cmd/auth: remove private /dev/random reading routines, use genrandom()
This commit is contained in:
parent
809522e80f
commit
c6a9cbb071
14 changed files with 31 additions and 131 deletions
|
@ -52,7 +52,6 @@ main(int argc, char *argv[])
|
|||
}ARGEND
|
||||
|
||||
initcap();
|
||||
srand(getpid()*time(0));
|
||||
if(argc >= 2)
|
||||
runas(argv[0], argv[1]);
|
||||
else
|
||||
|
@ -96,15 +95,6 @@ usage(void)
|
|||
exits("usage");
|
||||
}
|
||||
|
||||
void
|
||||
memrandom(void *p, int n)
|
||||
{
|
||||
uchar *cp;
|
||||
|
||||
for(cp = (uchar*)p; n > 0; n--)
|
||||
*cp++ = fastrand();
|
||||
}
|
||||
|
||||
/*
|
||||
* keep caphash fd open since opens of it could be disabled
|
||||
*/
|
||||
|
@ -138,7 +128,7 @@ mkcap(char *from, char *to)
|
|||
nfrom = strlen(from);
|
||||
cap = emalloc(nfrom+1+nto+1+sizeof(rand)*3+1);
|
||||
sprint(cap, "%s@%s", from, to);
|
||||
memrandom(rand, sizeof(rand));
|
||||
genrandom(rand, sizeof(rand));
|
||||
key = cap+nfrom+1+nto+1;
|
||||
enc64(key, sizeof(rand)*3, rand, sizeof(rand));
|
||||
|
||||
|
|
|
@ -33,7 +33,6 @@ void replyerror(char*, ...);
|
|||
void getraddr(char*);
|
||||
void mkkey(Authkey*);
|
||||
void mkticket(Ticketreq*, Ticket*);
|
||||
void randombytes(uchar*, int);
|
||||
void nthash(uchar hash[MShashlen], char *passwd);
|
||||
void lmhash(uchar hash[MShashlen], char *passwd);
|
||||
void ntv2hash(uchar hash[MShashlen], char *passwd, char *user, char *dom);
|
||||
|
@ -64,7 +63,6 @@ main(int argc, char *argv[])
|
|||
if(db == 0)
|
||||
syslog(0, AUTHLOG, "no /lib/ndb/auth");
|
||||
|
||||
srand(time(0)*getpid());
|
||||
for(;;){
|
||||
n = readn(0, buf, sizeof(buf));
|
||||
if(n <= 0 || convM2TR(buf, n, &tr) <= 0)
|
||||
|
@ -167,7 +165,7 @@ challengebox(Ticketreq *tr)
|
|||
netkey = finddeskey(NETKEYDB, tr->uid, nkbuf);
|
||||
if(key == nil && netkey == nil){
|
||||
/* make one up so caller doesn't know it was wrong */
|
||||
randombytes((uchar*)nkbuf, DESKEYLEN);
|
||||
genrandom((uchar*)nkbuf, DESKEYLEN);
|
||||
netkey = nkbuf;
|
||||
if(debug)
|
||||
syslog(0, AUTHLOG, "cr-fail uid %s@%s", tr->uid, raddr);
|
||||
|
@ -185,7 +183,7 @@ challengebox(Ticketreq *tr)
|
|||
*/
|
||||
memset(buf, 0, sizeof(buf));
|
||||
buf[0] = AuthOK;
|
||||
chal = lnrand(MAXNETCHAL);
|
||||
chal = nfastrand(MAXNETCHAL);
|
||||
sprint(buf+1, "%lud", chal);
|
||||
if(write(1, buf, NETCHLEN+1) < 0)
|
||||
exits(0);
|
||||
|
@ -322,7 +320,7 @@ http(Ticketreq *tr)
|
|||
|
||||
/* send back a ticket encrypted with the key */
|
||||
mkticket(tr, &t);
|
||||
randombytes((uchar*)t.chal, CHALLEN);
|
||||
genrandom((uchar*)t.chal, CHALLEN);
|
||||
t.num = AuthHr;
|
||||
n = 0;
|
||||
tbuf[n++] = AuthOK;
|
||||
|
@ -388,7 +386,7 @@ apop(Ticketreq *tr, int type)
|
|||
/*
|
||||
* Create a challenge and send it.
