Use dedicated simple password retriever for size of future crypto disks modules and simplify entering passwords routines
This commit is contained in:
parent
c0a6bd447e
commit
b391bdb2f2
7 changed files with 71 additions and 46 deletions
|
@ -27,20 +27,11 @@
|
||||||
|
|
||||||
static grub_dl_t my_mod;
|
static grub_dl_t my_mod;
|
||||||
|
|
||||||
#define MAX_PASSLEN 1024
|
|
||||||
|
|
||||||
static grub_err_t
|
static grub_err_t
|
||||||
check_password (const char *user,
|
check_password (const char *user, const char *entered,
|
||||||
void *password)
|
void *password)
|
||||||
{
|
{
|
||||||
char entered[MAX_PASSLEN];
|
if (grub_crypto_memcmp (entered, password, GRUB_AUTH_MAX_PASSLEN) != 0)
|
||||||
|
|
||||||
grub_memset (entered, 0, sizeof (entered));
|
|
||||||
|
|
||||||
if (!GRUB_GET_PASSWORD (entered, sizeof (entered) - 1))
|
|
||||||
return GRUB_ACCESS_DENIED;
|
|
||||||
|
|
||||||
if (grub_crypto_memcmp (entered, password, MAX_PASSLEN) != 0)
|
|
||||||
return GRUB_ACCESS_DENIED;
|
return GRUB_ACCESS_DENIED;
|
||||||
|
|
||||||
grub_auth_authenticate (user);
|
grub_auth_authenticate (user);
|
||||||
|
@ -59,12 +50,12 @@ grub_cmd_password (grub_command_t cmd __attribute__ ((unused)),
|
||||||
if (argc != 2)
|
if (argc != 2)
|
||||||
return grub_error (GRUB_ERR_BAD_ARGUMENT, "Two arguments expected.");
|
return grub_error (GRUB_ERR_BAD_ARGUMENT, "Two arguments expected.");
|
||||||
|
|
||||||
pass = grub_zalloc (MAX_PASSLEN);
|
pass = grub_zalloc (GRUB_AUTH_MAX_PASSLEN);
|
||||||
if (!pass)
|
if (!pass)
|
||||||
return grub_errno;
|
return grub_errno;
|
||||||
copylen = grub_strlen (args[1]);
|
copylen = grub_strlen (args[1]);
|
||||||
if (copylen >= MAX_PASSLEN)
|
if (copylen >= GRUB_AUTH_MAX_PASSLEN)
|
||||||
copylen = MAX_PASSLEN - 1;
|
copylen = GRUB_AUTH_MAX_PASSLEN - 1;
|
||||||
grub_memcpy (pass, args[1], copylen);
|
grub_memcpy (pass, args[1], copylen);
|
||||||
|
|
||||||
err = grub_auth_register_authentication (args[0], check_password, pass);
|
err = grub_auth_register_authentication (args[0], check_password, pass);
|
||||||
|
|
|
@ -16,6 +16,7 @@
|
||||||
* along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
* along with GRUB. If not, see <http://www.gnu.org/licenses/>.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
#include <grub/auth.h>
|
||||||
#include <grub/crypto.h>
|
#include <grub/crypto.h>
|
||||||
#include <grub/list.h>
|
#include <grub/list.h>
|
||||||
#include <grub/mm.h>
|
#include <grub/mm.h>
|
||||||
|
@ -36,23 +37,17 @@ struct pbkdf2_password
|
||||||
};
|
};
|
||||||
|
|
||||||
static grub_err_t
|
static grub_err_t
|
||||||
check_password (const char *user, void *pin)
|
check_password (const char *user, const char *entered, void *pin)
|
||||||
{
|
{
|
||||||
char entered[1024];
|
|
||||||
grub_uint8_t *buf;
|
grub_uint8_t *buf;
|
||||||
struct pbkdf2_password *pass = pin;
|
struct pbkdf2_password *pass = pin;
|
||||||
gcry_err_code_t err;
|
gcry_err_code_t err;
|
||||||
|
|
||||||
grub_memset (entered, 0, sizeof (entered));
|
|
||||||
|
|
||||||
if (!GRUB_GET_PASSWORD (entered, sizeof (entered) - 1))
|
|
||||||
return GRUB_ACCESS_DENIED;
|
|
||||||
|
|
||||||
buf = grub_malloc (pass->buflen);
|
