Use dedicated simple password retriever for size of future crypto disks modules and simplify entering passwords routines

This commit is contained in:
Vladimir 'phcoder' Serbinenko 2009-12-06 20:11:50 +01:00
parent c0a6bd447e
commit b391bdb2f2
7 changed files with 71 additions and 46 deletions

View file

@ -27,20 +27,11 @@
static grub_dl_t my_mod; static grub_dl_t my_mod;
#define MAX_PASSLEN 1024
static grub_err_t static grub_err_t
check_password (const char *user, check_password (const char *user, const char *entered,
void *password) void *password)
{ {
char entered[MAX_PASSLEN]; if (grub_crypto_memcmp (entered, password, GRUB_AUTH_MAX_PASSLEN) != 0)
grub_memset (entered, 0, sizeof (entered));
if (!GRUB_GET_PASSWORD (entered, sizeof (entered) - 1))
return GRUB_ACCESS_DENIED;
if (grub_crypto_memcmp (entered, password, MAX_PASSLEN) != 0)
return GRUB_ACCESS_DENIED; return GRUB_ACCESS_DENIED;
grub_auth_authenticate (user); grub_auth_authenticate (user);
@ -59,12 +50,12 @@ grub_cmd_password (grub_command_t cmd __attribute__ ((unused)),
if (argc != 2) if (argc != 2)
return grub_error (GRUB_ERR_BAD_ARGUMENT, "Two arguments expected."); return grub_error (GRUB_ERR_BAD_ARGUMENT, "Two arguments expected.");
pass = grub_zalloc (MAX_PASSLEN); pass = grub_zalloc (GRUB_AUTH_MAX_PASSLEN);
if (!pass) if (!pass)
return grub_errno; return grub_errno;
copylen = grub_strlen (args[1]); copylen = grub_strlen (args[1]);
if (copylen >= MAX_PASSLEN) if (copylen >= GRUB_AUTH_MAX_PASSLEN)
copylen = MAX_PASSLEN - 1; copylen = GRUB_AUTH_MAX_PASSLEN - 1;
grub_memcpy (pass, args[1], copylen); grub_memcpy (pass, args[1], copylen);
err = grub_auth_register_authentication (args[0], check_password, pass); err = grub_auth_register_authentication (args[0], check_password, pass);

View file

@ -16,6 +16,7 @@
* along with GRUB. If not, see <http://www.gnu.org/licenses/>. * along with GRUB. If not, see <http://www.gnu.org/licenses/>.
*/ */
#include <grub/auth.h>
#include <grub/crypto.h> #include <grub/crypto.h>
#include <grub/list.h> #include <grub/list.h>
#include <grub/mm.h> #include <grub/mm.h>
@ -36,23 +37,17 @@ struct pbkdf2_password
}; };
static grub_err_t static grub_err_t
check_password (const char *user, void *pin) check_password (const char *user, const char *entered, void *pin)
{ {
char entered[1024];
grub_uint8_t *buf; grub_uint8_t *buf;
struct pbkdf2_password *pass = pin; struct pbkdf2_password *pass = pin;
gcry_err_code_t err; gcry_err_code_t err;
grub_memset (entered, 0, sizeof (entered));
if (!GRUB_GET_PASSWORD (entered, sizeof (entered) - 1))
return GRUB_ACCESS_DENIED;
buf = grub_malloc (pass->buflen); buf = grub_malloc (pass->buflen);
if (!buf) if (!buf)
return grub_crypto_gcry_error (GPG_ERR_OUT_OF_MEMORY); return grub_crypto_gcry_error (GPG_ERR_OUT_OF_MEMORY);
err = grub_crypto_pbkdf2 (GRUB_MD_SHA512, (grub_uint8_t *) &entered, err = grub_crypto_pbkdf2 (GRUB_MD_SHA512, (grub_uint8_t *) entered,
grub_strlen (entered), grub_strlen (entered),
pass->salt, pass->saltlen, pass->c, pass->salt, pass->saltlen, pass->c,
buf, pass->buflen); buf, pass->buflen);

View file

@ -651,6 +651,6 @@ password_pbkdf2_mod_LDFLAGS = $(COMMON_LDFLAGS)
bin_UTILITIES += grub-mkpasswd-pbkdf2 bin_UTILITIES += grub-mkpasswd-pbkdf2
grub_mkpasswd_pbkdf2_SOURCES = gnulib/progname.c util/grub-mkpasswd-pbkdf2.c lib/crypto.c lib/libgcrypt-grub/cipher/sha512.c lib/pbkdf2.c util/misc.c kern/err.c grub_mkpasswd_pbkdf2_SOURCES = gnulib/progname.c util/grub-mkpasswd-pbkdf2.c lib/crypto.c lib/libgcrypt-grub/cipher/sha512.c lib/pbkdf2.c util/misc.c kern/err.c
grub_mkpasswd_pbkdf2_CFLAGS += -Wno-missing-field-initializers -Wno-error -I$(srcdir)/lib/libgcrypt_wrap grub_mkpasswd_pbkdf2_CFLAGS += -Wno-missing-field-initializers -Wno-error -I$(srcdir)/lib/libgcrypt_wrap -DGRUB_MKPASSWD=1
include $(srcdir)/conf/gcry.mk include $(srcdir)/conf/gcry.mk