|
||||
*/
|
||||
randombytes((uchar*)rb, sizeof(rb));
|
||||
genrandom((uchar*)rb, sizeof(rb));
|
||||
p = chal;
|
||||
p += snprint(p, sizeof(chal), "<%lux%lux.%lux%lux@%s>",
|
||||
rb[0], rb[1], rb[2], rb[3], domainname());
|
||||
|
@ -502,7 +500,7 @@ vnc(Ticketreq *tr)
|
|||
/*
|
||||
* Create a challenge and send it.
|
||||
*/
|
||||
randombytes(chal+6, VNCchallen);
|
||||
genrandom(chal+6, VNCchallen);
|
||||
chal[0] = AuthOKvar;
|
||||
sprint((char*)chal+1, "%-5d", VNCchallen);
|
||||
if(write(1, chal, sizeof(chal)) != sizeof(chal))
|
||||
|
@ -514,7 +512,7 @@ vnc(Ticketreq *tr)
|
|||
memset(sbuf, 0, sizeof(sbuf));
|
||||
secret = findsecret(KEYDB, tr->uid, sbuf);
|
||||
if(secret == nil){
|
||||
randombytes((uchar*)sbuf, sizeof(sbuf));
|
||||
genrandom((uchar*)sbuf, sizeof(sbuf));
|
||||
secret = sbuf;
|
||||
}
|
||||
for(i = 0; i < 8; i++)
|
||||
|
@ -565,7 +563,7 @@ chap(Ticketreq *tr)
|
|||
/*
|
||||
* Create a challenge and send it.
|
||||
*/
|
||||
randombytes((uchar*)chal, sizeof(chal));
|
||||
genrandom((uchar*)chal, sizeof(chal));
|
||||
write(1, chal, sizeof(chal));
|
||||
|
||||
/*
|
||||
|
@ -682,7 +680,7 @@ mschap(Ticketreq *tr)
|
|||
/*
|
||||
* Create a challenge and send it.
|
||||
*/
|
||||
randombytes((uchar*)chal, sizeof(chal));
|
||||
genrandom(chal, sizeof(chal));
|
||||
write(1, chal, sizeof(chal));
|
||||
|
||||
/*
|
||||
|
@ -1001,8 +999,8 @@ getraddr(char *dir)
|
|||
void
|
||||
mkkey(Authkey *k)
|
||||
{
|
||||
randombytes((uchar*)k->des, DESKEYLEN);
|
||||
randombytes((uchar*)k->aes, AESKEYLEN);
|
||||
genrandom((uchar*)k->des, DESKEYLEN);
|
||||
genrandom((uchar*)k->aes, AESKEYLEN);
|
||||
}
|
||||
|
||||
void
|
||||
|
@ -1012,19 +1010,7 @@ mkticket(Ticketreq *tr, Ticket *t)
|
|||
memmove(t->chal, tr->chal, CHALLEN);
|
||||
safecpy(t->cuid, tr->uid, sizeof(t->cuid));
|
||||
safecpy(t->suid, tr->uid, sizeof(t->suid));
|
||||
randombytes((uchar*)t->key, DESKEYLEN);
|
||||
}
|
||||
|
||||
void
|
||||
randombytes(uchar *buf, int len)
|
||||
{
|
||||
int i;
|
||||
|
||||
if(readfile("/dev/random", (char*)buf, len) >= 0)
|
||||
return;
|
||||
|
||||
for(i = 0; i < len; i++)
|
||||
buf[i] = rand();
|
||||
genrandom((uchar*)t->key, DESKEYLEN);
|
||||
}
|
||||
|
||||
/*
|
||||
|
|
|
@ -1,5 +1,6 @@
|
|||
#include <u.h>
|
||||
#include <libc.h>
|
||||
#include <libsec.h>
|
||||
#include <authsrv.h>
|
||||
#include <ctype.h>
|
||||
#include <bio.h>
|
||||
|
@ -19,13 +20,12 @@ void
|
|||
main(int argc, char *argv[])
|
||||
{
|
||||
char *u, answer[32], p9pass[32];
|
||||
int which, i, newkey, newbio, dosecret;
|
||||
int which, newkey, newbio, dosecret;
|
||||
long t;
|
||||
Authkey key;
|
||||
Acctbio a;
|
||||
Fs *f;
|
||||
|
||||
srand(getpid()*time(0));
|
||||
fmtinstall('K', deskeyfmt);
|
||||
|
||||
which = 0;
|
||||
|
@ -84,8 +84,7 @@ main(int argc, char *argv[])
|
|||
}
|
||||
if(newkey){
|
||||