buf = grub_malloc (pass->buflen);
|
||||||
if (!buf)
|
if (!buf)
|
||||||
return grub_crypto_gcry_error (GPG_ERR_OUT_OF_MEMORY);
|
return grub_crypto_gcry_error (GPG_ERR_OUT_OF_MEMORY);
|
||||||
|
|
||||||
err = grub_crypto_pbkdf2 (GRUB_MD_SHA512, (grub_uint8_t *) &entered,
|
err = grub_crypto_pbkdf2 (GRUB_MD_SHA512, (grub_uint8_t *) entered,
|
||||||
grub_strlen (entered),
|
grub_strlen (entered),
|
||||||
pass->salt, pass->saltlen, pass->c,
|
pass->salt, pass->saltlen, pass->c,
|
||||||
buf, pass->buflen);
|
buf, pass->buflen);
|
||||||
|
|
|
@ -651,6 +651,6 @@ password_pbkdf2_mod_LDFLAGS = $(COMMON_LDFLAGS)
|
||||||
|
|
||||||
bin_UTILITIES += grub-mkpasswd-pbkdf2
|
bin_UTILITIES += grub-mkpasswd-pbkdf2
|
||||||
grub_mkpasswd_pbkdf2_SOURCES = gnulib/progname.c util/grub-mkpasswd-pbkdf2.c lib/crypto.c lib/libgcrypt-grub/cipher/sha512.c lib/pbkdf2.c util/misc.c kern/err.c
|
grub_mkpasswd_pbkdf2_SOURCES = gnulib/progname.c util/grub-mkpasswd-pbkdf2.c lib/crypto.c lib/libgcrypt-grub/cipher/sha512.c lib/pbkdf2.c util/misc.c kern/err.c
|
||||||
grub_mkpasswd_pbkdf2_CFLAGS += -Wno-missing-field-initializers -Wno-error -I$(srcdir)/lib/libgcrypt_wrap
|
grub_mkpasswd_pbkdf2_CFLAGS += -Wno-missing-field-initializers -Wno-error -I$(srcdir)/lib/libgcrypt_wrap -DGRUB_MKPASSWD=1
|
||||||
|
|
||||||
include $(srcdir)/conf/gcry.mk
|
include $(srcdir)/conf/gcry.mk
|
||||||
|
|
|
@ -19,14 +19,11 @@
|
||||||
#define GRUB_AUTH_HEADER 1
|
#define GRUB_AUTH_HEADER 1
|
||||||
|
|
||||||
#include <grub/err.h>
|
#include <grub/err.h>
|
||||||
|
#include <grub/crypto.h>
|
||||||
|
|
||||||
/* Macros for indistinguishibility. */
|
#define GRUB_AUTH_MAX_PASSLEN 1024
|
||||||
#define GRUB_ACCESS_DENIED grub_error (GRUB_ERR_ACCESS_DENIED, "Access denied.")
|
|
||||||
#define GRUB_GET_PASSWORD(string, len) grub_cmdline_get ("Enter password: ", \
|
|
||||||
string, len, \
|
|
||||||
'*', 0, 0)
|
|
||||||
|
|
||||||
typedef grub_err_t (*grub_auth_callback_t) (const char*, void *);
|
typedef grub_err_t (*grub_auth_callback_t) (const char *, const char *, void *);
|
||||||
|
|
||||||
grub_err_t grub_auth_register_authentication (const char *user,
|
grub_err_t grub_auth_register_authentication (const char *user,
|
||||||
grub_auth_callback_t callback,
|
grub_auth_callback_t callback,
|
||||||
|
|
|
@ -26,8 +26,6 @@
|
||||||
#include <grub/symbol.h>
|
#include <grub/symbol.h>
|
||||||
#include <grub/types.h>
|
#include <grub/types.h>
|
||||||
#include <grub/err.h>
|
#include <grub/err.h>
|
||||||
/* For GRUB_ACCESS_DENIED. */
|
|
||||||
#include <grub/auth.h>
|
|
||||||
|
|
||||||
typedef enum
|
typedef enum
|
||||||
{
|
{
|
||||||
|
@ -264,6 +262,12 @@ grub_crypto_pbkdf2 (const struct gcry_md_spec *md,
|
||||||
grub_uint8_t *DK, grub_size_t dkLen);
|
grub_uint8_t *DK, grub_size_t dkLen);
|
||||||
|
|
||||||
int
|
int
|
||||||
grub_crypto_memcmp (void *a, void *b, grub_size_t n);
|
grub_crypto_memcmp (const void *a, const void *b, grub_size_t n);
|
||||||
|
|
||||||
|
int
|
||||||
|
grub_password_get (char buf[], unsigned buf_size);
|
||||||
|
|
||||||
|
/* For indistinguishibility. */
|
||||||
|
#define GRUB_ACCESS_DENIED grub_error (GRUB_ERR_ACCESS_DENIED, "Access denied.")
