summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTodd C. Miller <millert@cvs.openbsd.org>2002-06-07 21:35:27 +0000
committerTodd C. Miller <millert@cvs.openbsd.org>2002-06-07 21:35:27 +0000
commitcccd0fa144040165e4a4ddbdae55c3bab037d2b2 (patch)
treedc08be005dec3114f2933a8ab2f9767da3b596a6
parenta8a4729faded286eb50d21323bfcb165b3c5dc50 (diff)
Instead of passing seed and defaultseed to normal_mode() and
secure_mode() just pass in a single default seed. Only secure_mode() needs to actually change the seed and it can use its own temporary buffer. Fix zeroing of the secrete passphrase. Instead of useing multiple password buffers, crunch the key each time and compare the crunched values.
-rw-r--r--usr.bin/skeyinit/skeyinit.c81
1 files changed, 43 insertions, 38 deletions
diff --git a/usr.bin/skeyinit/skeyinit.c b/usr.bin/skeyinit/skeyinit.c
index a0e49d0faae..63ce5afe724 100644
--- a/usr.bin/skeyinit/skeyinit.c
+++ b/usr.bin/skeyinit/skeyinit.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: skeyinit.c,v 1.37 2002/06/06 20:56:02 aaron Exp $ */
+/* $OpenBSD: skeyinit.c,v 1.38 2002/06/07 21:35:26 millert Exp $ */
/* OpenBSD S/Key (skeyinit.c)
*
@@ -39,8 +39,8 @@
#endif
void usage(void);
-void secure_mode(int *, char *, char *, char *, char *, size_t);
-void normal_mode(char *, int, char *, char *, char *);
+void secure_mode(int *, char *, char *, char *, size_t);
+void normal_mode(char *, int, char *, char *);
void timedout(int);
void convert_db(void);
void enable_db(int);
@@ -50,7 +50,7 @@ main(int argc, char **argv)
{
int rval, i, l, n, defaultsetup, rmkey, hexmode, enable, convert;
char hostname[MAXHOSTNAMELEN];
- char seed[SKEY_MAX_SEED_LEN + 2], defaultseed[SKEY_MAX_SEED_LEN + 1];
+ char seed[SKEY_MAX_SEED_LEN + 1];
char buf[256], key[SKEY_BINKEY_SIZE], filename[PATH_MAX], *ht;
char lastc, me[UT_NAMESIZE + 1], *p, *auth_type;
struct skey skey;
@@ -63,7 +63,7 @@ main(int argc, char **argv)
/* Build up a default seed based on the hostname and time */
if (gethostname(hostname, sizeof(hostname)) < 0)
err(1, "gethostname");
- for (i = 0, p = defaultseed; hostname[i] && i < SKEY_NAMELEN; i++) {
+ for (i = 0, p = seed; hostname[i] && i < SKEY_NAMELEN; i++) {
if (isalpha(hostname[i])) {
if (isupper(hostname[i]))
hostname[i] = tolower(hostname[i]);
@@ -226,14 +226,14 @@ main(int argc, char **argv)
if (l > 0) {
lastc = skey.seed[l - 1];
if (isdigit(lastc) && lastc != '9') {
- (void)strcpy(defaultseed, skey.seed);
- defaultseed[l - 1] = lastc + 1;
+ (void)strcpy(seed, skey.seed);
+ seed[l - 1] = lastc + 1;
}
if (isdigit(lastc) && lastc == '9' && l < 16) {
- (void)strcpy(defaultseed, skey.seed);
- defaultseed[l - 1] = '0';
- defaultseed[l] = '0';
- defaultseed[l + 1] = '\0';
+ (void)strcpy(seed, skey.seed);
+ seed[l - 1] = '0';
+ seed[l] = '0';
+ seed[l + 1] = '\0';
}
}
break;
@@ -267,9 +267,9 @@ main(int argc, char **argv)
alarm(180);
if (!defaultsetup)
- secure_mode(&n, key, seed, defaultseed, buf, sizeof(buf));
+ secure_mode(&n, key, seed, buf, sizeof(buf));
else
- normal_mode(pp->pw_name, n, key, seed, defaultseed);
+ normal_mode(pp->pw_name, n, key, seed);
alarm(0);
/* XXX - why use malloc here? */
@@ -283,18 +283,17 @@ main(int argc, char **argv)
(void)fclose(skey.keyfile);
(void)printf("\nID %s skey is otp-%s %d %s\n", pp->pw_name,
