Home » Mailing list archives » openbsd-tech » 2010 » February » 4

remove a libcrypto dependancy in mount_vnd(8)

Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
[view in full thread]
From: Mike Belopuhov
Subject: remove a libcrypto dependancy in mount_vnd(8)
Date: Thursday, February 4, 2010 - 9:25 am

hey,

while looking thru bioctl stuff, i've accidentaly stumbled upon
pbkdf2 thing and found out that mount_vnd still uses local
pkcs5_pbkdf2.c from NetBSD and links against libcrypto (although
it's a static binary).  reduction in size is about 2.5 times
(from 353K to 145K), so it's a win, right? :)

i've tested compatibility between old and new versions and
everything looks.. er.. compatible.

so sending this out that it won't be lost.

Index: Makefile
===================================================================
RCS file: /cvs/src/sbin/mount_vnd/Makefile,v
retrieving revision 1.6
diff -N -u -p Makefile
--- Makefile	14 Jun 2008 01:47:27 -0000	1.6
+++ Makefile	4 Feb 2010 16:10:01 -0000
@@ -1,8 +1,11 @@
 # $OpenBSD: Makefile,v 1.6 2008/06/14 01:47:27 grunk Exp $
 
+.PATH: ${.CURDIR}/../bioctl
+CFLAGS+=-I${.CURDIR}/../bioctl
+
 PROG=	mount_vnd
-SRCS=	mount_vnd.c pkcs5_pbkdf2.c
-LDADD=	-lutil -lcrypto
+SRCS=	mount_vnd.c pbkdf2.c
+LDADD=	-lutil
 DPADD=	${LIBUTIL}
 
 CDIAGFLAGS+=	-Wall
Index: mount_vnd.c
===================================================================
RCS file: /cvs/src/sbin/mount_vnd/mount_vnd.c,v
retrieving revision 1.8
diff -N -u -p mount_vnd.c
--- mount_vnd.c	3 Sep 2008 23:24:25 -0000	1.8
+++ mount_vnd.c	4 Feb 2010 16:10:01 -0000
@@ -49,14 +49,14 @@
 #include <err.h>
 #include <errno.h>
 #include <fcntl.h>
-#include <pwd.h>
+#include <readpassphrase.h>
 #include <stdio.h>
 #include <stdlib.h>
 #include <string.h>
 #include <unistd.h>
 #include <util.h>
 
-#include "pkcs5_pbkdf2.h"
+#include "pbkdf2.h"
 
 #define DEFAULT_VND	"svnd0"
 
@@ -180,19 +180,20 @@ main(int argc, char **argv)
 char *
 get_pkcs_key(char *arg, char *saltopt)
 {
-	char		 keybuf[128], saltbuf[128], saltfilebuf[PATH_MAX];
-	char		*saltfile;
+	char		 passphrase[128];
+	char		 saltbuf[128], saltfilebuf[PATH_MAX];
 	char		*key = NULL;
+	char		*saltfile;
 	const char	*errstr;
 	int		 rounds;
 
 	rounds = strtonum(arg, 1000, INT_MAX, &errstr);
 	if (errstr)
 		err(1, "rounds: %s", errstr);
-	key = getpass("Encryption key: ");
-	if (!key || strlen(key) == 0)
-		errx(1, "Need an encryption key");
-	strncpy(keybuf, key, sizeof(keybuf));
+	bzero(passphrase, sizeof(passphrase));
+	if (readpassphrase("Encryption key: ", passphrase, sizeof(passphrase),
+	    RPP_REQUIRE_TTY) == NULL)
+		errx(1, "Unable to read passphrase");
 	if (saltopt)
 		saltfile = saltopt;
 	else {
@@ -212,7 +213,8 @@ get_pkcs_key(char *arg, char *saltopt)
 		if (fd == -1) {
 			int *s;
 
