2010-01-07 Vladimir Serbinenko <phcoder@gmail.com>

Merge crypto branch. * Makefile.in (pkglib_DATA): Add crypto.lst. (crypto.lst): New target. * commands/hashsum.c: New file. * commands/password.c (check_password): Use grub_crypto_memcmp. * commands/password_pbkdf2.c: New file. * commands/xnu_uuid.c: Remove MD5. Use GRUB_MD_MD5. * conf/any-emu.rmk (grub_emu_SOURCES): Add lib/crypto.c, normal/crypto.c and lib/libgcrypt-grub/cipher/md5.c. (grub_emu_CFLAGS): Add -Wno-missing-field-initializers -Wno-error -I$(srcdir)/lib/libgcrypt_wrap. * conf/common.rmk (normal_mod_SOURCES): Add normal/crypto.c. (pkglib_MODULES): Add crypto.mod, hashsum.mod, pbkdf2.mod and password_pbkdf2.mod. (crypto_mod_SOURCES): New variable. (crypto_mod_CFLAGS): Likewise. (crypto_mod_LDFLAGS): Likewise. (hashsum_mod_SOURCES): New variable. (hashsum_mod_CFLAGS): Likewise. (hashsum_mod_LDFLAGS): Likewise. (pbkdf2_mod_SOURCES): New variable. (pbkdf2_mod_CFLAGS): Likewise. (pbkdf2_mod_LDFLAGS): Likewise. (password_pbkdf2_mod_SOURCES): New variable. (password_pbkdf2_mod_CFLAGS): Likewise. (password_pbkdf2_mod_LDFLAGS): Likewise. (bin_UTILITIES): Add grub-mkpasswd-pbkdf2. (grub_mkpasswd_pbkdf2_SOURCES): New variable. (grub_mkpasswd_pbkdf2_CFLAGS): Likewise. Include conf/gcry.rmk. * include/grub/auth.h: Rewritten. * include/grub/crypto.h: New file. * include/grub/disk.h (grub_disk_dev_id): Add GRUB_DISK_DEVICE_LUKS_ID. * include/grub/normal.h (read_crypto_list): New prototype. * lib/crypto.c: New file. * lib/libgcrypt_wrap/cipher_wrap.h: Likewise. * lib/pbkdf2.c: Likewise. * normal/auth.c (grub_auth_strcmp): Removed. (grub_iswordseparator): Likewise. (grub_auth_strword): Likewise. (is_authenticated): Use grub_strword. (grub_auth_check_authentication): Use grub_strcmp, grub_password_get and grub_strword. Pass entered password to authentication callback. * normal/crypto.c: New file. * normal/main.c: Call read_crypto_list. * util/grub-mkpasswd-pbkdf2.c: New file. * util/import_gcry.py: Generate crypto.lst. Add hash blocklen.
2010-01-07 01:13:01 +01:00 · 2010-01-07 01:13:01 +01:00 · 607a3701db
commit 607a3701db
parent 42841caa75 3851cc386e
21 changed files with 2086 additions and 414 deletions
--- a/lib/crypto.c
+++ b/lib/crypto.c
@ -0,0 +1,453 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 1998, 1999, 2000, 2001, 2002, 2003, 2004, 2006
+ *                2007, 2008, 2009  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#include <grub/crypto.h>
+#include <grub/misc.h>
+#include <grub/mm.h>
+#include <grub/term.h>
+
+struct grub_crypto_hmac_handle
+{
+  const struct gcry_md_spec *md;
+  void *ctx;
+  void *opad;
+};
+
+static gcry_cipher_spec_t *grub_ciphers = NULL;
+static gcry_md_spec_t *grub_digests = NULL;
+
+void (*grub_crypto_autoload_hook) (const char *name) = NULL;
+
+/* Based on libgcrypt-1.4.4/src/misc.c.  */
+void
+grub_burn_stack (grub_size_t size)
+{
+  char buf[64];
+
+  grub_memset (buf, 0, sizeof (buf));
+  if (size > sizeof (buf))
