Source-Changes archive


CVS commit: src



Module Name:    src
Committed By:   riastradh
Date:           Fri Aug 12 10:49:17 UTC 2022

Modified Files:
        src/distrib/sets/lists/tests: mi
        src/sbin/cgdconfig: Makefile cgdconfig.8 cgdconfig.c cgdlex.l
            cgdparse.y params.c params.h
        src/tests/dev/cgd: Makefile t_cgdconfig.sh
Added Files:
        src/sbin/cgdconfig: hkdf_hmac_sha256.c hkdf_hmac_sha256.h
        src/tests/dev/cgd: h_countkey.sh

Log Message:
cgdconfig(8): Add support for shared keys.

New clause `shared <id> algorithm <alg> subkey <info>' in a keygen
block enables `cgdconfig -C' to reuse a key between different params
files, so you can, e.g., use a single password for multiple disks.
This is better than simply caching the password itself because:

- Hashing the password is expensive, so it should only be done once.

  Suppose your budget is time t before you get bored, and you
  calibrate password hash parameters to unlock n disks before you get
  bored waiting for `cgdconfig -C'.

  . With n password hashings the adversary's cost goes up only by a
    factor of t/n.
  . With one password hashing and n subkeys the adversary's cost goes
    up by a factor of n.

  And if you ever add a disk, rehashing it will make `cgdconfig -C'
  go over budget, whereas another subkey adds negligible cost to you.

- Subkeys work for other types of keygen blocks, like shell_cmd,
  which could be used to get a key from a hardware token that needs a
  button press.

The <info> parameter must be different for each params file;
everything else in the keygen block must be the same.  With this
clause, the keygen block determines a shared key used only to derive
keys; the actual key used by cgdconfig is derived from the shared key
by the specified algorithm.

The only supported algorithm is hkdf-hmac-sha256, which uses
HKDF-Expand of RFC 5869 instantiated with SHA-256.

Example:

        algorithm aes-cbc;
        iv-method encblkno1;
        keylength 128;
        verify_method none;
        keygen pkcs5_pbkdf2/sha1 {
                iterations 39361;
                salt AAAAgMoHiYonye6KogdYJAobCHE=;
                shared "pw" algorithm hkdf-hmac-sha256
                    subkey AAAAgFlw0BMQ5gY+haYkZ6JC+yY=;
        };

The key used for this disk will be derived by

        HKDF-HMAC-SHA256_k(WXDQExDmBj6FpiRnokL7Jg==),

where k is the outcome of PBKDF2-SHA1 with the given parameters.

Note that <info> encodes a four-byte prefix giving the big-endian
length in bits of the info argument to HKDF, just like all other bit
strings in cgdconfig parameters files.

If you have multiple disks configured using the same keygen block
except for the info parameter, `cgdconfig -C' will only prompt once
for your passphrase, generate a shared key k with PBKDF2 as usual,
and then reuse it for each of the disks.


To generate a diff of this commit:
cvs rdiff -u -r1.1218 -r1.1219 src/distrib/sets/lists/tests/mi
cvs rdiff -u -r1.21 -r1.22 src/sbin/cgdconfig/Makefile
cvs rdiff -u -r1.54 -r1.55 src/sbin/cgdconfig/cgdconfig.8
cvs rdiff -u -r1.55 -r1.56 src/sbin/cgdconfig/cgdconfig.c
cvs rdiff -u -r1.6 -r1.7 src/sbin/cgdconfig/cgdlex.l \
    src/sbin/cgdconfig/cgdparse.y
cvs rdiff -u -r0 -r1.1 src/sbin/cgdconfig/hkdf_hmac_sha256.c \
    src/sbin/cgdconfig/hkdf_hmac_sha256.h
cvs rdiff -u -r1.32 -r1.33 src/sbin/cgdconfig/params.c
cvs rdiff -u -r1.12 -r1.13 src/sbin/cgdconfig/params.h
cvs rdiff -u -r1.12 -r1.13 src/tests/dev/cgd/Makefile
cvs rdiff -u -r0 -r1.1 src/tests/dev/cgd/h_countkey.sh
cvs rdiff -u -r1.2 -r1.3 src/tests/dev/cgd/t_cgdconfig.sh

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
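
The derivation described in the log message, as an added Python sketch; it is not code from this commit or from cgdconfig. The passphrase and the second <info> value are constructed, and the shared key k is assumed to have the same length as the params file's keylength.

```python
import base64, hashlib, hmac, struct

def parse_bits(b64):
    """Decode a params-file bit string: 4-byte big-endian bit length, then data."""
    raw = base64.b64decode(b64, validate=True)
    if len(raw) < 4:
        raise ValueError("missing length prefix")
    (nbits,) = struct.unpack(">I", raw[:4])
    data = raw[4:]
    if len(data) != (nbits + 7) // 8:
        raise ValueError("length prefix does not match data")
    return data

def hkdf_expand_sha256(prk, info, length):
    """HKDF-Expand (RFC 5869, section 2.3) instantiated with HMAC-SHA256."""
    if length > 255 * 32:
        raise ValueError("requested output too long")
    okm, t, counter = b"", b"", 1
    while len(okm) < length:
        t = hmac.new(prk, t + info + bytes([counter]), hashlib.sha256).digest()
        okm += t
        counter += 1
    return okm[:length]

def shared_key(passphrase, salt_b64, iterations, nbits):
    # The one expensive step, done once for all disks.
    # Assumption: k is as long as the params file's keylength.
    return hashlib.pbkdf2_hmac("sha1", passphrase, parse_bits(salt_b64),
                               iterations, nbits // 8)

def disk_key(k, info_b64, nbits):
    # Cheap per-disk step: only <info> differs between params files.
    return hkdf_expand_sha256(k, parse_bits(info_b64), nbits // 8)

SALT = "AAAAgMoHiYonye6KogdYJAobCHE="      # from the example above
INFO_A = "AAAAgFlw0BMQ5gY+haYkZ6JC+yY="    # from the example above
# Constructed <info> for a hypothetical second disk: 128-bit prefix + 16 bytes.
INFO_B = base64.b64encode(struct.pack(">I", 128) + bytes(range(16))).decode()

if __name__ == "__main__":
    k = shared_key(b"constructed passphrase", SALT, 39361, 128)
    for name, info in (("disk A", INFO_A), ("disk B", INFO_B)):
        print(name, disk_key(k, info, 128).hex())
```
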