-			fprintf(stderr, "Salt file not found, attempting to create one\n");
+			fprintf(stderr, "Salt file not found, attempting to "
+			    "create one\n");
 			fd = open(saltfile, O_RDWR|O_CREAT|O_EXCL, 0600);
 			if (fd == -1)
 				err(1, "Unable to create salt file: '%s'",
@@ -222,18 +224,24 @@ get_pkcs_key(char *arg, char *saltopt)
 				*s = arc4random();
 			if (write(fd, saltbuf, sizeof(saltbuf))
 			    != sizeof(saltbuf))
-				err(1, "Unable to write salt file: '%s'", saltfile);
-			fprintf(stderr, "Salt file created as '%s'\n", saltfile);
+				err(1, "Unable to write salt file: '%s'",
+				    saltfile);
+			fprintf(stderr, "Salt file created as '%s'\n",
+			    saltfile);
 		} else {
 			if (read(fd, saltbuf, sizeof(saltbuf))
 			    != sizeof(saltbuf))
-				err(1, "Unable to read salt file: '%s'", saltfile);
+				err(1, "Unable to read salt file: '%s'",
+				    saltfile);
 		}
 		close(fd);
 	}
-	if (pkcs5_pbkdf2((u_int8_t**)&key, BLF_MAXUTILIZED, keybuf,
-	    sizeof(keybuf), saltbuf, sizeof(saltbuf), rounds, 0))
+	if ((key = calloc(1, BLF_MAXUTILIZED)) == NULL)
+		err(1, NULL);
+	if (pkcs5_pbkdf2(passphrase, sizeof(passphrase), saltbuf,
+	    sizeof (saltbuf), key, BLF_MAXUTILIZED, rounds))
 		errx(1, "pkcs5_pbkdf2 failed");
+	memset(passphrase, 0, sizeof(passphrase));
 