+    grub_burn_stack (size - sizeof (buf));
+}
+
+
+void 
+grub_cipher_register (gcry_cipher_spec_t *cipher)
+{
+  cipher->next = grub_ciphers;
+  grub_ciphers = cipher;
+}
+
+void
+grub_cipher_unregister (gcry_cipher_spec_t *cipher)
+{
+  gcry_cipher_spec_t **ciph;
+  for (ciph = &grub_ciphers; *ciph; ciph = &((*ciph)->next))
+    if (*ciph == cipher)
+      {
+	*ciph = (*ciph)->next;
+	break;
+      }
+}
+
+void 
+grub_md_register (gcry_md_spec_t *digest)
+{
+  digest->next = grub_digests;
+  grub_digests = digest;
+}
+
+void 
+grub_md_unregister (gcry_md_spec_t *cipher)
+{
+  gcry_md_spec_t **ciph;
+  for (ciph = &grub_digests; *ciph; ciph = &((*ciph)->next))
+    if (*ciph == cipher)
+      {
+	*ciph = (*ciph)->next;
+	break;
+      }
+}
+
+void
+grub_crypto_hash (const gcry_md_spec_t *hash, void *out, const void *in,
+		  grub_size_t inlen)
+{
+  grub_uint8_t ctx[hash->contextsize];
+  hash->init (&ctx);
+  hash->write (&ctx, in, inlen);
+  hash->final (&ctx);
+  grub_memcpy (out, hash->read (&ctx), hash->mdlen);
+}
+
+const gcry_md_spec_t *
+grub_crypto_lookup_md_by_name (const char *name)
+{
+  const gcry_md_spec_t *md;
+  int first = 1;
+  while (1)
+    {
+      for (md = grub_digests; md; md = md->next)
+	if (grub_strcasecmp (name, md->name) == 0)
+	  return md;
+      if (grub_crypto_autoload_hook && first)
+	grub_crypto_autoload_hook (name);
+      else
+	return NULL;
+      first = 0;
+    }
+}
+
+const gcry_cipher_spec_t *
+grub_crypto_lookup_cipher_by_name (const char *name)
+{
+  const gcry_cipher_spec_t *ciph;
+  int first = 1;
+  while (1)
+    {
+      for (ciph = grub_ciphers; ciph; ciph = ciph->next)
+	{
+	  const char **alias;
+	  if (grub_strcasecmp (name, ciph->name) == 0)
+	    return ciph;
+	  if (!ciph->aliases)
+	    continue;
+	  for (alias = ciph->aliases; *alias; alias++)
+	    if (grub_strcasecmp (name, *alias) == 0)
+	      return ciph;
+	}
+      if (grub_crypto_autoload_hook && first)
+	grub_crypto_autoload_hook (name);
+      else
+	return NULL;
+      first = 0;
+    }
+}
+
+
+grub_crypto_cipher_handle_t
+grub_crypto_cipher_open (const struct gcry_cipher_spec *cipher)
+{
+  grub_crypto_cipher_handle_t ret;
+  ret = grub_malloc (sizeof (*ret) + cipher->contextsize);
+  if (!ret)
+    return NULL;
+  ret->cipher = cipher;
+  return ret;
+}
+
+gcry_err_code_t
+grub_crypto_cipher_set_key (grub_crypto_cipher_handle_t cipher,
+			    const unsigned char *key,
+			    unsigned keylen)
+{
+  return cipher->cipher->setkey (cipher->ctx, key, keylen);
+}
+
+
+void
+grub_crypto_cipher_close (grub_crypto_cipher_handle_t cipher)
+{
+  grub_free (cipher);
+}
+
+
+void
+grub_crypto_xor (void *out, const void *in1, const void *in2, grub_size_t size)
+{
+  const grub_uint8_t *in1ptr = in1, *in2ptr = in2;
+  grub_uint8_t *outptr = out;
+  while (size--)
+    {
+      *outptr = *in1ptr ^ *in2ptr;
+      in1ptr++;
+      in2ptr++;
+      outptr++;
+    }
+}
+
+gcry_err_code_t
