ref: 009bec07521287ebfc9f4dcfddac18d8f27f1fb9
parent: 27498dd63a199bb634bbf23e62edb345814626c9
author: cinap_lenrek <[email protected]>
date: Sat Feb 25 22:47:46 EST 2017
authsrv: salt the keyseed from /adm/keyseed file change the keyseed key derivation to hkdf sha256 using the hostowners des key plus 256 bit random salt from /adm/keyseed.
--- a/sys/src/cmd/auth/authsrv.c
+++ b/sys/src/cmd/auth/authsrv.c
@@ -1007,13 +1007,33 @@
{
static char info[] = "PRF key for generation of dummy user keys";
char k[DESKEYLEN], *u;
+ int fd;
+ genrandom(keyseed, sizeof(keyseed));
+
u = getuser();
if(!finddeskey(KEYDB, u, k)){
- syslog(0, AUTHLOG, "can't generate keyseed: user %s not in keydb", u);
- exits(0);
+ syslog(0, AUTHLOG, "initkeyseed: user %s not in keydb", u);
+ return;
}
- hmac_sha2_256((uchar*)info, sizeof(info)-1, (uchar*)k, sizeof(k), keyseed, nil);
+
+ if((fd = create("/adm/keyseed", OWRITE|OEXCL, 0600)) >= 0){
+ write(fd, keyseed, sizeof(keyseed));
+ } else if((fd = open("/adm/keyseed", OREAD)) >= 0){
+ read(fd, keyseed, sizeof(keyseed));
+ } else{
+ syslog(0, AUTHLOG, "initkeyseed: no seed file: %r");
+ memset(k, 0, sizeof(k));
+ return;
+ }
+ close(fd);
+
+ hkdf_x( keyseed, sizeof(keyseed),
+ (uchar*)info, sizeof(info)-1,
+ (uchar*)k, sizeof(k),
+ keyseed, sizeof(keyseed),
+ hmac_sha2_256, SHA2_256dlen);
+
memset(k, 0, sizeof(k));
}