diff options
| author |   jsing <jsing@openbsd.org> | 2016-09-18 16:34:59 +0000 |
|---|---|---|
| committer | jsing <jsing@openbsd.org> | 2016-09-18 16:34:59 +0000 |
| commit | df1890a2d2078c7e4514e8b74146e8390b916a92 (patch) | |
| tree | b7d5ae8582606ed0cbe3b17f4012335eeb946ed4 /sys/lib/libsa/softraid.c | |
| parent | sync (diff) | |
| download | wireguard-openbsd-df1890a2d2078c7e4514e8b74146e8390b916a92.tar.xz wireguard-openbsd-df1890a2d2078c7e4514e8b74146e8390b916a92.zip | |
Add bcrypt pbkdf support to the softraid crypto boot loader code.
Based on a diff from djm@
Diffstat (limited to 'sys/lib/libsa/softraid.c')
| -rw-r--r-- | sys/lib/libsa/softraid.c | 33 |
1 files changed, 28 insertions, 5 deletions
diff --git a/sys/lib/libsa/softraid.c b/sys/lib/libsa/softraid.c index d751b2250fa..47780132bf7 100644 --- a/sys/lib/libsa/softraid.c +++ b/sys/lib/libsa/softraid.c @@ -1,4 +1,4 @@ -/* $OpenBSD: softraid.c,v 1.1 2016/09/11 17:49:36 jsing Exp $ */ +/* $OpenBSD: softraid.c,v 1.2 2016/09/18 16:34:59 jsing Exp $ */ /* * Copyright (c) 2012 Joel Sing <jsing@openbsd.org> @@ -22,6 +22,7 @@ #include <dev/biovar.h> #include <dev/softraidvar.h> +#include <lib/libsa/bcrypt_pbkdf.h> #include <lib/libsa/hmac_sha1.h> #include <lib/libsa/pkcs5_pbkdf2.h> #include <lib/libsa/rijndael.h> @@ -119,6 +120,7 @@ sr_crypto_decrypt_keys(struct sr_boot_volume *bv) u_int8_t *keys = NULL; u_int8_t *kp, *cp; rijndael_ctx ctx; + u_int32_t type; int rv = -1; int c, i; @@ -150,6 +152,12 @@ sr_crypto_decrypt_keys(struct sr_boot_volume *bv) if (kd) { bcopy(&kd->kd_key, &kdfinfo.maskkey, sizeof(kdfinfo.maskkey)); } else { + if (kdfhint->generic.type != SR_CRYPTOKDFT_PKCS5_PBKDF2 && + kdfhint->generic.type != SR_CRYPTOKDFT_BCRYPT_PBKDF) { + printf("unknown KDF type %u\n", kdfhint->generic.type); + goto done; + } + printf("Passphrase: "); for (i = 0; i < PASSPHRASE_LENGTH - 1; i++) { c = cngetc(); @@ -169,10 +177,25 @@ sr_crypto_decrypt_keys(struct sr_boot_volume *bv) passphrase, strlen(passphrase)); #endif - if (pkcs5_pbkdf2(passphrase, strlen(passphrase), kdfhint->salt, - sizeof(kdfhint->salt), kdfinfo.maskkey, - sizeof(kdfinfo.maskkey), kdfhint->rounds) != 0) { - printf("pbkdf2 failed\n"); + type = kdfhint->generic.type; + if (type == SR_CRYPTOKDFT_PKCS5_PBKDF2) { + if (pkcs5_pbkdf2(passphrase, strlen(passphrase), + kdfhint->salt, sizeof(kdfhint->salt), + kdfinfo.maskkey, sizeof(kdfinfo.maskkey), + kdfhint->rounds) != 0) { + printf("pkcs5_pbkdf2 failed\n"); + goto done; + } + } else if (type == SR_CRYPTOKDFT_BCRYPT_PBKDF) { + if (bcrypt_pbkdf(passphrase, strlen(passphrase), + kdfhint->salt, sizeof(kdfhint->salt), + kdfinfo.maskkey, sizeof(kdfinfo.maskkey), + kdfhint->rounds) != 0) { + printf("bcrypt_pbkdf failed\n"); + goto done; + } + } else { + printf("unknown KDF type %u\n", kdfhint->generic.type); goto done; } } |