Re: [PATCH 1/5] lib: add crypt subsystem
Hi Steffen, On Wed, 21 Apr 2021 at 20:21, Steffen Jaeckel wrote: > > Hi Simon, > > thanks for taking the time to review. > > On 4/21/21 9:14 AM, Simon Glass wrote: > > On Tue, 13 Apr 2021 at 10:16, Steffen Jaeckel > > wrote: > >> > >> Add the basic functionality required to support the standard crypt > >> format. > >> The files crypt-sha256.c and crypt-sha512.c originate from libxcrypt and > >> their formatting is therefor retained. > >> The integration is done via a crypt_compare() function in crypt.c. > >> > >> ``` > >> libxcrypt $ git describe --long --always --all > >> tags/v4.4.17-0-g6b110bc > >> ``` > >> > >> Signed-off-by: Steffen Jaeckel > >> --- > >> > >> include/crypt.h | 13 ++ > >> lib/Kconfig | 1 + > >> lib/Makefile | 1 + > >> lib/crypt/Kconfig| 29 > >> lib/crypt/Makefile | 10 ++ > >> lib/crypt/alg-sha256.h | 17 ++ > >> lib/crypt/alg-sha512.h | 17 ++ > >> lib/crypt/crypt-port.h | 28 > >> lib/crypt/crypt-sha256.c | 313 + > >> lib/crypt/crypt-sha512.c | 328 +++ > >> lib/crypt/crypt.c| 73 + > >> 11 files changed, 830 insertions(+) > >> create mode 100644 include/crypt.h > >> create mode 100644 lib/crypt/Kconfig > >> create mode 100644 lib/crypt/Makefile > >> create mode 100644 lib/crypt/alg-sha256.h > >> create mode 100644 lib/crypt/alg-sha512.h > >> create mode 100644 lib/crypt/crypt-port.h > >> create mode 100644 lib/crypt/crypt-sha256.c > >> create mode 100644 lib/crypt/crypt-sha512.c > >> create mode 100644 lib/crypt/crypt.c > > > > This seems to use errno - is that necessary? Also are there any simple > > unit tests we could usefully bring over? > > Regarding errno - that's the way how libxcrypt works internally, I'm not > sure whether we should really touch this ... the default crypt_alg_rn() > function has a void return type, so either we have to keep using errno > or we have to change the return type... Well you could add a wrapper function for U-Boot which returns errno, then make errno a static int in the library. > > Regarding unit tests - good idea, I'll have a look. Regards, Simon
Re: [PATCH 1/5] lib: add crypt subsystem
Hi Simon, thanks for taking the time to review. On 4/21/21 9:14 AM, Simon Glass wrote: > On Tue, 13 Apr 2021 at 10:16, Steffen Jaeckel > wrote: >> >> Add the basic functionality required to support the standard crypt >> format. >> The files crypt-sha256.c and crypt-sha512.c originate from libxcrypt and >> their formatting is therefor retained. >> The integration is done via a crypt_compare() function in crypt.c. >> >> ``` >> libxcrypt $ git describe --long --always --all >> tags/v4.4.17-0-g6b110bc >> ``` >> >> Signed-off-by: Steffen Jaeckel >> --- >> >> include/crypt.h | 13 ++ >> lib/Kconfig | 1 + >> lib/Makefile | 1 + >> lib/crypt/Kconfig| 29 >> lib/crypt/Makefile | 10 ++ >> lib/crypt/alg-sha256.h | 17 ++ >> lib/crypt/alg-sha512.h | 17 ++ >> lib/crypt/crypt-port.h | 28 >> lib/crypt/crypt-sha256.c | 313 + >> lib/crypt/crypt-sha512.c | 328 +++ >> lib/crypt/crypt.c| 73 + >> 11 files changed, 830 insertions(+) >> create mode 100644 include/crypt.h >> create mode 100644 lib/crypt/Kconfig >> create mode 100644 lib/crypt/Makefile >> create mode 100644 lib/crypt/alg-sha256.h >> create mode 100644 lib/crypt/alg-sha512.h >> create mode 100644 lib/crypt/crypt-port.h >> create mode 100644 lib/crypt/crypt-sha256.c >> create mode 100644 lib/crypt/crypt-sha512.c >> create mode 100644 lib/crypt/crypt.c > > This seems to use errno - is that necessary? Also are there any simple > unit tests we could usefully bring over? Regarding errno - that's the way how libxcrypt works internally, I'm not sure whether we should really touch this ... the default crypt_alg_rn() function has a void return type, so either we have to keep using errno or we have to change the return type... Regarding unit tests - good idea, I'll have a look.