memset(&key, 0, sizeof(key));
|
||||
for(i=0; i<DESKEYLEN; i++)
|
||||
key.des[i] = nrand(256);
|
||||
genrandom((uchar*)key.des, DESKEYLEN);
|
||||
}
|
||||
if(a.user == 0){
|
||||
t = getexpiration(f->keys, u);
|
||||
|
|
|
@ -74,23 +74,6 @@ main(int argc, char *argv[])
|
|||
exits(nil);
|
||||
}
|
||||
|
||||
void
|
||||
randombytes(uchar *p, int len)
|
||||
{
|
||||
int i, fd;
|
||||
|
||||
fd = open("/dev/random", OREAD);
|
||||
if(fd < 0){
|
||||
fprint(2, "%s: can't open /dev/random, using rand()\n", argv0);
|
||||
srand(time(0));
|
||||
for(i = 0; i < len; i++)
|
||||
p[i] = rand();
|
||||
return;
|
||||
}
|
||||
read(fd, p, len);
|
||||
close(fd);
|
||||
}
|
||||
|
||||
int
|
||||
badname(char *s)
|
||||
{
|
||||
|
@ -181,7 +164,7 @@ convert(char **db, int len)
|
|||
keydbaes = 1;
|
||||
}
|
||||
|
||||
randombytes((uchar*)p, keydboff);
|
||||
genrandom((uchar*)p, keydboff);
|
||||
if(keydbaes){
|
||||
AESstate s;
|
||||
|
||||
|
|
|
@ -12,7 +12,6 @@ int usepass;
|
|||
|
||||
int convert(char*, char*, Authkey*, int);
|
||||
void usage(void);
|
||||
void randombytes(uchar*, int);
|
||||
|
||||
void
|
||||
main(int argc, char *argv[])
|
||||
|
@ -101,7 +100,7 @@ convert(char *p, char *np, Authkey *key, int len)
|
|||
if(verb)
|
||||
print("%s\n", &p[off]);
|
||||
}
|
||||
randombytes((uchar*)np, KEYDBOFF);
|
||||
genrandom((uchar*)np, KEYDBOFF);
|
||||
len = (len*KEYDBLEN) + KEYDBOFF;
|
||||
oldCBCencrypt(key->des, np, len);
|
||||
return len;
|
||||
|
@ -113,20 +112,3 @@ usage(void)
|
|||
fprint(2, "usage: convkeys2 keyfile\n");
|
||||
exits("usage");
|
||||
}
|
||||
|
||||
void
|
||||
randombytes(uchar *p, int len)
|
||||
{
|
||||
int i, fd;
|
||||
|
||||
fd = open("/dev/random", OREAD);
|
||||
if(fd < 0){
|
||||
fprint(2, "convkeys2: can't open /dev/random, using rand()\n");
|
||||
srand(time(0));
|
||||
for(i = 0; i < len; i++)
|
||||
p[i] = rand();
|
||||
return;
|
||||
}
|
||||
read(fd, p, len);
|
||||
close(fd);
|
||||
}
|
||||
|
|
|
@ -191,7 +191,6 @@ main(int argc, char *argv[])
|
|||
fatal("cron already running: %r");
|
||||
|
||||
argv0 = "cron";
|
||||
srand(getpid()*time(0));
|
||||
last = time(0);
|
||||
for(;;){
|
||||
readalljobs();
|
||||
|
@ -656,15 +655,6 @@ qidcmp(Qid a, Qid b)
|
|||
return(a.path != b.path || a.vers != b.vers);
|
||||
}
|
||||
|
||||
void
|
||||
memrandom(void *p, int n)
|
||||
{
|
||||
uchar *cp;
|
||||
|
||||
for(cp = (uchar*)p; n > 0; n--)
|
||||
*cp++ = fastrand();
|
||||
}
|
||||
|
||||
/*
|
||||
* keep caphash fd open since opens of it could be disabled
|
||||
*/
|
||||
|
@ -699,7 +689,7 @@ mkcap(char *from, char *to)
|
|||
ncap = nfrom + 1 + nto + 1 + sizeof(rand)*3 + 1;
|
||||
cap = emalloc(ncap);
|
||||
snprint(cap, ncap, "%s@%s", from, to);
|
||||
memrandom(rand, sizeof(rand));
|
||||
genrandom(rand, sizeof(rand));
|
||||
key = cap+nfrom+1+nto+1;
|
||||
enc64(key, sizeof(rand)*3, rand, sizeof(rand));
