src - OpenBSD base system

diff options


context:
space:
mode:

author	Joel Sing <jsing@cvs.openbsd.org>	2016-09-18 16:35:00 +0000
committer	Joel Sing <jsing@cvs.openbsd.org>	2016-09-18 16:35:00 +0000
commit	d1baabbe39d2fec309554d81e0893f1f57cd9864 (patch)
tree	44c6a5cb366c653bdeb0fb52a1ee8567431644c6 /sys/lib/libsa
parent	aff42c2450ae808acf14174033f9b4ab37ff2181 (diff)

Add bcrypt pbkdf support to the softraid crypto boot loader code.

Based on a diff from djm@

Diffstat (limited to 'sys/lib/libsa')

-rw-r--r--

sys/lib/libsa/softraid.c

1 files changed, 28 insertions, 5 deletions

diff --git a/sys/lib/libsa/softraid.c b/sys/lib/libsa/softraid.c
index d751b2250fa..47780132bf7 100644
--- a/sys/lib/libsa/softraid.c
+++ b/sys/lib/libsa/softraid.c

@@ -1,4 +1,4 @@

-/* $OpenBSD: softraid.c,v 1.1 2016/09/11 17:49:36 jsing Exp $ */

+/* $OpenBSD: softraid.c,v 1.2 2016/09/18 16:34:59 jsing Exp $ */

@@ -22,6 +22,7 @@

#include <dev/biovar.h>

#include <dev/softraidvar.h>

+#include <lib/libsa/bcrypt_pbkdf.h>

#include <lib/libsa/hmac_sha1.h>

#include <lib/libsa/pkcs5_pbkdf2.h>

#include <lib/libsa/rijndael.h>

@@ -119,6 +120,7 @@ sr_crypto_decrypt_keys(struct sr_boot_volume *bv)

u_int8_t *keys = NULL;

u_int8_t *kp, *cp;

rijndael_ctx ctx;

+ u_int32_t type;

int rv = -1;

int c, i;

@@ -150,6 +152,12 @@ sr_crypto_decrypt_keys(struct sr_boot_volume *bv)

if (kd) {

bcopy(&kd->kd_key, &kdfinfo.maskkey, sizeof(kdfinfo.maskkey));

} else {

+ if (kdfhint->generic.type != SR_CRYPTOKDFT_PKCS5_PBKDF2 &&

+ kdfhint->generic.type != SR_CRYPTOKDFT_BCRYPT_PBKDF) {

+ printf("unknown KDF type %u\n", kdfhint->generic.type);

+ goto done;

+ }

printf("Passphrase: ");

for (i = 0; i < PASSPHRASE_LENGTH - 1; i++) {

c = cngetc();

@@ -169,10 +177,25 @@ sr_crypto_decrypt_keys(struct sr_boot_volume *bv)

passphrase, strlen(passphrase));

#endif

- if (pkcs5_pbkdf2(passphrase, strlen(passphrase), kdfhint->salt,

- sizeof(kdfhint->salt), kdfinfo.maskkey,

- sizeof(kdfinfo.maskkey), kdfhint->rounds) != 0) {

- printf("pbkdf2 failed\n");

+ type = kdfhint->generic.type;

+ if (type == SR_CRYPTOKDFT_PKCS5_PBKDF2) {

+ if (pkcs5_pbkdf2(passphrase, strlen(passphrase),

+ kdfhint->salt, sizeof(kdfhint->salt),

+ kdfinfo.maskkey, sizeof(kdfinfo.maskkey),

+ kdfhint->rounds) != 0) {

+ printf("pkcs5_pbkdf2 failed\n");

+ goto done;

+ }

+ } else if (type == SR_CRYPTOKDFT_BCRYPT_PBKDF) {

+ if (bcrypt_pbkdf(passphrase, strlen(passphrase),

+ kdfhint->salt, sizeof(kdfhint->salt),

+ kdfinfo.maskkey, sizeof(kdfinfo.maskkey),

+ kdfhint->rounds) != 0) {

+ printf("bcrypt_pbkdf failed\n");

+ goto done;

+ }

+ } else {

+ printf("unknown KDF type %u\n", kdfhint->generic.type);

goto done;

}