/*
 *  GRUB  --  GRand Unified Bootloader
 *  Copyright (C) 2009  Free Software Foundation, Inc.
 *
 *  GRUB is free software: you can redistribute it and/or modify
 *  it under the terms of the GNU General Public License as published by
 *  the Free Software Foundation, either version 3 of the License, or
 *  (at your option) any later version.
 *
 *  GRUB is distributed in the hope that it will be useful,
 *  but WITHOUT ANY WARRANTY; without even the implied warranty of
 *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 *  GNU General Public License for more details.
 *
 *  You should have received a copy of the GNU General Public License
 *  along with GRUB.  If not, see <http://www.gnu.org/licenses/>.
 */

#include <grub/auth.h>
#include <grub/crypto.h>
#include <grub/list.h>
#include <grub/mm.h>
#include <grub/misc.h>
#include <grub/env.h>
#include <grub/normal.h>
#include <grub/dl.h>
#include <grub/i18n.h>

static grub_dl_t my_mod;

struct pbkdf2_password
{
  grub_uint8_t *salt;
  grub_size_t saltlen;
  unsigned int c;
  grub_uint8_t *expected;
  grub_size_t buflen;
};

static grub_err_t
check_password (const char *user, const char *entered, void *pin)
{
  grub_uint8_t *buf;
  struct pbkdf2_password *pass = pin;
  gcry_err_code_t err;

  buf = grub_malloc (pass->buflen);
  if (!buf)
    return grub_crypto_gcry_error (GPG_ERR_OUT_OF_MEMORY);

  err = grub_crypto_pbkdf2 (GRUB_MD_SHA512, (grub_uint8_t *) entered,
			    grub_strlen (entered),
			    pass->salt, pass->saltlen, pass->c,
			    buf, pass->buflen);
  if (err)
    {
      grub_free (buf);
      return grub_crypto_gcry_error (err);
    }

  if (grub_crypto_memcmp (buf, pass->expected, pass->buflen) != 0)
    return GRUB_ACCESS_DENIED;

  grub_auth_authenticate (user);

  return GRUB_ERR_NONE;
}

static inline int
hex2val (char hex)
{
  if ('0' <= hex && hex <= '9')
    return hex - '0';
  if ('a' <= hex && hex <= 'f')
    return hex - 'a' + 10;
  if ('A' <= hex && hex <= 'F')
    return hex - 'A' + 10;
  return -1;
}

static grub_err_t
grub_cmd_password (grub_command_t cmd __attribute__ ((unused)),
		   int argc, char **args)
{
  grub_err_t err;
  char *ptr, *ptr2;
  grub_uint8_t *ptro;
  struct pbkdf2_password *pass;

  if (argc != 2)
    return grub_error (GRUB_ERR_BAD_ARGUMENT, "Two arguments expected.");

  if (grub_memcmp (args[1], "grub.pbkdf2.sha512.",
		   sizeof ("grub.pbkdf2.sha512.") - 1) != 0)
    return grub_error (GRUB_ERR_BAD_ARGUMENT, "Incorrect PBKDF2 password.");

  ptr = args[1] + sizeof ("grub.pbkdf2.sha512.") - 1;

  pass = grub_malloc (sizeof (*pass));
  if (!pass)
    return grub_errno;

  pass->c = grub_strtoul (ptr, &ptr, 0);
  if (*ptr != '.')
    {
      grub_free (pass);
      return grub_error (GRUB_ERR_BAD_ARGUMENT, "Incorrect PBKDF2 password.");
    }
  ptr++;

  ptr2 = grub_strchr (ptr, '.');
  if (!ptr2 || ((ptr2 - ptr) & 1) || grub_strlen (ptr2 + 1) & 1)
    {
      grub_free (pass);
      return grub_error (GRUB_ERR_BAD_ARGUMENT, "Incorrect PBKDF2 password.");
    }

  pass->saltlen = (ptr2 - ptr) >> 1;
  pass->buflen = grub_strlen (ptr2 + 1) >> 1;
  ptro = pass->salt = grub_malloc (pass->saltlen);
  if (!ptro)
    {
      grub_free (pass);
      return grub_errno;
    }
  while (ptr < ptr2)
    {
      int hex1, hex2;
      hex1 = hex2val (*ptr);
      ptr++;
      hex2 = hex2val (*ptr);
      ptr++;
      if (hex1 < 0 || hex2 < 0)
	{
	  grub_free (pass->salt);
	  grub_free (pass);
	  return grub_error (GRUB_ERR_BAD_ARGUMENT,
			     "Incorrect PBKDF2 password.");
	}

      *ptro = (hex1 << 4) | hex2;
      ptro++;
    }

  ptro = pass->expected = grub_malloc (pass->buflen);
  if (!ptro)
    {
      grub_free (pass->salt);
      grub_free (pass);
      return grub_errno;
    }
  ptr = ptr2 + 1;
  ptr2 += grub_strlen (ptr2); 
  while (ptr < ptr2)
    {
      int hex1, hex2;
      hex1 = hex2val (*ptr);
      ptr++;
      hex2 = hex2val (*ptr);
      ptr++;
      if (hex1 < 0 || hex2 < 0)
	{
	  grub_free (pass->expected);
	  grub_free (pass->salt);
	  grub_free (pass);
	  return grub_error (GRUB_ERR_BAD_ARGUMENT,
			     "Incorrect PBKDF2 password.");
	}

      *ptro = (hex1 << 4) | hex2;
      ptro++;
    }

  err = grub_auth_register_authentication (args[0], check_password, pass);
  if (err)
    {
      grub_free (pass);
      return err;
    }
  grub_dl_ref (my_mod);
  return GRUB_ERR_NONE;
}

static grub_command_t cmd;

GRUB_MOD_INIT(password_pbkdf2)
{
  my_mod = mod;
  cmd = grub_register_command ("password_pbkdf2", grub_cmd_password,
			       N_("USER PBKDF2_PASSWORD"),
			       N_("Set user password (PBKDF2). "));
}

GRUB_MOD_FINI(password_pbkdf2)
{
  grub_unregister_command (cmd);
}