 	return (key);
 }
Index: pkcs5_pbkdf2.c
===================================================================
RCS file: /cvs/src/sbin/mount_vnd/pkcs5_pbkdf2.c,v
retrieving revision 1.5
diff -N -u -p pkcs5_pbkdf2.c
--- pkcs5_pbkdf2.c	26 Jun 2008 05:42:06 -0000	1.5
+++ /dev/null	28 Sep 2008 10:50:08 -0000
@@ -1,168 +0,0 @@
-/* $NetBSD: pkcs5_pbkdf2.c,v 1.5 2004/03/17 01:29:13 dan Exp $ */
-
-/*-
- * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This code is derived from software contributed to The NetBSD Foundation
- * by Roland C. Dowdeswell.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-/*
- * This code is an implementation of PKCS #5 PBKDF2 which is described
- * in:
- *
- * ``PKCS #5 v2.0: Password-Based Cryptography Standard'', RSA Laboratories,
- * March 25, 1999.
- *
- * and can be found at the following URL:
- *
- *	http://www.rsasecurity.com/rsalabs/pkcs/pkcs-5/
- *
- * It was also republished as RFC 2898.
- */
-
-
-#include <sys/types.h>
-#include <sys/time.h>
-#include <sys/resource.h>
-
-#include <assert.h>
-#include <err.h>
-#include <stdlib.h>
-#include <string.h>
-
-#include <openssl/hmac.h>
-
-#include "pkcs5_pbkdf2.h"
-
-static void	int_encode(u_int8_t *, int);
-static void	prf_iterate(u_int8_t *, const u_int8_t *, int,
-			    const u_int8_t *, int, int, int);
-
-static void
-memxor(void *res, const void *src, size_t len)
-{
-	size_t i;
-	char *r;
-	const char *s;
-
-	r = res;
-	s = src;
-	for (i=0; i < len; i++)
-		r[i] ^= s[i];
-}
-
-#define PRF_BLOCKLEN	20
-
-/*
- * int_encode encodes i as a four octet integer, most significant
- * octet first.  (from the end of Step 3).
- */
-
-static void
-int_encode(u_int8_t *res, int i)
-{
-
-	*res++ = (i >> 24) & 0xff;
-	*res++ = (i >> 16) & 0xff;
-	*res++ = (i >>  8) & 0xff;
-	*res   = (i      ) & 0xff;
-}
-
-static void
-prf_iterate(u_int8_t *r, const u_int8_t *P, int Plen,
-	    const u_int8_t *S, int Slen, int c, int ind)
-{
-	int		 first_time = 1;
-	int		 i;
-	int		 datalen;
-	int		 tmplen;
-	u_int8_t	*data;
-	u_int8_t	 tmp[EVP_MAX_MD_SIZE];
-
-	data = malloc(Slen + 4);
-	if (!data)
-		err(1, "prf_iterate");
-	memcpy(data, S, Slen);
-	int_encode(data + Slen, ind);
-	datalen = Slen + 4;
-
-	for (i=0; i < c; i++) {
-		HMAC(EVP_sha1(), P, Plen, data, datalen, tmp, &tmplen);
-
-		assert(tmplen == PRF_BLOCKLEN);
-
-		if (first_time) {
-			memcpy(r, tmp, PRF_BLOCKLEN);
-			first_time = 0;
-		} else 
-			memxor(r, tmp, PRF_BLOCKLEN);
-		memcpy(data, tmp, PRF_BLOCKLEN);
-		datalen = PRF_BLOCKLEN;
-	}
-	free(data);
-}
-
-/*
- * pkcs5_pbkdf2 takes all of its lengths in bytes.
- */
-
-int
-pkcs5_pbkdf2(u_int8_t **r, int dkLen, const u_int8_t *P, int Plen,
-	     const u_int8_t *S, int Slen, int c, int compat)
-{
-	int	i;
-	int	l;
-
-	/* sanity */
-	if (!r)
-		return -1;
-	if (dkLen <= 0)
-		return -1;
-	if (c < 1)
-		return -1;
-
-	/* Step 2 */
-	l = (dkLen + PRF_BLOCKLEN - 1) / PRF_BLOCKLEN;
-
-	/* allocate the output */
-	*r = calloc(l, PRF_BLOCKLEN);
-	if (!*r)
-		return -1;
-
-	/* Step 3 */
-	for (i=0; i < l; i++)
-		prf_iterate(*r + (PRF_BLOCKLEN * i), P, Plen, S, Slen, c, 
-			(compat?i:i+1));
-
-	/* Step 4 and 5
-	 *  by the structure of the code, we do not need to concatenate
-	 *  the blocks, they're already concatenated.  We do not extract
-	 *  the first dkLen octets, since we [naturally] assume that the
-	 *  calling function will use only the octets that it needs and
-	 *  the free(3) will free all of the allocated memory.
-	 */
-	return 0;
-}
Index: pkcs5_pbkdf2.h
===================================================================
RCS file: /cvs/src/sbin/mount_vnd/pkcs5_pbkdf2.h,v
retrieving revision 1.3
diff -N -u -p pkcs5_pbkdf2.h
--- pkcs5_pbkdf2.h	26 Jun 2008 05:42:06 -0000	1.3
+++ /dev/null	28 Sep 2008 10:50:08 -0000
@@ -1,39 +0,0 @@
-/* $NetBSD: pkcs5_pbkdf2.h,v 1.3 2004/03/17 01:29:13 dan Exp $ */
-
-/*-
- * Copyright (c) 2002, 2003 The NetBSD Foundation, Inc.
- * All rights reserved.
- *
- * This code is derived from software contributed to The NetBSD Foundation
- * by Roland C. Dowdeswell.
- *
- * Redistribution and use in source and binary forms, with or without
- * modification, are permitted provided that the following conditions
- * are met:
- * 1. Redistributions of source code must retain the above copyright
- *    notice, this list of conditions and the following disclaimer.
- * 2. Redistributions in binary form must reproduce the above copyright
- *    notice, this list of conditions and the following disclaimer in the
- *    documentation and/or other materials provided with the distribution.
- *
- * THIS SOFTWARE IS PROVIDED BY THE NETBSD FOUNDATION, INC. AND CONTRIBUTORS
- * ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED
- * TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
- * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE FOUNDATION OR CONTRIBUTORS
- * BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR
- * CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF
- * SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
- * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN
- * CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
- * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
- * POSSIBILITY OF SUCH DAMAGE.
- */
-
-#ifndef PKCS5_PBKDF2_H
-#define PKCS5_PBKDF2_H
-
-__BEGIN_DECLS
-int	pkcs5_pbkdf2(u_int8_t **, int, const u_int8_t *, int,
-		     const u_int8_t *, int, int, int);
-__END_DECLS
-#endif
Previous message: [thread] [date] [author]
Next message: [thread] [date] [author]
Messages in current thread:
remove a libcrypto dependancy in mount_vnd(8), Mike Belopuhov, (Thu Feb 4, 9:25 am)
Re: remove a libcrypto dependancy in mount_vnd(8), Damien Miller, (Fri Feb 5, 3:26 pm)
Re: remove a libcrypto dependancy in mount_vnd(8), Mike Belopuhov, (Wed Apr 7, 12:45 pm)