd.c
--- mount_vnd.c 3 Sep 2008 23:24:25 -0000 1.8
+++ mount_vnd.c 4 Feb 2010 16:10:01 -0000
@@ -49,14 +49,14 @@
#include <err.h>
#include <errno.h>
#include <fcntl.h>
-#include <pwd.h>
+#include <readpassphrase.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <util.h>
-#include "pkcs5_pbkdf2.h"
+#include "pbkdf2.h"
#define DEFAULT_VND "svnd0"
@@ -180,19 +180,20 @@ main(int argc, char **argv)
char *
get_pkcs_key(char *arg, char *saltopt)
{
- char keybuf[128], saltbuf[128], saltfilebuf[PATH_MAX];
- char *saltfile;
+ char passphrase[128];
+ char saltbuf[128], saltfilebuf[PATH_MAX];
char *key = NULL;
+ char *saltfile;
const char *errstr;
int rounds;
rounds = strtonum(arg, 1000, INT_MAX, &errstr);
if (errstr)
err(1, "rounds: %s", errstr);
- key = getpass("Encryption key: ");
- if (!key || strlen(key) == 0)
- errx(1, "Need an encryption key");
- strncpy(keybuf, key, sizeof(keybuf));
+ bzero(passphrase, sizeof(passphrase));
+ if (readpassphrase("Encryption key: ", passphrase, sizeof(passphrase),
+ RPP_REQUIRE_TTY) == NULL)
+ errx(1, "Unable to read passphrase");
if (saltopt)
saltfile = saltopt;
else {
@@ -212,7 +213,8 @@ get_pkcs_key(char *arg, char *saltopt)
if (fd == -1) {
int *s;
- fprintf(stderr, "Salt file not found, attempting to
create one\n");
+ fprintf(stderr, "Salt file not found, attempting to "
+ "create one\n");
fd = open(saltfile, O_RDWR|O_CREAT|O_EXCL, 0600);
if (fd == -1)
err(1, "Unable to create salt file: '%s'",
@@ -222,18 +224,24 @@ get_pkcs_key(char *arg, char *saltopt)
*s = arc4random();
if (write(fd, saltbuf, sizeof(saltbuf))
!= sizeof(saltbuf))
- err(1, "Unable to write salt file: '%s'",
saltfile);
- fprintf(stderr, "Salt file created as '%s'\n",
saltfile);
+ err(1, "Unable to write salt file: '%s'",
+ saltfile);
+ fprintf(stderr, "Salt file created as '%s'\n",
+ saltfile);
} else {
if (read(fd, saltbuf, sizeof(saltbuf))
!= sizeof(saltbuf))
- err(1, "Unable to read salt file: '%s'",
saltfile);
+ err(1, "Unable to read salt file: '%s'",
+ saltfile);
}
close(fd);
}
- if (pkcs5_pbkdf2((u_int8_t**)&key, BLF_MAXUTILIZED, keybuf,
- sizeof(keybuf), saltbuf, sizeof(saltbuf), rounds, 0))
+ if ((key = calloc(1, BLF_MAXUTILIZED)) == NULL)
+ err(1, NULL);
+ if (pkcs5_pbkdf2(passphrase, sizeof(passphrase), saltbuf,
+ sizeof (saltbuf), key, BLF_MAXUTILIZED, rounds))
errx(1, "pkcs5_pbkdf2 failed");
+ memset(passphrase, 0, sizeof(passphrase));
return (key);
}
Index: pkcs5_pbkdf2.c
===================================================================
RCS file: /cvs/src/sbin/mount_vnd/pkcs5_pbkdf2.c,v
retrieving revision 1.5
diff -N -u -p pkcs5_pbkdf2.c
--- pkcs5_pbkdf2.c 26 Jun 2008 05:42:06 -0000 1.5
+++ /dev/null 28 Sep 2008 10:50:08 -0000
@@ -1,168 +0,0 @@
-/* $NetBSD: pkcs5_pbkdf2.c,v 1.5 2004/03/17 01:29:13 dan Exp $ */
-
-/*-
- * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This code is derived from software contributed to The NetBSD Foundation
- * by Roland C. Dowdeswell.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * This code is an implementation of PKCS #5 PBKDF2 which is described
- * in:
- *
- * ``PKCS #5 v2.0: Password-Based Cryptography Standard'', RSA Laboratories,
- * March 25, 1999.
- *
- * and can be found at the following URL:
- *
- * http://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/
- *
- * It was also republished as RFC 2898.
