shithub: riscv

Download patch

ref: 009bec07521287ebfc9f4dcfddac18d8f27f1fb9
parent: 27498dd63a199bb634bbf23e62edb345814626c9
author: cinap_lenrek <[email protected]>
date: Sat Feb 25 22:47:46 EST 2017

authsrv: salt the keyseed from /adm/keyseed file

change the keyseed key derivation to hkdf sha256
using the hostowners des key plus 256 bit random
salt from /adm/keyseed.

--- a/sys/src/cmd/auth/authsrv.c
+++ b/sys/src/cmd/auth/authsrv.c
@@ -1007,13 +1007,33 @@
 {
 	static char info[] = "PRF key for generation of dummy user keys";
 	char k[DESKEYLEN], *u;
+	int fd;
 
+	genrandom(keyseed, sizeof(keyseed));
+
 	u = getuser();
 	if(!finddeskey(KEYDB, u, k)){
-		syslog(0, AUTHLOG, "can't generate keyseed: user %s not in keydb", u);
-		exits(0);
+		syslog(0, AUTHLOG, "initkeyseed: user %s not in keydb", u);
+		return;
 	}
-	hmac_sha2_256((uchar*)info, sizeof(info)-1, (uchar*)k, sizeof(k), keyseed, nil);
+
+	if((fd = create("/adm/keyseed", OWRITE|OEXCL, 0600)) >= 0){
+		write(fd, keyseed, sizeof(keyseed));
+	} else if((fd = open("/adm/keyseed", OREAD)) >= 0){
+		read(fd, keyseed, sizeof(keyseed));
+	} else{
+		syslog(0, AUTHLOG, "initkeyseed: no seed file: %r");
+		memset(k, 0, sizeof(k));
+		return;
+	}
+	close(fd);
+
+	hkdf_x(	keyseed, sizeof(keyseed),
+		(uchar*)info, sizeof(info)-1,
+		(uchar*)k, sizeof(k),
+		keyseed, sizeof(keyseed),
+		hmac_sha2_256, SHA2_256dlen);
+
 	memset(k, 0, sizeof(k));
 }