+grub_crypto_ecb_decrypt (grub_crypto_cipher_handle_t cipher,
+			 void *out, void *in, grub_size_t size)
+{
+  grub_uint8_t *inptr, *outptr, *end;
+  if (!cipher->cipher->decrypt)
+    return GPG_ERR_NOT_SUPPORTED;
+  if (size % cipher->cipher->blocksize != 0)
+    return GPG_ERR_INV_ARG;
+  end = (grub_uint8_t *) in + size;
+  for (inptr = in, outptr = out; inptr < end;
+       inptr += cipher->cipher->blocksize, outptr += cipher->cipher->blocksize)
+    cipher->cipher->decrypt (cipher->ctx, outptr, inptr);
+  return GPG_ERR_NO_ERROR;
+}
+
+gcry_err_code_t
+grub_crypto_ecb_encrypt (grub_crypto_cipher_handle_t cipher,
+			 void *out, void *in, grub_size_t size)
+{
+  grub_uint8_t *inptr, *outptr, *end;
+  if (!cipher->cipher->encrypt)
+    return GPG_ERR_NOT_SUPPORTED;
+  if (size % cipher->cipher->blocksize != 0)
+    return GPG_ERR_INV_ARG;
+  end = (grub_uint8_t *) in + size;
+  for (inptr = in, outptr = out; inptr < end;
+       inptr += cipher->cipher->blocksize, outptr += cipher->cipher->blocksize)
+    cipher->cipher->encrypt (cipher->ctx, outptr, inptr);
+  return GPG_ERR_NO_ERROR;
+}
+
+gcry_err_code_t
+grub_crypto_cbc_encrypt (grub_crypto_cipher_handle_t cipher,
+			 void *out, void *in, grub_size_t size,
+			 void *iv_in)
+{
+  grub_uint8_t *inptr, *outptr, *end;
+  void *iv;
+  if (!cipher->cipher->decrypt)
+    return GPG_ERR_NOT_SUPPORTED;
+  if (size % cipher->cipher->blocksize != 0)
+    return GPG_ERR_INV_ARG;
+  end = (grub_uint8_t *) in + size;
+  iv = iv_in;
+  for (inptr = in, outptr = out; inptr < end;
+       inptr += cipher->cipher->blocksize, outptr += cipher->cipher->blocksize)
+    {
+      grub_crypto_xor (outptr, inptr, iv, cipher->cipher->blocksize);
+      cipher->cipher->encrypt (cipher->ctx, outptr, outptr);
+      iv = outptr;
+    }
+  grub_memcpy (iv_in, iv, cipher->cipher->blocksize);
+  return GPG_ERR_NO_ERROR;
+}
+
+gcry_err_code_t
+grub_crypto_cbc_decrypt (grub_crypto_cipher_handle_t cipher,
+			 void *out, void *in, grub_size_t size,
+			 void *iv)
+{
+  grub_uint8_t *inptr, *outptr, *end;
+  grub_uint8_t ivt[cipher->cipher->blocksize];
+  if (!cipher->cipher->decrypt)
+    return GPG_ERR_NOT_SUPPORTED;
+  if (size % cipher->cipher->blocksize != 0)
+    return GPG_ERR_INV_ARG;
+  end = (grub_uint8_t *) in + size;
+  for (inptr = in, outptr = out; inptr < end;
+       inptr += cipher->cipher->blocksize, outptr += cipher->cipher->blocksize)
+    {
+      grub_memcpy (ivt, inptr, cipher->cipher->blocksize);
+      cipher->cipher->decrypt (cipher->ctx, outptr, inptr);
+      grub_crypto_xor (outptr, outptr, iv, cipher->cipher->blocksize);
+      grub_memcpy (iv, ivt, cipher->cipher->blocksize);
+    }
+  return GPG_ERR_NO_ERROR;
+}
+
+/* Based on gcry/cipher/md.c.  */
+struct grub_crypto_hmac_handle *
+grub_crypto_hmac_init (const struct gcry_md_spec *md,
+		       const void *key, grub_size_t keylen)
+{
+  grub_uint8_t *helpkey = NULL;
+  grub_uint8_t *ipad = NULL, *opad = NULL;
+  void *ctx = NULL;
+  struct grub_crypto_hmac_handle *ret = NULL;
+  unsigned i;
+
+  if (md->mdlen > md->blocksize)
+    return NULL;
+
+  ctx = grub_malloc (md->contextsize);
+  if (!ctx)
+    goto err;
+
+  if ( keylen > md->blocksize ) 
+    {
+      helpkey = grub_malloc (md->mdlen);
+      if (!helpkey)
+	goto err;
+      grub_crypto_hash (md, helpkey, key, keylen);
+
+      key = helpkey;
+      keylen = md->mdlen;
+    }
+
+  ipad = grub_zalloc (md->blocksize);
+  if (!ipad)
+    goto err;
+
+  opad = grub_zalloc (md->blocksize);
+  if (!opad)
+    goto err;
+
+  grub_memcpy ( ipad, key, keylen );
+  grub_memcpy ( opad, key, keylen );
+  for (i=0; i < md->blocksize; i++ ) 
+    {
+      ipad[i] ^= 0x36;
+      opad[i] ^= 0x5c;
+    }
+  grub_free (helpkey);
+  helpkey = NULL;
+
+  md->init (ctx);
+
+  md->write (ctx, ipad, md->blocksize); /* inner pad */
+  grub_memset (ipad, 0, md->blocksize);
+  grub_free (ipad);
+  ipad = NULL;
+
+  ret = grub_malloc (sizeof (*ret));
+  if (!ret)
+    goto err;
+
+  ret->md = md;
+  ret->ctx = ctx;
+  ret->opad = opad;
+
+  return ret;
+
+ err:
+  grub_free (helpkey);
+  grub_free (ctx);
+  grub_free (ipad);
+  grub_free (opad);
+  return NULL;
+}
+
+void
+grub_crypto_hmac_write (struct grub_crypto_hmac_handle *hnd, void *data,
+			grub_size_t datalen)
+{
+  hnd->md->write (hnd->ctx, data, datalen);
+}
+
+gcry_err_code_t
+grub_crypto_hmac_fini (struct grub_crypto_hmac_handle *hnd, void *out)
+{
+  grub_uint8_t *p;
+  grub_uint8_t *ctx2;
+
+  ctx2 = grub_malloc (hnd->md->contextsize);
+  if (!ctx2)
+    return GPG_ERR_OUT_OF_MEMORY;
+
+  hnd->md->final (hnd->ctx);
+  hnd->md->read (hnd->ctx);
+  p = hnd->md->read (hnd->ctx);
+
+  hnd->md->init (ctx2);
+  hnd->md->write (ctx2, hnd->opad, hnd->md->blocksize);
+  hnd->md->write (ctx2, p, hnd->md->mdlen);
+  hnd->md->final (ctx2);
+  grub_memset (hnd->opad, 0, hnd->md->blocksize);
+  grub_free (hnd->opad);
+  grub_memset (hnd->ctx, 0, hnd->md->contextsize);
+  grub_free (hnd->ctx);
+
+  grub_memcpy (out, hnd->md->read (ctx2), hnd->md->mdlen);
+  grub_memset (ctx2, 0, hnd->md->contextsize);
+  grub_free (ctx2);
+
+  grub_memset (hnd, 0, sizeof (*hnd));
+  grub_free (hnd);
+
+  return GPG_ERR_NO_ERROR;
+}
+
+gcry_err_code_t
+grub_crypto_hmac_buffer (const struct gcry_md_spec *md,
+			 const void *key, grub_size_t keylen,
+			 void *data, grub_size_t datalen, void *out)
+{
+  struct grub_crypto_hmac_handle *hnd;
+
+  hnd = grub_crypto_hmac_init (md, key, keylen);
+  if (!hnd)
+    return GPG_ERR_OUT_OF_MEMORY;
+
+  grub_crypto_hmac_write (hnd, data, datalen);
+  return grub_crypto_hmac_fini (hnd, out);
+}
+
+
+grub_err_t
+grub_crypto_gcry_error (gcry_err_code_t in)
+{
+  if (in == GPG_ERR_NO_ERROR)
+    return GRUB_ERR_NONE;
+  return GRUB_ACCESS_DENIED;
+}
+
+int
+grub_crypto_memcmp (const void *a, const void *b, grub_size_t n)
+{
+  register grub_size_t counter = 0;
+  const grub_uint8_t *pa, *pb;
+
+  for (pa = a, pb = b; n; pa++, pb++, n--)
+    {