View file

@ -19,14 +19,11 @@
#define GRUB_AUTH_HEADER 1 #define GRUB_AUTH_HEADER 1
#include <grub/err.h> #include <grub/err.h>
#include <grub/crypto.h>
/* Macros for indistinguishibility. */ #define GRUB_AUTH_MAX_PASSLEN 1024
#define GRUB_ACCESS_DENIED grub_error (GRUB_ERR_ACCESS_DENIED, "Access denied.")
#define GRUB_GET_PASSWORD(string, len) grub_cmdline_get ("Enter password: ", \
string, len, \
'*', 0, 0)
typedef grub_err_t (*grub_auth_callback_t) (const char*, void *); typedef grub_err_t (*grub_auth_callback_t) (const char *, const char *, void *);
grub_err_t grub_auth_register_authentication (const char *user, grub_err_t grub_auth_register_authentication (const char *user,
grub_auth_callback_t callback, grub_auth_callback_t callback,

View file

@ -26,8 +26,6 @@
#include <grub/symbol.h> #include <grub/symbol.h>
#include <grub/types.h> #include <grub/types.h>
#include <grub/err.h> #include <grub/err.h>
/* For GRUB_ACCESS_DENIED. */
#include <grub/auth.h>
typedef enum typedef enum
{ {
@ -264,6 +262,12 @@ grub_crypto_pbkdf2 (const struct gcry_md_spec *md,
grub_uint8_t *DK, grub_size_t dkLen); grub_uint8_t *DK, grub_size_t dkLen);
int int
grub_crypto_memcmp (void *a, void *b, grub_size_t n); grub_crypto_memcmp (const void *a, const void *b, grub_size_t n);
int
grub_password_get (char buf[], unsigned buf_size);
/* For indistinguishibility. */
#define GRUB_ACCESS_DENIED grub_error (GRUB_ERR_ACCESS_DENIED, "Access denied.")
#endif #endif

View file

@ -20,6 +20,7 @@
#include <grub/crypto.h> #include <grub/crypto.h>
#include <grub/misc.h> #include <grub/misc.h>
#include <grub/mm.h> #include <grub/mm.h>
#include <grub/term.h>
struct grub_crypto_hmac_handle struct grub_crypto_hmac_handle
{ {
@ -372,10 +373,10 @@ grub_crypto_gcry_error (gcry_err_code_t in)
} }
int int
grub_crypto_memcmp (void *a, void *b, grub_size_t n) grub_crypto_memcmp (const void *a, const void *b, grub_size_t n)
{ {
register grub_size_t counter = 0; register grub_size_t counter = 0;
grub_uint8_t *pa, *pb; const grub_uint8_t *pa, *pb;
for (pa = a, pb = b; n; pa++, pb++, n--) for (pa = a, pb = b; n; pa++, pb++, n--)
{ {
@ -385,3 +386,44 @@ grub_crypto_memcmp (void *a, void *b, grub_size_t n)
return !!counter; return !!counter;
} }
#ifndef GRUB_MKPASSWD
int
grub_password_get (char buf[], unsigned buf_size)
{
unsigned cur_len = 0;
int key;
while (1)
{
key = GRUB_TERM_ASCII_CHAR (grub_getkey ());
if (key == '\n' || key == '\r')
break;
if (key == '\e')
{
cur_len = 0;
break;
}
if (key == '\b')
{
cur_len--;
continue;
}
if (!grub_isprint (key))
continue;
if (cur_len + 2 < buf_size)
buf[cur_len++] = key;
}
grub_memset (buf + cur_len, 0, buf_size - cur_len);
grub_putchar ('\n');
grub_refresh ();
return (key != '\e');
}
#endif

View file

@ -160,6 +160,7 @@ grub_auth_check_authentication (const char *userlist)
struct grub_auth_user *cur = NULL; struct grub_auth_user *cur = NULL;
grub_err_t err; grub_err_t err;
static unsigned long punishment_delay = 1; static unsigned long punishment_delay = 1;
char entered[GRUB_AUTH_MAX_PASSLEN];
auto int hook (grub_list_t item); auto int hook (grub_list_t item);
int hook (grub_list_t item) int hook (grub_list_t item)
@ -189,22 +190,17 @@ grub_auth_check_authentication (const char *userlist)
0, 0, 0)) 0, 0, 0))
goto access_denied; goto access_denied;
grub_printf ("Enter password: ");
if (!grub_password_get (entered, GRUB_AUTH_MAX_PASSLEN))
goto access_denied;
grub_list_iterate (GRUB_AS_LIST (users), hook); grub_list_iterate (GRUB_AS_LIST (users), hook);
if (!cur || ! cur->callback) if (!cur || ! cur->callback)
{ goto access_denied;
grub_list_iterate (GRUB_AS_LIST (users), hook_any);
/* No users present at all. */ err = cur->callback (login, entered, cur->arg);
if (!cur)
goto access_denied;
/* Display any of available authentication schemes. */
err = cur->callback (login, 0);
goto access_denied;
}
err = cur->callback (login, cur->arg);
if (is_authenticated (userlist)) if (is_authenticated (userlist))
{ {
punishment_delay = 1; punishment_delay = 1;