202 lines
4.7 KiB
C
202 lines
4.7 KiB
C
|
/*
|
|||
|
* GRUB -- GRand Unified Bootloader
|
|||
|
* Copyright (C) 2009 Free Software Foundation, Inc.
|
|||
|
*
|
|||
|
* GRUB is free software: you can redistribute it and/or modify
|
|||
|
* it under the terms of the GNU General Public License as published by
|
|||
|
* the Free Software Foundation, either version 3 of the License, or
|
|||
|
* (at your option) any later version.
|
|||
|
*
|
|||
|
* GRUB is distributed in the hope that it will be useful,
|
|||
|
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|||
|
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|||
|
* GNU General Public License for more details.
|
|||
|
*
|
|||
|
* You should have received a copy of the GNU General Public License
|
|||
|
* along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
|||
|
*/
|
|||
|
|
|||
|
#include <grub/crypto.h>
|
|||
|
#include <grub/list.h>
|
|||
|
#include <grub/mm.h>
|
|||
|
#include <grub/misc.h>
|
|||
|
#include <grub/env.h>
|
|||
|
#include <grub/normal.h>
|
|||
|
#include <grub/dl.h>
|
|||
|
|
|||
|
static grub_dl_t my_mod;
|
|||
|
|
|||
|
struct pbkdf2_password
|
|||
|
{
|
|||
|
grub_uint8_t *salt;
|
|||
|
grub_size_t saltlen;
|
|||
|
unsigned int c;
|
|||
|
grub_uint8_t *expected;
|
|||
|
grub_size_t buflen;
|
|||
|
};
|
|||
|
|
|||
|
static grub_err_t
|
|||
|
check_password (const char *user, void *pin)
|
|||
|
{
|
|||
|
char entered[1024];
|
|||
|
grub_uint8_t *buf;
|
|||
|
struct pbkdf2_password *pass = pin;
|
|||
|
gcry_err_code_t err;
|
|||
|
|
|||
|
grub_memset (entered, 0, sizeof (entered));
|
|||
|
|
|||
|
if (!GRUB_GET_PASSWORD (entered, sizeof (entered) - 1))
|
|||
|
return GRUB_ACCESS_DENIED;
|
|||
|
|
|||
|
buf = grub_malloc (pass->buflen);
|
|||
|
if (!buf)
|
|||
|
return grub_crypto_gcry_error (GPG_ERR_OUT_OF_MEMORY);
|
|||
|
|
|||
|
err = grub_crypto_pbkdf2 (GRUB_MD_SHA512, (grub_uint8_t *) &entered,
|
|||
|
grub_strlen (entered),
|
|||
|
pass->salt, pass->saltlen, pass->c,
|
|||
|
buf, pass->buflen);
|
|||
|
if (err)
|
|||
|
{
|
|||
|
grub_free (buf);
|
|||
|
return grub_crypto_gcry_error (err);
|
|||
|
}
|
|||
|
|
|||
|
if (grub_crypto_memcmp (buf, pass->expected, pass->buflen) != 0)
|
|||
|
return GRUB_ACCESS_DENIED;
|
|||
|
|
|||
|
grub_auth_authenticate (user);
|
|||
|
|
|||
|
return GRUB_ERR_NONE;
|
|||
|
}
|
|||
|
|
|||
|
static inline int
|
|||
|
hex2val (char hex)
|
|||
|
{
|
|||
|
if ('0' <= hex && hex <= '9')
|
|||
|
return hex - '0';
|
|||
|
if ('a' <= hex && hex <= 'f')
|
|||
|
return hex - 'a' + 10;
|
|||
|
if ('A' <= hex && hex <= 'F')
|
|||
|
return hex - 'A' + 10;
|
|||
|
return -1;
|
|||
|
}
|
|||
|
|
|||
|
static grub_err_t
|
|||
|
grub_cmd_password (grub_command_t cmd __attribute__ ((unused)),
|
|||
|
int argc, char **args)
|
|||
|
{
|
|||
|
grub_err_t err;
|
|||
|
char *ptr, *ptr2;
|
|||
|
grub_uint8_t *ptro;
|
|||
|
struct pbkdf2_password *pass;
|
|||
|
|
|||
|
if (argc != 2)
|
|||
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, "Two arguments expected.");
|
|||
|
|
|||
|
if (grub_memcmp (args[1], "grub.pbkdf2.sha512.",
|
|||
|
sizeof ("grub.pbkdf2.sha512.") - 1) != 0)
|
|||
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, "Incorrect PBKDF2 password.");
|
|||
|
|
|||
|
ptr = args[1] + sizeof ("grub.pbkdf2.sha512.") - 1;
|
|||
|
|
|||
|
pass = grub_malloc (sizeof (*pass));
|
|||
|
if (!pass)
|
|||
|
return grub_errno;
|
|||
|
|
|||
|
pass->c = grub_strtoul (ptr, &ptr, 0);
|
|||
|
if (*ptr != '.')