+      if (*pa != *pb)
+	counter++;
+    }
+
+  return !!counter;
+}
+
+#ifndef GRUB_MKPASSWD
+int
+grub_password_get (char buf[], unsigned buf_size)
+{
+  unsigned cur_len = 0;
+  int key;
+
+  while (1)
+    {
+      key = GRUB_TERM_ASCII_CHAR (grub_getkey ()); 
+      if (key == '\n' || key == '\r')
+	break;
+
+      if (key == '\e')
+	{
+	  cur_len = 0;
+	  break;
+	}
+
+      if (key == '\b')
+	{
+	  cur_len--;
+	  continue;
+	}
+
+      if (!grub_isprint (key))
+	continue;
+
+      if (cur_len + 2 < buf_size)
+	buf[cur_len++] = key;
+    }
+
+  grub_memset (buf + cur_len, 0, buf_size - cur_len);
+
+  grub_putchar ('\n');
+  grub_refresh ();
+
+  return (key != '\e');
+}
+#endif
--- a/lib/libgcrypt_wrap/cipher_wrap.h
+++ b/lib/libgcrypt_wrap/cipher_wrap.h
@ -0,0 +1,86 @@
+/*
+ *  GRUB  --  GRand Unified Bootloader
+ *  Copyright (C) 2009  Free Software Foundation, Inc.
+ *
+ *  GRUB is free software: you can redistribute it and/or modify
+ *  it under the terms of the GNU General Public License as published by
+ *  the Free Software Foundation, either version 3 of the License, or
+ *  (at your option) any later version.
+ *
+ *  GRUB is distributed in the hope that it will be useful,
+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of
+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+ *  GNU General Public License for more details.
+ *
+ *  You should have received a copy of the GNU General Public License
+ *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
+ */
+
+#ifndef GRUB_GCRY_WRAP_HEADER
+#define GRUB_GCRY_WRAP_HEADER 1
+
+#include <grub/types.h>
+#include <grub/mm.h>
+#include <grub/misc.h>
+#include <grub/dl.h>
+#include <grub/crypto.h>
+
+#define __GNU_LIBRARY__
+
+#define DIM ARRAY_SIZE
+
+typedef grub_uint64_t u64;
+typedef grub_uint32_t u32;
+typedef grub_uint16_t u16;
+typedef grub_uint8_t byte;
+typedef grub_size_t size_t;
+
+#define U64_C(c) (c ## ULL)
+
+#define _gcry_burn_stack grub_burn_stack
+#define log_error(fmt, args...) grub_dprintf ("crypto", fmt, ## args)
+
+
+#define PUBKEY_FLAG_NO_BLINDING    (1 << 0)
+
+#define CIPHER_INFO_NO_WEAK_KEY    1
+
+#define HAVE_U64_TYPEDEF 1
+
+typedef union {
+    int a;
+    short b;
+    char c[1];
+    long d;
+#ifdef HAVE_U64_TYPEDEF
+    u64 e;
+#endif
+    float f;
+    double g;
+} PROPERLY_ALIGNED_TYPE;
+
+#define gcry_assert(x) grub_assert_real(__FILE__, __LINE__, x)
+
+static inline void
+grub_assert_real (const char *file, int line, int cond)
+{
+  if (!cond)
+    grub_fatal ("Assertion failed at %s:%d\n", file, line);
+}
+
+/* Selftests are in separate modules.  */
+static inline char *
+selftest (void)
+{
+  return NULL;
+}
+
+static inline int
+fips_mode (void)
+{
+  return 0;
+}
+
+#define memset grub_memset
+
+#endif
--- a/lib/pbkdf2.c
+++ b/lib/pbkdf2.c
@ -0,0 +1,102 @@
+/* gc-pbkdf2-sha1.c --- Password-Based Key Derivation Function a'la PKCS#5
+   Copyright (C) 2002, 2003, 2004, 2005, 2006, 2009 Free Software Foundation, Inc.
