From: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
To: barebox@lists.infradead.org
Subject: [PATCH 7/8] password: add pbkdf2 support
Date: Mon, 16 Mar 2015 10:19:04 +0100 [thread overview]
Message-ID: <1426497545-24175-7-git-send-email-plagnioj@jcrosoft.com> (raw)
In-Reply-To: <1426497545-24175-1-git-send-email-plagnioj@jcrosoft.com>
We will use "barebox_password" as salt and 10000 round to generate a
64 bytes key.
Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com>
---
common/Kconfig | 4 +++
common/password.c | 79 +++++++++++++++++++++++++++++++++++--------------------
2 files changed, 55 insertions(+), 28 deletions(-)
diff --git a/common/Kconfig b/common/Kconfig
index 96ace6b..ad8a596 100644
--- a/common/Kconfig
+++ b/common/Kconfig
@@ -453,6 +453,10 @@ config PASSWD_SUM_SHA512
bool "SHA512"
select SHA512
+config PASSWD_CRYPTO_PBKDF2
+ bool "PBKDF2"
+ select CRYPTO_PBKDF2
+
endchoice
endif
diff --git a/common/password.c b/common/password.c
index 6ecf717..0e1db61 100644
--- a/common/password.c
+++ b/common/password.c
@@ -26,6 +26,7 @@
#include <xfuncs.h>
#include <clock.h>
#include <generated/passwd.h>
+#include <crypto/pbkdf2.h>
#if defined(CONFIG_PASSWD_SUM_MD5)
#define PASSWD_SUM "md5"
@@ -35,8 +36,14 @@
#define PASSWD_SUM "sha256"
#elif defined(CONFIG_PASSWD_SUM_SHA512)
#define PASSWD_SUM "sha512"
+#else
+#define PASSWD_SUM NULL
#endif
+#define PBKDF2_SALT "barebox_password"
+#define PBKDF2_LENGTH 64
+#define PBKDF2_COUNT 10000
+
int password(unsigned char *passwd, size_t length, int flags, int timeout)
{
unsigned char *buf = passwd;
@@ -277,45 +284,50 @@ EXPORT_SYMBOL(write_env_passwd);
static int __check_passwd(unsigned char* passwd, size_t length, int std)
{
- struct digest *d;
+ struct digest *d = NULL;
unsigned char *passwd1_sum;
unsigned char *passwd2_sum;
int ret = 0;
+ int hash_len;
- d = digest_alloc(PASSWD_SUM);
+ if (IS_ENABLED(CONFIG_PASSWD_CRYPTO_PBKDF2)) {
+ hash_len = PBKDF2_LENGTH;
+ } else {
+ d = digest_alloc(PASSWD_SUM);
- passwd1_sum = calloc(digest_length(d), sizeof(unsigned char));
+ hash_len = digest_length(d);
+ }
+ passwd1_sum = calloc(hash_len * 2, sizeof(unsigned char));
if (!passwd1_sum)
return -ENOMEM;
- passwd2_sum = calloc(digest_length(d), sizeof(unsigned char));
-
- if (!passwd2_sum) {
- ret = -ENOMEM;
- goto err1;
- }
+ passwd2_sum = passwd1_sum + hash_len;
- digest_init(d);
+ if (IS_ENABLED(CONFIG_PASSWD_CRYPTO_PBKDF2)) {
+ char *salt = PBKDF2_SALT;
- digest_update(d, passwd, length);
+ ret = pkcs5_pbkdf2_hmac_sha1(passwd, length, salt, strlen(salt),
+ PBKDF2_COUNT, hash_len, passwd1_sum);
+ } else {
+ ret = digest_digest(d, passwd, length, passwd1_sum);
+ }
- digest_final(d, passwd1_sum);
+ if (ret)
+ goto err;
if (std)
- ret = read_env_passwd(passwd2_sum, digest_length(d));
+ ret = read_env_passwd(passwd2_sum, hash_len);
else
- ret = read_default_passwd(passwd2_sum, digest_length(d));
+ ret = read_default_passwd(passwd2_sum, hash_len);
if (ret < 0)
- goto err2;
+ goto err;
- if (strncmp(passwd1_sum, passwd2_sum, digest_length(d)) == 0)
+ if (strncmp(passwd1_sum, passwd2_sum, hash_len) == 0)
ret = 1;
-err2:
- free(passwd2_sum);
-err1:
+err:
free(passwd1_sum);
digest_free(d);
@@ -346,25 +358,36 @@ int check_passwd(unsigned char* passwd, size_t length)
int set_env_passwd(unsigned char* passwd, size_t length)
{
- struct digest *d;
+ struct digest *d = NULL;
unsigned char *passwd_sum;
- int ret;
+ int ret, hash_len;
- d = digest_alloc(PASSWD_SUM);
+ if (IS_ENABLED(CONFIG_PASSWD_CRYPTO_PBKDF2)) {
+ hash_len = PBKDF2_LENGTH;
+ } else {
+ d = digest_alloc(PASSWD_SUM);
- passwd_sum = calloc(digest_length(d), sizeof(unsigned char));
+ hash_len = digest_length(d);
+ }
+ passwd_sum = calloc(hash_len, sizeof(unsigned char));
if (!passwd_sum)
return -ENOMEM;
- digest_init(d);
+ if (IS_ENABLED(CONFIG_PASSWD_CRYPTO_PBKDF2)) {
+ char *salt = PBKDF2_SALT;
- digest_update(d, passwd, length);
-
- digest_final(d, passwd_sum);
+ ret = pkcs5_pbkdf2_hmac_sha1(passwd, length, salt, strlen(salt),
+ PBKDF2_COUNT, hash_len, passwd_sum);
+ } else {
+ ret = digest_digest(d, passwd, length, passwd_sum);
+ }
+ if (ret)
+ goto err;
- ret = write_env_passwd(passwd_sum, digest_length(d));
+ ret = write_env_passwd(passwd_sum, hash_len);
+err:
free(passwd_sum);
return ret;
--
2.1.4
_______________________________________________
barebox mailing list
barebox@lists.infradead.org
http://lists.infradead.org/mailman/listinfo/barebox
next prev parent reply other threads:[~2015-03-16 9:19 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-03-16 9:17 [PATCH 0/8 v2] prepare for rsa support Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 9:18 ` [PATCH 1/8] digest: add verify callback Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 9:18 ` [PATCH 2/8] command: rename digest.c to hashsum.c Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 9:19 ` [PATCH 3/8] command: allow runtime usage Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 9:19 ` [PATCH 4/8] command: add generic digest command Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 9:19 ` [PATCH 5/8] digest: add digest callback Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 9:19 ` [PATCH 6/8] crypto: add pbkdf2 hmac key generator Jean-Christophe PLAGNIOL-VILLARD
2015-03-16 9:19 ` Jean-Christophe PLAGNIOL-VILLARD [this message]
2015-03-16 9:19 ` [PATCH 8/8] digest: allow algo to specify their length at runtime Jean-Christophe PLAGNIOL-VILLARD
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1426497545-24175-7-git-send-email-plagnioj@jcrosoft.com \
--to=plagnioj@jcrosoft.com \
--cc=barebox@lists.infradead.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox