mirror of
https://github.com/PowerShell/openssh-portable.git
synced 2025-07-31 01:35:11 +02:00
pull updated OpenBSD BCrypt PBKDF implementation
Includes fix for 1 byte output overflow for large key length requests (not reachable in OpenSSH). Pointed out by Joshua Rogers
This commit is contained in:
parent
c528c1b4af
commit
01b6349880
@ -1,4 +1,4 @@
|
|||||||
/* $OpenBSD: bcrypt_pbkdf.c,v 1.4 2013/07/29 00:55:53 tedu Exp $ */
|
/* $OpenBSD: bcrypt_pbkdf.c,v 1.9 2014/07/13 21:21:25 tedu Exp $ */
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
|
* Copyright (c) 2013 Ted Unangst <tedu@openbsd.org>
|
||||||
*
|
*
|
||||||
@ -51,8 +51,8 @@
|
|||||||
*
|
*
|
||||||
* One modification from official pbkdf2. Instead of outputting key material
|
* One modification from official pbkdf2. Instead of outputting key material
|
||||||
* linearly, we mix it. pbkdf2 has a known weakness where if one uses it to
|
* linearly, we mix it. pbkdf2 has a known weakness where if one uses it to
|
||||||
* generate (i.e.) 512 bits of key material for use as two 256 bit keys, an
|
* generate (e.g.) 512 bits of key material for use as two 256 bit keys, an
|
||||||
* attacker can merely run once through the outer loop below, but the user
|
* attacker can merely run once through the outer loop, but the user
|
||||||
* always runs it twice. Shuffling output bytes requires computing the
|
* always runs it twice. Shuffling output bytes requires computing the
|
||||||
* entirety of the key material to assemble any subkey. This is something a
|
* entirety of the key material to assemble any subkey. This is something a
|
||||||
* wise caller could do; we just do it for you.
|
* wise caller could do; we just do it for you.
|
||||||
@ -97,9 +97,9 @@ bcrypt_hash(u_int8_t *sha2pass, u_int8_t *sha2salt, u_int8_t *out)
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* zap */
|
/* zap */
|
||||||
memset(ciphertext, 0, sizeof(ciphertext));
|
explicit_bzero(ciphertext, sizeof(ciphertext));
|
||||||
memset(cdata, 0, sizeof(cdata));
|
explicit_bzero(cdata, sizeof(cdata));
|
||||||
memset(&state, 0, sizeof(state));
|
explicit_bzero(&state, sizeof(state));
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
@ -113,6 +113,7 @@ bcrypt_pbkdf(const char *pass, size_t passlen, const u_int8_t *salt, size_t salt
|
|||||||
u_int8_t *countsalt;
|
u_int8_t *countsalt;
|
||||||
size_t i, j, amt, stride;
|
size_t i, j, amt, stride;
|
||||||
uint32_t count;
|
uint32_t count;
|
||||||
|
size_t origkeylen = keylen;
|
||||||
|
|
||||||
/* nothing crazy */
|
/* nothing crazy */
|
||||||
if (rounds < 1)
|
if (rounds < 1)
|
||||||
@ -155,14 +156,17 @@ bcrypt_pbkdf(const char *pass, size_t passlen, const u_int8_t *salt, size_t salt
|
|||||||
* pbkdf2 deviation: ouput the key material non-linearly.
|
* pbkdf2 deviation: ouput the key material non-linearly.
|
||||||
*/
|
*/
|
||||||
amt = MIN(amt, keylen);
|
amt = MIN(amt, keylen);
|
||||||
for (i = 0; i < amt; i++)
|
for (i = 0; i < amt; i++) {
|
||||||
key[i * stride + (count - 1)] = out[i];
|
size_t dest = i * stride + (count - 1);
|
||||||
keylen -= amt;
|
if (dest >= origkeylen)
|
||||||
|
break;
|
||||||
|
key[dest] = out[i];
|
||||||
|
}
|
||||||
|
keylen -= i;
|
||||||
}
|
}
|
||||||
|
|
||||||
/* zap */
|
/* zap */
|
||||||
memset(out, 0, sizeof(out));
|
explicit_bzero(out, sizeof(out));
|
||||||
memset(countsalt, 0, saltlen + 4);
|
|
||||||
free(countsalt);
|
free(countsalt);
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
Loading…
x
Reference in New Issue
Block a user