diff options
author | Joel Sing <jsing@cvs.openbsd.org> | 2016-09-10 17:08:45 +0000 |
---|---|---|
committer | Joel Sing <jsing@cvs.openbsd.org> | 2016-09-10 17:08:45 +0000 |
commit | 30beccce00ffbebd5bf514cbaded2d7640549627 (patch) | |
tree | fc1c73149f00baf65135d6abe0d836fab2af21db | |
parent | 7072e590cf8f56e8aa86478ecadadd9ecb8f8dc5 (diff) |
Teach bioctl derive_key() how to handle bcrypt_pbkdf.
Part of a diff from djm@
-rw-r--r-- | sbin/bioctl/bioctl.c | 22 |
1 files changed, 16 insertions, 6 deletions
diff --git a/sbin/bioctl/bioctl.c b/sbin/bioctl/bioctl.c index dda37288514..c7e57fabc8b 100644 --- a/sbin/bioctl/bioctl.c +++ b/sbin/bioctl/bioctl.c @@ -1,4 +1,4 @@ -/* $OpenBSD: bioctl.c,v 1.136 2016/09/10 17:06:11 jsing Exp $ */ +/* $OpenBSD: bioctl.c,v 1.137 2016/09/10 17:08:44 jsing Exp $ */ /* * Copyright (c) 2004, 2005 Marco Peereboom @@ -1275,9 +1275,11 @@ derive_key(u_int32_t type, int rounds, u_int8_t *key, size_t keysz, if (!salt) errx(1, "Invalid salt"); - if (type != SR_CRYPTOKDFT_PKCS5_PBKDF2) + if (type != SR_CRYPTOKDFT_PKCS5_PBKDF2 && + type != SR_CRYPTOKDFT_BCRYPT_PBKDF) errx(1, "unknown KDF type %d", type); - if (rounds < 1000) + + if (rounds < (type == SR_CRYPTOKDFT_PKCS5_PBKDF2 ? 1000 : 4)) errx(1, "number of KDF rounds is too small: %d", rounds); /* get passphrase */ @@ -1325,9 +1327,17 @@ derive_key(u_int32_t type, int rounds, u_int8_t *key, size_t keysz, } /* derive key from passphrase */ - if (pkcs5_pbkdf2(passphrase, strlen(passphrase), salt, saltsz, - key, keysz, rounds) != 0) - errx(1, "pbkdf2 failed"); + if (type == SR_CRYPTOKDFT_PKCS5_PBKDF2) { + if (pkcs5_pbkdf2(passphrase, strlen(passphrase), salt, saltsz, + key, keysz, rounds) != 0) + errx(1, "pkcs5_pbkdf2 failed"); + } else if (type == SR_CRYPTOKDFT_BCRYPT_PBKDF) { + if (bcrypt_pbkdf(passphrase, strlen(passphrase), salt, saltsz, + key, keysz, rounds) != 0) + errx(1, "bcrypt_pbkdf failed"); + } else { + errx(1, "unknown KDF type %d", type); + } /* forget passphrase */ explicit_bzero(passphrase, sizeof(passphrase)); |