|
||||
|
||||
|
|
|
@ -261,7 +261,7 @@ doreply(State *s, char *user, char *response)
|
|||
goto err;
|
||||
}
|
||||
|
||||
memrandom(s->tr.chal, CHALLEN);
|
||||
genrandom((uchar*)s->tr.chal, CHALLEN);
|
||||
safecpy(s->tr.uid, user, sizeof(s->tr.uid));
|
||||
alarm(30*1000);
|
||||
if(_asrequest(s->asfd, &s->tr) < 0){
|
||||
|
|
|
@ -188,7 +188,7 @@ chapwrite(Fsstate *fss, void *va, uint n)
|
|||
if(user == nil)
|
||||
break;
|
||||
|
||||
memrandom(pchal, MSchallenv2);
|
||||
genrandom((uchar*)pchal, MSchallenv2);
|
||||
|
||||
/* ChallengeHash() */
|
||||
ds = sha1(pchal, MSchallenv2, nil, nil);
|
||||
|
@ -579,7 +579,7 @@ domschap2(char *passwd, char *user, char *dom, uchar chal[MSchallen], uchar *res
|
|||
*p++ = t >> 48;
|
||||
*p++ = t >> 56;
|
||||
|
||||
memrandom(p, 8);
|
||||
genrandom(p, 8);
|
||||
p += 8; /* 64bit: client nonce */
|
||||
|
||||
*p++ = 0; /* 32bit: unknown data */
|
||||
|
@ -617,7 +617,7 @@ domschap2(char *passwd, char *user, char *dom, uchar chal[MSchallen], uchar *res
|
|||
* LmResponse = Cat(HMAC_MD5(LmHash, Cat(SC, CC)), CC)
|
||||
*/
|
||||
s = hmac_md5(chal, 8, hash, MShashlen, nil, nil);
|
||||
memrandom((uchar*)r->LMresp+16, 8);
|
||||
genrandom((uchar*)r->LMresp+16, 8);
|
||||
hmac_md5((uchar*)r->LMresp+16, 8, hash, MShashlen, (uchar*)r->LMresp, s);
|
||||
|
||||
/*
|
||||
|
|
|
@ -203,7 +203,6 @@ char *getnvramkey(int);
|
|||
void initcap(void);
|
||||
int isclient(char*);
|
||||
int matchattr(Attr*, Attr*, Attr*);
|
||||
void memrandom(void*, int);
|
||||
char *mkcap(char*, char*);
|
||||
int phaseerror(Fsstate*, char*);
|
||||
char *phasename(Fsstate*, int, char*);
|
||||
|
|
|
@ -88,7 +88,7 @@ p9skinit(Proto *p, Fsstate *fss)
|
|||
switch(s->vers){
|
||||
case 1:
|
||||
fss->phase = CHaveChal;
|
||||
memrandom(s->cchal, CHALLEN);
|
||||
genrandom((uchar*)s->cchal, CHALLEN);
|
||||
break;
|
||||
case 2:
|
||||
fss->phase = CNeedTreq;
|
||||
|
@ -108,7 +108,7 @@ p9skinit(Proto *p, Fsstate *fss)
|
|||
safecpy(s->tr.authid, _strfindattr(k->attr, "user"), sizeof(s->tr.authid));
|
||||
safecpy(s->tr.authdom, _strfindattr(k->attr, "dom"), sizeof(s->tr.authdom));
|
||||
s->key = k;
|
||||
memrandom(s->tr.chal, sizeof s->tr.chal);
|
||||
genrandom((uchar*)s->tr.chal, sizeof s->tr.chal);
|
||||
switch(s->vers){
|
||||
case 1:
|
||||
fss->phase = SNeedChal;
|
||||
|
@ -449,7 +449,7 @@ mkserverticket(State *s, char *tbuf, int tbuflen)
|
|||
memmove(t.chal, tr->chal, CHALLEN);
|
||||
strcpy(t.cuid, tr->uid);
|
||||
strcpy(t.suid, tr->uid);
|
||||
memrandom(t.key, DESKEYLEN);
|
||||
genrandom((uchar*)t.key, DESKEYLEN);
|
||||
t.num = AuthTc;
|
||||
ret = convT2M(&t, tbuf, tbuflen, (Authkey*)s->key->priv);
|
||||
t.num = AuthTs;
|
||||
|
|
|
@ -566,15 +566,6 @@ matchattr(Attr *pat, Attr *a0, Attr *a1)
|
|||
return 1;
|
||||
}
|
||||
|
||||
void
|
||||
memrandom(void *p, int n)
|
||||
{
|
||||
uchar *cp;
