authsrv: salt the keyseed from /adm/keyseed file
change the keyseed key derivation to hkdf sha256 using the hostowners des key plus 256 bit random salt from /adm/keyseed.
This commit is contained in:
cinap_lenrek
parent
27498dd63a
commit
009bec0752
1 changed files with 23 additions and 3 deletions
|
|
@ -1007,13 +1007,33 @@ initkeyseed(void)
|
||||||
{
|
{
|
||||||
static char info[] = "PRF key for generation of dummy user keys";
|
static char info[] = "PRF key for generation of dummy user keys";
|
||||||
char k[DESKEYLEN], *u;
|
char k[DESKEYLEN], *u;
|
||||||
|
int fd;
|
||||||
|
|
||||||
|
genrandom(keyseed, sizeof(keyseed));
|
||||||
|
|
||||||
u = getuser();
|
u = getuser();
|
||||||
if(!finddeskey(KEYDB, u, k)){
|
if(!finddeskey(KEYDB, u, k)){
|
||||||
syslog(0, AUTHLOG, "can't generate keyseed: user %s not in keydb", u);
|
syslog(0, AUTHLOG, "initkeyseed: user %s not in keydb", u);
|
||||||
exits(0);
|
return;
|
||||||
}
|
}
|
||||||
hmac_sha2_256((uchar*)info, sizeof(info)-1, (uchar*)k, sizeof(k), keyseed, nil);
|
|
||||||
|
if((fd = create("/adm/keyseed", OWRITE|OEXCL, 0600)) >= 0){
|
||||||
|
write(fd, keyseed, sizeof(keyseed));
|
||||||
|
} else if((fd = open("/adm/keyseed", OREAD)) >= 0){
|
||||||
|
read(fd, keyseed, sizeof(keyseed));
|
||||||
|
} else{
|
||||||
|
syslog(0, AUTHLOG, "initkeyseed: no seed file: %r");
|
||||||
|
memset(k, 0, sizeof(k));
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
close(fd);
|
||||||
|
|
||||||
|
hkdf_x( keyseed, sizeof(keyseed),
|
||||||
|
(uchar*)info, sizeof(info)-1,
|
||||||
|
(uchar*)k, sizeof(k),
|
||||||
|
keyseed, sizeof(keyseed),
|
||||||
|
hmac_sha2_256, SHA2_256dlen);
|
||||||
|
|
||||||
memset(k, 0, sizeof(k));
|
memset(k, 0, sizeof(k));
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue