ref: 6de804b578e54fb2e7d24e56c3032def4d24547e
parent: da343924f4e72ed302208ef246d568c865a0a400
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Sun Feb 26 17:44:47 EST 2017
authsrv: don't hash in hostowner key for keyseed aiju → i don't like it, it's more bullshit ways to expose the key :) aiju → if someone can grab /adm/keyseed, they can also grab /adm/users and /adm/keys
--- a/sys/src/cmd/auth/authsrv.c
+++ b/sys/src/cmd/auth/authsrv.c
@@ -1005,18 +1005,9 @@
void
initkeyseed(void)
{- static char info[] = "PRF key for generation of dummy user keys";
- char k[DESKEYLEN], *u;
int fd;
genrandom(keyseed, sizeof(keyseed));
-
- u = getuser();
- if(!finddeskey(KEYDB, u, k)){- syslog(0, AUTHLOG, "initkeyseed: user %s not in keydb", u);
- return;
- }
-
if((fd = create("/adm/keyseed", OWRITE|OEXCL, 0600)) >= 0){write(fd, keyseed, sizeof(keyseed));
} else if((fd = open("/adm/keyseed", OREAD)) >= 0){@@ -1023,18 +1014,9 @@
read(fd, keyseed, sizeof(keyseed));
} else{syslog(0, AUTHLOG, "initkeyseed: no seed file: %r");
- memset(k, 0, sizeof(k));
return;
}
close(fd);
-
- hkdf_x( keyseed, sizeof(keyseed),
- (uchar*)info, sizeof(info)-1,
- (uchar*)k, sizeof(k),
- keyseed, sizeof(keyseed),
- hmac_sha2_256, SHA2_256dlen);
-
- memset(k, 0, sizeof(k));
}
void