From a205711a76860949eada466938644cb77ffacdc0 Mon Sep 17 00:00:00 2001
From: Peter Palfrader
Date: Sat, 18 Aug 2012 13:56:48 +0200
Subject: [PATCH] Switch to a new KDF
---
 modules/bacula/manifests/init.pp | 10 +--
 modules/bacula/manifests/node.pp | 2 +-
 .../lib/puppet/parser/functions/hkdf.rb | 89 +++++++++++++++++++
 3 files changed, 95 insertions(+), 6 deletions(-)
 create mode 100644 modules/puppetmaster/lib/puppet/parser/functions/hkdf.rb
diff --git a/modules/bacula/manifests/init.pp b/modules/bacula/manifests/init.pp
index ba15e6cec..bf2ed30d0 100644
--- a/modules/bacula/manifests/init.pp
+++ b/modules/bacula/manifests/init.pp
@@ -22,9 +22,9 @@ class bacula {
 $bacula_backup_path = '/srv/bacula'
- $bacula_director_secret = hmac('/etc/puppet/secret', "bacula-dir-${::hostname}")
- $bacula_db_secret = hmac('/etc/puppet/secret', "bacula-db-${::hostname}")
- $bacula_storage_secret = hmac('/etc/puppet/secret', "bacula-sd-${bacula_storage_name}")
- $bacula_client_secret = hmac('/etc/puppet/secret', "bacula-fd-${::fqdn}")
- $bacula_monitor_secret = hmac('/etc/puppet/secret', "bacula-monitor-${bacula_director_name}")
+ $bacula_director_secret = hkdf('/etc/puppet/secret', "bacula-dir-${::hostname}")
+ $bacula_db_secret = hkdf('/etc/puppet/secret', "bacula-db-${::hostname}")
+ $bacula_storage_secret = hkdf('/etc/puppet/secret', "bacula-sd-${bacula_storage_name}")
+ $bacula_client_secret = hkdf('/etc/puppet/secret', "bacula-fd-${::fqdn}")
+ $bacula_monitor_secret = hkdf('/etc/puppet/secret', "bacula-monitor-${bacula_director_name}")
 }
diff --git a/modules/bacula/manifests/node.pp b/modules/bacula/manifests/node.pp
index 95c0e655c..d73c34e90 100644
--- a/modules/bacula/manifests/node.pp
+++ b/modules/bacula/manifests/node.pp
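Review bot: All five secrets on the added lines, together with the client secret in the node.pp hunk that follows, change value in the same catalog run, because the derivation now goes through hkdf() while the secret file and the info labels stay as they were; a director that has applied this while a storage daemon or client has not will presumably fail password authentication until both sides converge. That is inherent to the switch rather than a defect, but nothing in the manifest records it, and a comment such as `# all Bacula passwords derive from /etc/puppet/secret via hkdf(); changing the KDF or a label rotates them together` above the block would warn the next maintainer. The `bacula-fd-${::fqdn}` label here appears to rely on matching `bacula-fd-${name}` in node.pp for the client password to agree on both ends, which the two hunks keep in step.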
@@ -5,7 +5,7 @@ define bacula::node() {
 $bacula_client_port = $bacula::bacula_client_port
 $bacula_client_name = "${name}-fd"
- $bacula_client_secret = hmac('/etc/puppet/secret', "bacula-fd-${name}")
+ $bacula_client_secret = hkdf('/etc/puppet/secret', "bacula-fd-${name}")
 $client = $name
 file { "/etc/bacula/conf.d/${name}.conf":
diff --git a/modules/puppetmaster/lib/puppet/parser/functions/hkdf.rb b/modules/puppetmaster/lib/puppet/parser/functions/hkdf.rb
new file mode 100644
index 000000000..5453ef30d
--- /dev/null
+++ b/modules/puppetmaster/lib/puppet/parser/functions/hkdf.rb
@@ -0,0 +1,89 @@
+# a RFC5869 implementation:
+# HMAC-based Extract-and-Expand Key Derivation Function (HKDF)
+#
+# function John Downey, downloaded from https://rubygems.org/gems/hkdf
+# and distributed under the MIT license.
+
+
+require 'openssl'
+
+class HKDF
+ def initialize(source, options = {})
+ options = {:algorithm => 'SHA256', :info => '', :salt => nil}.merge(options)
+
+ @digest = OpenSSL::Digest.new(options[:algorithm])
+ @info = options[:info]
+
+ salt = options[:salt]
+ salt = 0.chr * @digest.digest_length if salt.nil? or salt.empty?
+
+ @prk = OpenSSL::HMAC.digest(@digest, salt, source)
+ @position = 0
+ @blocks = []
+ @blocks << ''
+ end
+
+ def algorithm
+ @digest.name
+ end
+
+ def max_length
+ @digest.digest_length * 255
+ end
+
+ def seek(position)
+ raise RangeError.new("cannot seek past #{max_length}") if position > max_length
+
+ @position = position
+ end
+
+ def rewind
+ seek(0)
+ end
+
+ def next_bytes(length)
+ new_position = length + @position
+ raise RangeError.new("requested #{length} bytes, only #{max_length} available") if new_position > max_length
+
+ _generate_blocks(new_position)
+
+ start = @position
+ @position = new_position
+
+ @blocks.join('').slice(start, length)
+ end
+
+ def next_hex_bytes(length)
+ next_bytes(length).unpack('H*').first
+ end
+
+ def _generate_blocks(length)
+ start = @blocks.size
+ block_count = (length.to_f / @digest.digest_length).ceil
+ start.upto(block_count) do |n|
+ @blocks << OpenSSL::HMAC.digest(@digest, @prk, @blocks[n - 1] + @info + n.chr)
+ end
+ end
+end
+
+# puppetization by weasel
+module Puppet::Parser::Functions
+ newfunction(:hkdf, :type => :rvalue) do |args|
+ secretfile = args.shift()
+ data = args.shift()
+
+ require 'openssl'
+ secret = ""
+ begin
+ secret = File.new(secretfile, "r").read
+ rescue => e
+ raise Puppet::ParseError, "Error loading secret from #{seccretfile}: #{e.message}\n#{e.backtrace}"
+ end
+
+ hkdf = HKDF.new(secret, :info => data)
+ return hkdf.next_hex_bytes(32)
+ end
+end
+# vim:set ts=2:
+# vim:set et:
+# vim:set shiftwidth=2:
-- 
2.20.1
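Review bot: The rescue in the `hkdf` parser function interpolates `seccretfile`, which is never defined, so a missing or unreadable secret file surfaces as a NameError raised from inside the rescue instead of the intended Puppet::ParseError naming the file. The same lines should read the file with `File.read(secretfile)` — `File.new(secretfile, "r").read` never closes the handle — and should reject any argument count other than two up front, since a missing info string reaches `HKDF.new` as `:info => nil` and only fails later inside `_generate_blocks` with an unrelated TypeError. The inner `require 'openssl'` repeats the one at the top of the file and can go. The rewrite below keeps the file content verbatim (no `chomp`), because any trailing newline in the file is already part of the key material and stripping it would change every derived password.
```ruby
  newfunction(:hkdf, :type => :rvalue) do |args|
    # Derive a 32-byte (64 hex character) secret from the master secret file and a per-use info label.
    raise Puppet::ParseError, "hkdf(): expects two arguments (secret file, info label), got #{args.size}" unless args.size == 2
    secretfile, data = args

    begin
      secret = File.read(secretfile)   # closes the handle; content is used exactly as stored
    rescue => e
      raise Puppet::ParseError, "Error loading secret from #{secretfile}: #{e.message}\n#{e.backtrace}"
    end
    # … unchanged: HKDF.new(secret, :info => data) and next_hex_bytes(32) …
```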