+
+   This program is free software; you can redistribute it and/or modify
+   it under the terms of the GNU General Public License as published by
+   the Free Software Foundation; either version 2, or (at your option)
+   any later version.
+
+   This program is distributed in the hope that it will be useful,
+   but WITHOUT ANY WARRANTY; without even the implied warranty of
+   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+   GNU General Public License for more details.
+
+   You should have received a copy of the GNU General Public License
+   along with this program; if not, write to the Free Software Foundation,
+   Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.  */
+
+/* Written by Simon Josefsson.  */
+/* Imported from gnulib.  */
+
+#include <grub/crypto.h>
+#include <grub/mm.h>
+#include <grub/misc.h>
+
+/* Implement PKCS#5 PBKDF2 as per RFC 2898.  The PRF to use is HMAC variant
+   of digest supplied by MD.  Inputs are the password P of length PLEN,
+   the salt S of length SLEN, the iteration counter C (> 0), and the
+   desired derived output length DKLEN.  Output buffer is DK which
+   must have room for at least DKLEN octets.  The output buffer will
+   be filled with the derived data.  */
+gcry_err_code_t
+grub_crypto_pbkdf2 (const struct gcry_md_spec *md,
+		    const grub_uint8_t *P, grub_size_t Plen,
+		    const grub_uint8_t *S, grub_size_t Slen,
+		    unsigned int c,
+		    grub_uint8_t *DK, grub_size_t dkLen)
+{
+  unsigned int hLen = md->mdlen;
+  grub_uint8_t U[md->mdlen];
+  grub_uint8_t T[md->mdlen];
+  unsigned int u;
+  unsigned int l;
+  unsigned int r;
+  unsigned int i;
+  unsigned int k;
+  gcry_err_code_t rc;
+  grub_uint8_t *tmp;
+  grub_size_t tmplen = Slen + 4;
+
+  if (c == 0)
+    return GPG_ERR_INV_ARG;
+
+  if (dkLen == 0)
+    return GPG_ERR_INV_ARG;
+
+  if (dkLen > 4294967295U)
+    return GPG_ERR_INV_ARG;
+
+  l = ((dkLen - 1) / hLen) + 1;
+  r = dkLen - (l - 1) * hLen;
+
+  tmp = grub_malloc (tmplen);
+  if (tmp == NULL)
+    return GPG_ERR_OUT_OF_MEMORY;
+
+  grub_memcpy (tmp, S, Slen);
+
+  for (i = 1; i <= l; i++)
+    {
+      grub_memset (T, 0, hLen);
+
+      for (u = 1; u <= c; u++)
+	{
+	  if (u == 1)
+	    {
+	      tmp[Slen + 0] = (i & 0xff000000) >> 24;
+	      tmp[Slen + 1] = (i & 0x00ff0000) >> 16;
+	      tmp[Slen + 2] = (i & 0x0000ff00) >> 8;
+	      tmp[Slen + 3] = (i & 0x000000ff) >> 0;
+
+	      rc = grub_crypto_hmac_buffer (md, P, Plen, tmp, tmplen, U);
+	    }
+	  else
+	    rc = grub_crypto_hmac_buffer (md, P, Plen, U, hLen, U);
+
+	  if (rc != GPG_ERR_NO_ERROR)
+	    {
+	      grub_free (tmp);
+	      return rc;
+	    }
+
+	  for (k = 0; k < hLen; k++)
+	    T[k] ^= U[k];
+	}
+
+      grub_memcpy (DK + (i - 1) * hLen, T, i == l ? r : hLen);
+    }
+
+  grub_free (tmp);
+
+  return GPG_ERR_NO_ERROR;
+}