From mboxrd@z Thu Jan 1 00:00:00 1970
Return-path: 
Received: from 7.mo68.mail-out.ovh.net ([46.105.63.230]) by bombadil.infradead.org with esmtps (Exim 4.80.1 #2 (Red Hat Linux)) id 1YXS5A-000227-0G for barebox@lists.infradead.org; Mon, 16 Mar 2015 10:17:14 +0000
Received: from mail189.ha.ovh.net (b6.ovh.net [213.186.33.56]) by mo68.mail-out.ovh.net (Postfix) with SMTP id 6817AFFAA3B for ; Mon, 16 Mar 2015 11:16:50 +0100 (CET)
From: Jean-Christophe PLAGNIOL-VILLARD
Date: Mon, 16 Mar 2015 11:15:42 +0100
Message-Id: <1426500945-31815-7-git-send-email-plagnioj@jcrosoft.com>
In-Reply-To: <1426500945-31815-1-git-send-email-plagnioj@jcrosoft.com>
References: <20150316101321.GA26127@ns203013.ovh.net> <1426500945-31815-1-git-send-email-plagnioj@jcrosoft.com>
List-Id: 
List-Unsubscribe: ,
List-Archive: 
List-Post: 
List-Help: 
List-Subscribe: ,
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: "barebox"
Errors-To: barebox-bounces+u.kleine-koenig=pengutronix.de@lists.infradead.org
Subject: [PATCH 07/10] password: add pbkdf2 support
To: barebox@lists.infradead.org

We will use "barebox_password" as salt and 10000 round to generate a 64 bytes key.

Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD
---
 common/Kconfig | 4 +++
 common/password.c | 79 +++++++++++++++++++++++++++++++++++--------------------
 2 files changed, 55 insertions(+), 28 deletions(-)

diff --git a/common/Kconfig b/common/Kconfig
index 96ace6b..ad8a596 100644
--- a/common/Kconfig
+++ b/common/Kconfig
@@ -453,6 +453,10 @@ config PASSWD_SUM_SHA512
 bool "SHA512"
 select SHA512
+config PASSWD_CRYPTO_PBKDF2
+ bool "PBKDF2"
+ select CRYPTO_PBKDF2
+
 endchoice
 endif
diff --git a/common/password.c b/common/password.c
index 6ecf717..0e1db61 100644
--- a/common/password.c
+++ b/common/password.c
@@ -26,6 +26,7 @@
 #include
 #include
 #include
+#include
 #if defined(CONFIG_PASSWD_SUM_MD5)
 #define PASSWD_SUM "md5"
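Review bot: The new `config PASSWD_CRYPTO_PBKDF2` choice entry carries no `help` text, so the menu offers "PBKDF2" without saying which PRF, iteration count or salt the derivation uses, nor that the stored value is a 64-byte derived key rather than a digest, so a password stored under one of the `PASSWD_SUM_*` choices presumably stops verifying after switching. Suggest a help block stating roughly: derive the stored password with PBKDF2-HMAC-SHA1 (10000 iterations, fixed salt "barebox_password") instead of a plain digest; changing this option requires the password to be set again. The neighbouring `PASSWD_SUM_SHA512` entry is the only other choice member visible here, so whether the enclosing `choice` already documents this cannot be checked from the hunk.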
@@ -35,8 +36,14 @@ #define PASSWD_SUM "sha256" #elif defined(CONFIG_PASSWD_SUM_SHA512) #define PASSWD_SUM "sha512" +#else +#define PASSWD_SUM NULL #endif +#define PBKDF2_SALT "barebox_password" +#define PBKDF2_LENGTH 64 +#define PBKDF2_COUNT 10000 + int password(unsigned char *passwd, size_t length, int flags, int timeout) { unsigned char *buf = passwd; @@ -277,45 +284,50 @@ EXPORT_SYMBOL(write_env_passwd); static int __check_passwd(unsigned char* passwd, size_t length, int std) { - struct digest *d; + struct digest *d = NULL; unsigned char *passwd1_sum; unsigned char *passwd2_sum; int ret = 0; + int hash_len; - d = digest_alloc(PASSWD_SUM); + if (IS_ENABLED(CONFIG_PASSWD_CRYPTO_PBKDF2)) { + hash_len = PBKDF2_LENGTH; + } else { + d = digest_alloc(PASSWD_SUM); - passwd1_sum = calloc(digest_length(d), sizeof(unsigned char)); + hash_len = digest_length(d); + } + passwd1_sum = calloc(hash_len * 2, sizeof(unsigned char)); if (!passwd1_sum) return -ENOMEM; - passwd2_sum = calloc(digest_length(d), sizeof(unsigned char)); - - if (!passwd2_sum) { - ret = -ENOMEM; - goto err1; - } + passwd2_sum = passwd1_sum + hash_len; - digest_init(d); + if (IS_ENABLED(CONFIG_PASSWD_CRYPTO_PBKDF2)) { + char *salt = PBKDF2_SALT; - digest_update(d, passwd, length); + ret = pkcs5_pbkdf2_hmac_sha1(passwd, length, salt, strlen(salt), + PBKDF2_COUNT, hash_len, passwd1_sum); + } else { + ret = digest_digest(d, passwd, length, passwd1_sum); + } - digest_final(d, passwd1_sum); + if (ret) + goto err; if (std) - ret = read_env_passwd(passwd2_sum, digest_length(d)); + ret = read_env_passwd(passwd2_sum, hash_len); else - ret = read_default_passwd(passwd2_sum, digest_length(d)); + ret = read_default_passwd(passwd2_sum, hash_len); if (ret < 0) - goto err2; + goto err; - if (strncmp(passwd1_sum, passwd2_sum, digest_length(d)) == 0) + if (strncmp(passwd1_sum, passwd2_sum, hash_len) == 0) ret = 1; -err2: - free(passwd2_sum); -err1: +err: free(passwd1_sum); digest_free(d); 
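Review bot: `#define PBKDF2_SALT "barebox_password"` makes the salt a compile-time constant shared by every build and every device, so it does no salting: equal passwords derive equal keys everywhere, and one precomputed dictionary for that single salt covers every image using it. A per-device random salt generated when the password is set and stored next to the derived key, with the constant kept only as a read-side fallback for entries written before the change, would restore the purpose of the parameter. The same applies to `PBKDF2_COUNT 10000`: it is not recorded with the key, so it cannot later be raised without invalidating every stored password; a comment on the define, `/* not stored with the key: changing it invalidates stored passwords */`, would at least make that explicit.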
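Review bot: The comparison `strncmp(passwd1_sum, passwd2_sum, hash_len)` treats two binary buffers as C strings, so it stops at the first 0x00 byte in either buffer and a derived key containing a zero byte is checked only up to that byte; for a 64-byte PBKDF2 output roughly one password in five contains one. The line is rewritten by this hunk and should become `if (memcmp(passwd1_sum, passwd2_sum, hash_len) == 0)`, which also removes the signed/unsigned char mismatch; since this decides authentication, a constant-time comparison would be preferable to `memcmp` if the tree provides one. Separately, in the PBKDF2 configuration `d` stays NULL and still reaches `digest_free(d)` at `err:`, which is only safe if `digest_free()` accepts NULL, not visible here. `digest_alloc()` returning NULL remains unchecked before `digest_length(d)`, as it was before this patch.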
@@ -346,25 +358,36 @@ int check_passwd(unsigned char* passwd, size_t length) int set_env_passwd(unsigned char* passwd, size_t length) { - struct digest *d; + struct digest *d = NULL; unsigned char *passwd_sum; - int ret; + int ret, hash_len; - d = digest_alloc(PASSWD_SUM); + if (IS_ENABLED(CONFIG_PASSWD_CRYPTO_PBKDF2)) { + hash_len = PBKDF2_LENGTH; + } else { + d = digest_alloc(PASSWD_SUM); - passwd_sum = calloc(digest_length(d), sizeof(unsigned char)); + hash_len = digest_length(d); + } + passwd_sum = calloc(hash_len, sizeof(unsigned char)); if (!passwd_sum) return -ENOMEM; - digest_init(d); + if (IS_ENABLED(CONFIG_PASSWD_CRYPTO_PBKDF2)) { + char *salt = PBKDF2_SALT; - digest_update(d, passwd, length); - - digest_final(d, passwd_sum); + ret = pkcs5_pbkdf2_hmac_sha1(passwd, length, salt, strlen(salt), + PBKDF2_COUNT, hash_len, passwd_sum); + } else { + ret = digest_digest(d, passwd, length, passwd_sum); + } + if (ret) + goto err; - ret = write_env_passwd(passwd_sum, digest_length(d)); + ret = write_env_passwd(passwd_sum, hash_len); +err: free(passwd_sum); return ret; -- 2.1.4 _______________________________________________ barebox mailing list barebox@lists.infradead.org http://lists.infradead.org/mailman/listinfo/barebox
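Review bot: The derivation block (`IS_ENABLED(CONFIG_PASSWD_CRYPTO_PBKDF2)` choosing between `pkcs5_pbkdf2_hmac_sha1()` and `digest_alloc()`/`digest_digest()`, plus the matching `hash_len` selection) is now written out twice, here and in `__check_passwd()` in the previous hunk, so any later change to salt, iteration count or algorithm has to be made in two places. Suggest one static helper that both callers use, which also gives a single place to reject a failed `digest_alloc()`, currently unchecked in both functions, and to free the digest only when one was allocated, since whether `digest_free()` tolerates the NULL `d` of the PBKDF2 path is not visible here. `__check_passwd()` would then call the helper for the candidate and keep a separate `calloc(hash_len, ...)` for the stored value it reads back. The closing brace of `set_env_passwd()` lies outside the hunk.
```c
/*
 * Derive the stored form of @passwd. On success *@out points to a freshly
 * allocated buffer the caller frees and the derived length is returned;
 * a negative error code is returned otherwise.
 */
static int passwd_derive(unsigned char *passwd, size_t length,
			 unsigned char **out)
{
	struct digest *d = NULL;
	unsigned char *sum;
	int hash_len, ret;

	if (IS_ENABLED(CONFIG_PASSWD_CRYPTO_PBKDF2)) {
		hash_len = PBKDF2_LENGTH;
	} else {
		d = digest_alloc(PASSWD_SUM);
		if (!d)
			return -EINVAL;
		hash_len = digest_length(d);
	}

	sum = calloc(hash_len, sizeof(unsigned char));
	if (!sum) {
		ret = -ENOMEM;
		goto out;
	}

	if (IS_ENABLED(CONFIG_PASSWD_CRYPTO_PBKDF2)) {
		char *salt = PBKDF2_SALT;

		ret = pkcs5_pbkdf2_hmac_sha1(passwd, length, salt, strlen(salt),
					     PBKDF2_COUNT, hash_len, sum);
	} else {
		ret = digest_digest(d, passwd, length, sum);
	}

	if (ret) {
		free(sum);
		goto out;
	}

	*out = sum;
	ret = hash_len;
out:
	if (d)	/* only the digest path allocated one */
		digest_free(d);
	return ret;
}

int set_env_passwd(unsigned char* passwd, size_t length)
{
	unsigned char *passwd_sum;
	int hash_len, ret;

	hash_len = passwd_derive(passwd, length, &passwd_sum);
	if (hash_len < 0)
		return hash_len;

	ret = write_env_passwd(passwd_sum, hash_len);
	free(passwd_sum);
	return ret;
```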