|
|||
|
{
|
|||
|
grub_free (pass);
|
|||
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, "Incorrect PBKDF2 password.");
|
|||
|
}
|
|||
|
ptr++;
|
|||
|
|
|||
|
ptr2 = grub_strchr (ptr, '.');
|
|||
|
if (!ptr2 || ((ptr2 - ptr) & 1) || grub_strlen (ptr2 + 1) & 1)
|
|||
|
{
|
|||
|
grub_free (pass);
|
|||
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, "Incorrect PBKDF2 password.");
|
|||
|
}
|
|||
|
|
|||
|
pass->saltlen = (ptr2 - ptr) >> 1;
|
|||
|
pass->buflen = grub_strlen (ptr2 + 1) >> 1;
|
|||
|
ptro = pass->salt = grub_malloc (pass->saltlen);
|
|||
|
if (!ptro)
|
|||
|
{
|
|||
|
grub_free (pass);
|
|||
|
return grub_errno;
|
|||
|
}
|
|||
|
while (ptr < ptr2)
|
|||
|
{
|
|||
|
int hex1, hex2;
|
|||
|
hex1 = hex2val (*ptr);
|
|||
|
ptr++;
|
|||
|
hex2 = hex2val (*ptr);
|
|||
|
ptr++;
|
|||
|
if (hex1 < 0 || hex2 < 0)
|
|||
|
{
|
|||
|
grub_free (pass->salt);
|
|||
|
grub_free (pass);
|
|||
|
return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
|||
|
"Incorrect PBKDF2 password.");
|
|||
|
}
|
|||
|
|
|||
|
*ptro = (hex1 << 4) | hex2;
|
|||
|
ptro++;
|
|||
|
}
|
|||
|
|
|||
|
ptro = pass->expected = grub_malloc (pass->buflen);
|
|||
|
if (!ptro)
|
|||
|
{
|
|||
|
grub_free (pass->salt);
|
|||
|
grub_free (pass);
|
|||
|
return grub_errno;
|
|||
|
}
|
|||
|
ptr = ptr2 + 1;
|
|||
|
ptr2 += grub_strlen (ptr2);
|
|||
|
while (ptr < ptr2)
|
|||
|
{
|
|||
|
int hex1, hex2;
|
|||
|
hex1 = hex2val (*ptr);
|
|||
|
ptr++;
|
|||
|
hex2 = hex2val (*ptr);
|
|||
|
ptr++;
|
|||
|
if (hex1 < 0 || hex2 < 0)
|
|||
|
{
|
|||
|
grub_free (pass->expected);
|
|||
|
grub_free (pass->salt);
|
|||
|
grub_free (pass);
|
|||
|
return grub_error (GRUB_ERR_BAD_ARGUMENT,
|
|||
|
"Incorrect PBKDF2 password.");
|
|||
|
}
|
|||
|
|
|||
|
*ptro = (hex1 << 4) | hex2;
|
|||
|
ptro++;
|
|||
|
}
|
|||
|
|
|||
|
err = grub_auth_register_authentication (args[0], check_password, pass);
|
|||
|
if (err)
|
|||
|
{
|
|||
|
grub_free (pass);
|
|||
|
return err;
|
|||
|
}
|
|||
|
grub_dl_ref (my_mod);
|
|||
|
return GRUB_ERR_NONE;
|
|||
|
}
|
|||
|
|
|||
|
static grub_command_t cmd;
|
|||
|
|
|||
|
GRUB_MOD_INIT(password_pbkdf2)
|
|||
|
{
|
|||
|
my_mod = mod;
|
|||
|
cmd = grub_register_command ("password_pbkdf2", grub_cmd_password,
|
|||
|
"password_pbkdf2 USER PBKDF2_PASSWORD",
|
|||
|
"Set user password (PBKDF2). ");
|
|||
|
}
|
|||
|
|
|||
|
GRUB_MOD_FINI(password_pbkdf2)
|
|||
|
{
|
|||
|
grub_unregister_command (cmd);
|
|||
|
}
|