|
||||
|
||||
for(cp = (uchar*)p; n > 0; n--)
|
||||
*cp++ = fastrand();
|
||||
}
|
||||
|
||||
/*
|
||||
* keep caphash fd open since opens of it could be disabled
|
||||
*/
|
||||
|
@ -608,7 +599,7 @@ mkcap(char *from, char *to)
|
|||
nfrom = strlen(from);
|
||||
cap = emalloc(nfrom+1+nto+1+sizeof(rand)*3+1);
|
||||
sprint(cap, "%s@%s", from, to);
|
||||
memrandom(rand, sizeof(rand));
|
||||
genrandom(rand, sizeof(rand));
|
||||
key = cap+nfrom+1+nto+1;
|
||||
enc64(key, sizeof(rand)*3, rand, sizeof(rand));
|
||||
|
||||
|
|
|
@ -6,6 +6,7 @@
|
|||
#include <fcall.h>
|
||||
#include <bio.h>
|
||||
#include <ndb.h>
|
||||
#include <libsec.h>
|
||||
#include <authsrv.h>
|
||||
#include "authcmdlib.h"
|
||||
|
||||
|
@ -57,7 +58,6 @@ main(int argc, char *argv[])
|
|||
getraddr(argv[argc-1]);
|
||||
|
||||
argv0 = "guard";
|
||||
srand((getpid()*1103515245)^time(0));
|
||||
notify(catchalarm);
|
||||
|
||||
/*
|
||||
|
@ -69,7 +69,7 @@ main(int argc, char *argv[])
|
|||
/*
|
||||
* challenge-response
|
||||
*/
|
||||
chal = lnrand(MAXNETCHAL);
|
||||
chal = nfastrand(MAXNETCHAL);
|
||||
sprint(buf, "challenge: %lud\nresponse: ", chal);
|
||||
n = strlen(buf) + 1;
|
||||
if(write(1, buf, n) != n){
|
||||
|
|
|
@ -696,24 +696,6 @@ dostat(User *user, ulong qtype, void *p, int n)
|
|||
return convD2M(&d, p, n);
|
||||
}
|
||||
|
||||
|
||||
void
|
||||
randombytes(uchar *p, int len)
|
||||
{
|
||||
int i, fd;
|
||||
|
||||
fd = open("/dev/random", OREAD);
|
||||
if(fd < 0){
|
||||
fprint(2, "keyfs: can't open /dev/random, using rand()\n");
|
||||
srand(time(0));
|
||||
for(i = 0; i < len; i++)
|
||||
p[i] = rand();
|
||||
return;
|
||||
}
|
||||
read(fd, p, len);
|
||||
close(fd);
|
||||
}
|
||||
|
||||
void
|
||||
writeusers(void)
|
||||
{
|
||||
|
@ -740,7 +722,7 @@ writeusers(void)
|
|||
/* pack into buffer */
|
||||
buf = emalloc(keydboff + nu*keydblen);
|
||||
p = buf;
|
||||
randombytes(p, keydboff);
|
||||
genrandom(p, keydboff);
|
||||
p += keydboff;
|
||||
for(i = 0; i < Nuser; i++)
|
||||
for(u = users[i]; u != nil; u = u->link){
|
||||
|
|
|
@ -148,16 +148,14 @@ getfile(SConn *conn, char *gf, uchar **buf, ulong *buflen, uchar *key, int nkey)
|
|||
static int
|
||||
putfile(SConn *conn, char *pf, uchar *buf, ulong len, uchar *key, int nkey)
|
||||
{
|
||||
int i, n, fd, ivo, bufi, done;
|
||||
int n, fd, ivo, bufi, done;
|
||||
char s[Maxmsg];
|
||||
uchar skey[SHA1dlen], b[CHK+Maxmsg], IV[AESbsize];
|
||||
AESstate aes;
|
||||
DigestState *sha;
|
||||
|
||||
/* create initialization vector */
|
||||
srand(time(0)); /* doesn't need to be unpredictable */
|
||||
for(i=0; i<AESbsize; i++)
|
||||
IV[i] = 0xff & rand();
|
||||
genrandom(IV, AESbsize);
|
||||
sha = sha1((uchar*)"aescbc file", 11, nil, nil);
|
||||
sha1(key, nkey, skey, sha);
|
||||
setupAESstate(&aes, skey, AESbsize, IV);
|
||||
|
|
Loading…
Reference in a new issue