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
46
lib/crypto.c
46
lib/crypto.c
|
@ -20,6 +20,7 @@
|
||||||
#include <grub/crypto.h>
|
#include <grub/crypto.h>
|
||||||
#include <grub/misc.h>
|
#include <grub/misc.h>
|
||||||
#include <grub/mm.h>
|
#include <grub/mm.h>
|
||||||
|
#include <grub/term.h>
|
||||||
|
|
||||||
struct grub_crypto_hmac_handle
|
struct grub_crypto_hmac_handle
|
||||||
{
|
{
|
||||||
|
@ -372,10 +373,10 @@ grub_crypto_gcry_error (gcry_err_code_t in)
|
||||||
}
|
}
|
||||||
|
|
||||||
int
|
int
|
||||||
grub_crypto_memcmp (void *a, void *b, grub_size_t n)
|
grub_crypto_memcmp (const void *a, const void *b, grub_size_t n)
|
||||||
{
|
{
|
||||||
register grub_size_t counter = 0;
|
register grub_size_t counter = 0;
|
||||||
grub_uint8_t *pa, *pb;
|
const grub_uint8_t *pa, *pb;
|
||||||
|
|
||||||
for (pa = a, pb = b; n; pa++, pb++, n--)
|
for (pa = a, pb = b; n; pa++, pb++, n--)
|
||||||
{
|
{
|
||||||
|
@ -385,3 +386,44 @@ grub_crypto_memcmp (void *a, void *b, grub_size_t n)
|
||||||
|
|
||||||
return !!counter;
|
return !!counter;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifndef GRUB_MKPASSWD
|
||||||
|
int
|
||||||
|
grub_password_get (char buf[], unsigned buf_size)
|
||||||
|
{
|
||||||
|
unsigned cur_len = 0;
|
||||||
|
int key;
|
||||||
|
|
||||||
|
while (1)
|
||||||
|
{
|
||||||
|
key = GRUB_TERM_ASCII_CHAR (grub_getkey ());
|
||||||
|
if (key == '\n' || key == '\r')
|
||||||
|
break;
|
||||||
|
|
||||||
|
if (key == '\e')
|
||||||
|
{
|
||||||
|
cur_len = 0;
|
||||||
|
break;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (key == '\b')
|
||||||
|
{
|
||||||
|
cur_len--;
|
||||||
|
continue;
|
||||||
|
}
|
||||||
|
|
||||||
|
if (!grub_isprint (key))
|
||||||
|
continue;
|
||||||
|
|
||||||
|
if (cur_len + 2 < buf_size)
|
||||||
|
buf[cur_len++] = key;
|
||||||
|
}
|
||||||
|
|
||||||
|
grub_memset (buf + cur_len, 0, buf_size - cur_len);
|
||||||
|
|
||||||
|
grub_putchar ('\n');
|
||||||
|
grub_refresh ();
|
||||||
|
|
||||||
|
return (key != '\e');
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
|
@ -160,6 +160,7 @@ grub_auth_check_authentication (const char *userlist)
|
||||||
struct grub_auth_user *cur = NULL;
|
struct grub_auth_user *cur = NULL;
|
||||||
grub_err_t err;
|
grub_err_t err;
|
||||||
static unsigned long punishment_delay = 1;
|
static unsigned long punishment_delay = 1;
|
||||||
|
char entered[GRUB_AUTH_MAX_PASSLEN];
|
||||||
|
|
||||||
auto int hook (grub_list_t item);
|
auto int hook (grub_list_t item);
|
||||||
int hook (grub_list_t item)
|
int hook (grub_list_t item)
|
||||||
|
@ -189,22 +190,17 @@ grub_auth_check_authentication (const char *userlist)
|
||||||
0, 0, 0))
|
0, 0, 0))
|
||||||
goto access_denied;
|
goto access_denied;
|
||||||
|
|
||||||
|
grub_printf ("Enter password: ");
|
||||||
|
|
||||||
|
if (!grub_password_get (entered, GRUB_AUTH_MAX_PASSLEN))
|
||||||
|
goto access_denied;
|
||||||
|
|
||||||
grub_list_iterate (GRUB_AS_LIST (users), hook);
|
grub_list_iterate (GRUB_AS_LIST (users), hook);
|
||||||
|
|
||||||
if (!cur || ! cur->callback)
|
if (!cur || ! cur->callback)
|
||||||
{
|
goto access_denied;
|
||||||
grub_list_iterate (GRUB_AS_LIST (users), hook_any);
|
|
||||||
|
|
||||||
/* No users present at all. */
|
err = cur->callback (login, entered, cur->arg);
|
||||||
if (!cur)
|
|
||||||
goto access_denied;
|
|
||||||
|
|
||||||
/* Display any of available authentication schemes. */
|
|
||||||
err = cur->callback (login, 0);
|
|
||||||
|
|
||||||
goto access_denied;
|
|
||||||
}
|
|
||||||
err = cur->callback (login, cur->arg);
|
|
||||||
if (is_authenticated (userlist))
|
if (is_authenticated (userlist))
|
||||||
{
|
{
|
||||||
punishment_delay = 1;
|
punishment_delay = 1;
|
||||||
|
|
Loading…
Reference in a new issue