- */
-
-
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/resource.h>
-
-#include <assert.h>
-#include <err.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <openssl/hmac.h>
-
-#include "pkcs5_pbkdf2.h"
-
-static void int_encode(u_int8_t *, int);
-static void prf_iterate(u_int8_t *, const u_int8_t *, int,
- const u_int8_t *, int, int, int);
-
-static void
-memxor(void *res, const void *src, size_t len)
-{
- size_t i;
- char *r;
- const char *s;
-
- r = res;
- s = src;
- for (i=0; i < len; i++)
- r[i] ^= s[i];
-}
-
-#define PRF_BLOCKLEN 20
-
-/*
- * int_encode encodes i as a four octet integer, most significant
- * octet first. (from the end of Step 3).
- */
-
-static void
-int_encode(u_int8_t *res, int i)
-{
-
- *res++ = (i >> 24) & 0xff;
- *res++ = (i >> 16) & 0xff;
- *res++ = (i >> 8) & 0xff;
- *res = (i ) & 0xff;
-}
-
-static void
-prf_iterate(u_int8_t *r, const u_int8_t *P, int Plen,
- const u_int8_t *S, int Slen, int c, int ind)
-{
- int first_time = 1;
- int i;
- int datalen;
- int tmplen;
- u_int8_t *data;
- u_int8_t tmp[EVP_MAX_MD_SIZE];
-
- data = malloc(Slen + 4);
- if (!data)
- err(1, "prf_iterate");
- memcpy(data, S, Slen);
- int_encode(data + Slen, ind);
- datalen = Slen + 4;
-
- for (i=0; i < c; i++) {
- HMAC(EVP_sha1(), P, Plen, data, datalen, tmp, &tmplen);
-
- assert(tmplen == PRF_BLOCKLEN);
-
- if (first_time) {
- memcpy(r, tmp, PRF_BLOCKLEN);
- first_time = 0;
- } else
- memxor(r, tmp, PRF_BLOCKLEN);
- memcpy(data, tmp, PRF_BLOCKLEN);
- datalen = PRF_BLOCKLEN;
- }
- free(data);
-}
-
-/*
- * pkcs5_pbkdf2 takes all of its lengths in bytes.
- */
-
-int
-pkcs5_pbkdf2(u_int8_t **r, int dkLen, const u_int8_t *P, int Plen,
- const u_int8_t *S, int Slen, int c, int compat)
-{
- int i;
- int l;
-
- /* sanity */
- if (!r)
- return -1;
- if (dkLen <= 0)
- return -1;
- if (c < 1)
- return -1;
-
- /* Step 2 */
- l = (dkLen + PRF_BLOCKLEN - 1) / PRF_BLOCKLEN;
-
- /* allocate the output */
- *r = calloc(l, PRF_BLOCKLEN);
- if (!*r)
- return -1;
-
- /* Step 3 */
- for (i=0; i < l; i++)
- prf_iterate(*r + (PRF_BLOCKLEN * i), P, Plen, S, Slen, c,
- (compat?i:i+1));
-
- /* Step 4 and 5
- * by the structure of the code, we do not need to concatenate
- * the blocks, they're already concatenated. We do not extract
- * the first dkLen octets, since we [naturally] assume that the
- * calling function will use only the octets that it needs and
- * the free(3) will free all of the allocated memory.
- */
- return 0;
-}
Index: pkcs5_pbkdf2.h
===================================================================
RCS file: /cvs/src/sbin/mount_vnd/pkcs5_pbkdf2.h,v
retrieving revision 1.3
diff -N -u -p pkcs5_pbkdf2.h
--- pkcs5_pbkdf2.h 26 Jun 2008 05:42:06 -0000 1.3
+++ /dev/null 28 Sep 2008 10:50:08 -0000
@@ -1,39 +0,0 @@
-/* $NetBSD: pkcs5_pbkdf2.h,v 1.3 2004/03/17 01:29:13 dan Exp $ */
-
-/*-
- * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This code is derived from software contributed to The NetBSD Foundation
- * by Roland C. Dowdeswell.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- * notice, this list of conditions and the following disclaimer in the
- * documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef PKCS5_PBKDF2_H
-#define PKCS5_PBKDF2_H
-
-__BEGIN_DECLS
-int pkcs5_pbkdf2(u_int8_t **, int, const u_int8_t *, int,
- const u_int8_t *, int, int, int);
-__END_DECLS
-#endif