- skey_get_algorithm(), n, seed);
+ skey_get_algorithm(), n, seed);
(void)printf("Next login password: %s\n\n",
hexmode ? put8(buf, key) : btoe(buf, key));
exit(0);
}
void
-secure_mode(int *count, char *key, char *seed, char *defaultseed, char *buf,
- size_t bufsiz)
+secure_mode(int *count, char *key, char *seed, char *buf, size_t bufsiz)
{
+ char *p, newseed[SKEY_MAX_SEED_LEN + 2];
int i, n;
- char *p;
(void)puts("You need the 6 words generated from the \"skey\" command.");
for (i = 0; ; i++) {
@@ -316,19 +315,16 @@ secure_mode(int *count, char *key, char *seed, char *defaultseed, char *buf,
if (i >= 2)
exit(1);
- (void)printf("Enter new seed [default %s]: ",
- defaultseed);
- (void)fgets(seed, SKEY_MAX_SEED_LEN+2, stdin); /* XXX */
+ (void)printf("Enter new seed [default %s]: ", seed);
+ (void)fgets(newseed, sizeof(newseed), stdin); /* XXX */
clearerr(stdin);
- rip(seed);
- if (strlen(seed) > SKEY_MAX_SEED_LEN) {
+ rip(newseed);
+ if (strlen(newseed) > SKEY_MAX_SEED_LEN) {
(void)fprintf(stderr, "ERROR: Seed must be between 1 "
"and %d characters in length\n", SKEY_MAX_SEED_LEN);
continue;
}
- if (seed[0] == '\0')
- (void)strcpy(seed, defaultseed);
- for (p = seed; *p; p++) {
+ for (p = newseed; *p; p++) {
if (isspace(*p)) {
(void)fputs("ERROR: Seed must not contain "
"any spaces\n", stderr);
@@ -345,6 +341,8 @@ secure_mode(int *count, char *key, char *seed, char *defaultseed, char *buf,
if (*p == '\0')
break; /* Valid seed */
}
+ if (newseed[0] != '\0')
+ (void)strcpy(seed, newseed);
for (i = 0; ; i++) {
if (i >= 2)
@@ -372,18 +370,15 @@ secure_mode(int *count, char *key, char *seed, char *defaultseed, char *buf,
}
void
-normal_mode(char *username, int n, char *key, char *seed, char *defaultseed)
+normal_mode(char *username, int n, char *key, char *seed)
{
int i, nn;
- char passwd[SKEY_MAX_PW_LEN+2], passwd2[SKEY_MAX_PW_LEN+2];
+ char passwd[SKEY_MAX_PW_LEN+2], key2[SKEY_BINKEY_SIZE];
/* Get user's secret passphrase */
for (i = 0; ; i++) {
- memset(passwd, 0, sizeof(passwd));
- memset(passwd2, 0, sizeof(passwd2));
-
if (i > 2)
- exit(1);
+ errx(1, "S/Key entry not updated");
if (readpassphrase("Enter secret passphrase: ", passwd,
sizeof(passwd), 0) == NULL || passwd[0] == '\0')
@@ -411,18 +406,28 @@ normal_mode(char *username, int n, char *key, char *seed, char *defaultseed)
}
/* XXX - should check for passphrase that is really too long */
- if (readpassphrase("Again secret passphrase: ", passwd2,
- sizeof(passwd2), 0) && strcmp(passwd, passwd2) == 0)
+ /* Crunch seed and passphrase into starting key */
+ nn = keycrunch(key, seed, passwd);
+ memset(passwd, 0, sizeof(passwd));
+ if (nn != 0)
+ err(2, "key crunch failed");
+
+ if (readpassphrase("Again secret passphrase: ", passwd,
+ sizeof(passwd), 0) == NULL || passwd[0] == '\0')
+ exit(1);
+
+ /* Crunch seed and passphrase into starting key */
+ nn = keycrunch(key2, seed, passwd);
+ memset(passwd, 0, sizeof(passwd));
+ if (nn != 0)
+ err(2, "key crunch failed");
+
+ if (memcmp(key, key2, sizeof(key2)) == 0)
break;
(void)fputs("Passphrases do not match.\n", stderr);
}
- /* Crunch seed and passphrase into starting key */
- (void)strcpy(seed, defaultseed);
- if (keycrunch(key, seed, passwd) != 0)
- err(2, "key crunch failed");
-
nn = n;
while (nn-- != 0)
f(key);