/* * GRUB -- GRand Unified Bootloader * Copyright (C) 2009 Free Software Foundation, Inc. * * GRUB is free software: you can redistribute it and/or modify * it under the terms of the GNU General Public License as published by * the Free Software Foundation, either version 3 of the License, or * (at your option) any later version. * * GRUB is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with GRUB. If not, see . */ #include #include #include #include #include #include #include #include #include GRUB_MOD_LICENSE ("GPLv3+"); static grub_dl_t my_mod; struct pbkdf2_password { grub_uint8_t *salt; grub_size_t saltlen; unsigned int c; grub_uint8_t *expected; grub_size_t buflen; }; static grub_err_t check_password (const char *user, const char *entered, void *pin) { grub_uint8_t *buf; struct pbkdf2_password *pass = pin; gcry_err_code_t err; buf = grub_malloc (pass->buflen); if (!buf) return grub_crypto_gcry_error (GPG_ERR_OUT_OF_MEMORY); err = grub_crypto_pbkdf2 (GRUB_MD_SHA512, (grub_uint8_t *) entered, grub_strlen (entered), pass->salt, pass->saltlen, pass->c, buf, pass->buflen); if (err) { grub_free (buf); return grub_crypto_gcry_error (err); } if (grub_crypto_memcmp (buf, pass->expected, pass->buflen) != 0) return GRUB_ACCESS_DENIED; grub_auth_authenticate (user); return GRUB_ERR_NONE; } static inline int hex2val (char hex) { if ('0' <= hex && hex <= '9') return hex - '0'; if ('a' <= hex && hex <= 'f') return hex - 'a' + 10; if ('A' <= hex && hex <= 'F') return hex - 'A' + 10; return -1; } static grub_err_t grub_cmd_password (grub_command_t cmd __attribute__ ((unused)), int argc, char **args) { grub_err_t err; char *ptr, *ptr2; grub_uint8_t *ptro; struct pbkdf2_password *pass; if (argc != 2) return grub_error (GRUB_ERR_BAD_ARGUMENT, N_("two arguments expected")); if (grub_memcmp (args[1], "grub.pbkdf2.sha512.", sizeof ("grub.pbkdf2.sha512.") - 1) != 0) return grub_error (GRUB_ERR_BAD_ARGUMENT, "incorrect PBKDF2 password"); ptr = args[1] + sizeof ("grub.pbkdf2.sha512.") - 1; pass = grub_malloc (sizeof (*pass)); if (!pass) return grub_errno; pass->c = grub_strtoul (ptr, &ptr, 0); if (*ptr != '.') { grub_free (pass); return grub_error (GRUB_ERR_BAD_ARGUMENT, "incorrect PBKDF2 password"); } ptr++; ptr2 = grub_strchr (ptr, '.'); if (!ptr2 || ((ptr2 - ptr) & 1) || grub_strlen (ptr2 + 1) & 1) { grub_free (pass); return grub_error (GRUB_ERR_BAD_ARGUMENT, "incorrect PBKDF2 password"); } pass->saltlen = (ptr2 - ptr) >> 1; pass->buflen = grub_strlen (ptr2 + 1) >> 1; ptro = pass->salt = grub_malloc (pass->saltlen); if (!ptro) { grub_free (pass); return grub_errno; } while (ptr < ptr2) { int hex1, hex2; hex1 = hex2val (*ptr); ptr++; hex2 = hex2val (*ptr); ptr++; if (hex1 < 0 || hex2 < 0) { grub_free (pass->salt); grub_free (pass); return grub_error (GRUB_ERR_BAD_ARGUMENT, "incorrect PBKDF2 password"); } *ptro = (hex1 << 4) | hex2; ptro++; } ptro = pass->expected = grub_malloc (pass->buflen); if (!ptro) { grub_free (pass->salt); grub_free (pass); return grub_errno; } ptr = ptr2 + 1; ptr2 += grub_strlen (ptr2); while (ptr < ptr2) { int hex1, hex2; hex1 = hex2val (*ptr); ptr++; hex2 = hex2val (*ptr); ptr++; if (hex1 < 0 || hex2 < 0) { grub_free (pass->expected); grub_free (pass->salt); grub_free (pass); return grub_error (GRUB_ERR_BAD_ARGUMENT, "incorrect PBKDF2 password"); } *ptro = (hex1 << 4) | hex2; ptro++; } err = grub_auth_register_authentication (args[0], check_password, pass); if (err) { grub_free (pass); return err; } grub_dl_ref (my_mod); return GRUB_ERR_NONE; } static grub_command_t cmd; GRUB_MOD_INIT(password_pbkdf2) { my_mod = mod; cmd = grub_register_command ("password_pbkdf2", grub_cmd_password, N_("USER PBKDF2_PASSWORD"), N_("Set user password (PBKDF2). ")); } GRUB_MOD_FINI(password_pbkdf2) { grub_unregister_command (cmd); }