Re: [PATCH 1/5] lib: add crypt subsystem
On Tue, 13 Apr 2021 at 10:16, Steffen Jaeckel wrote: > > Add the basic functionality required to support the standard crypt > format. > The files crypt-sha256.c and crypt-sha512.c originate from libxcrypt and > their formatting is therefor retained. > The integration is done via a crypt_compare() function in crypt.c. > > ``` > libxcrypt $ git describe --long --always --all > tags/v4.4.17-0-g6b110bc > ``` > > Signed-off-by: Steffen Jaeckel > --- > > include/crypt.h | 13 ++ > lib/Kconfig | 1 + > lib/Makefile | 1 + > lib/crypt/Kconfig| 29 > lib/crypt/Makefile | 10 ++ > lib/crypt/alg-sha256.h | 17 ++ > lib/crypt/alg-sha512.h | 17 ++ > lib/crypt/crypt-port.h | 28 > lib/crypt/crypt-sha256.c | 313 + > lib/crypt/crypt-sha512.c | 328 +++ > lib/crypt/crypt.c| 73 + > 11 files changed, 830 insertions(+) > create mode 100644 include/crypt.h > create mode 100644 lib/crypt/Kconfig > create mode 100644 lib/crypt/Makefile > create mode 100644 lib/crypt/alg-sha256.h > create mode 100644 lib/crypt/alg-sha512.h > create mode 100644 lib/crypt/crypt-port.h > create mode 100644 lib/crypt/crypt-sha256.c > create mode 100644 lib/crypt/crypt-sha512.c > create mode 100644 lib/crypt/crypt.c This seems to use errno - is that necessary? Also are there any simple unit tests we could usefully bring over? Regards, Simon
[PATCH 1/5] lib: add crypt subsystem
Add the basic functionality required to support the standard crypt format. The files crypt-sha256.c and crypt-sha512.c originate from libxcrypt and their formatting is therefor retained. The integration is done via a crypt_compare() function in crypt.c. ``` libxcrypt $ git describe --long --always --all tags/v4.4.17-0-g6b110bc ``` Signed-off-by: Steffen Jaeckel --- include/crypt.h | 13 ++ lib/Kconfig | 1 + lib/Makefile | 1 + lib/crypt/Kconfig| 29 lib/crypt/Makefile | 10 ++ lib/crypt/alg-sha256.h | 17 ++ lib/crypt/alg-sha512.h | 17 ++ lib/crypt/crypt-port.h | 28 lib/crypt/crypt-sha256.c | 313 + lib/crypt/crypt-sha512.c | 328 +++ lib/crypt/crypt.c| 73 + 11 files changed, 830 insertions(+) create mode 100644 include/crypt.h create mode 100644 lib/crypt/Kconfig create mode 100644 lib/crypt/Makefile create mode 100644 lib/crypt/alg-sha256.h create mode 100644 lib/crypt/alg-sha512.h create mode 100644 lib/crypt/crypt-port.h create mode 100644 lib/crypt/crypt-sha256.c create mode 100644 lib/crypt/crypt-sha512.c create mode 100644 lib/crypt/crypt.c diff --git a/include/crypt.h b/include/crypt.h new file mode 100644 index 00..e0be2832ff --- /dev/null +++ b/include/crypt.h @@ -0,0 +1,13 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* Copyright (C) 2020 Steffen Jaeckel */ + +/** + * Compare should with the processed passphrase. + * + * @should The crypt-style string to compare against + * @passphrase The plaintext passphrase + * @equal Pointer to an int where the result is stored + * '0' = unequal + * '1' = equal + */ +void crypt_compare(const char *should, const char *passphrase, int *equal); diff --git a/lib/Kconfig b/lib/Kconfig index 80ff2443cb..99a4e1a5a7 100644 --- a/lib/Kconfig +++ b/lib/Kconfig @@ -297,6 +297,7 @@ config AES source lib/rsa/Kconfig source lib/crypto/Kconfig +source lib/crypt/Kconfig config TPM bool "Trusted Platform Module (TPM) Support" diff --git a/lib/Makefile b/lib/Makefile index c42d4e1233..ab78f32eb1 100644 --- a/lib/Makefile +++ b/lib/Makefile @@ -64,6 +64,7 @@ obj-$(CONFIG_$(SPL_)RSA) += rsa/ obj-$(CONFIG_SHA1) += sha1.o obj-$(CONFIG_SHA256) += sha256.o obj-$(CONFIG_SHA512_ALGO) += sha512.o +obj-$(CONFIG_CRYPT_PW) += crypt/ obj-$(CONFIG_$(SPL_)ZLIB) += zlib/ obj-$(CONFIG_$(SPL_)ZSTD) += zstd/ diff --git a/lib/crypt/Kconfig b/lib/crypt/Kconfig new file mode 100644 index 00..6f828cefd6 --- /dev/null +++ b/lib/crypt/Kconfig @@ -0,0 +1,29 @@ +config CRYPT_PW + bool "Add crypt support for password-based unlock" + help + Enable support for crypt-style hashed passphrases. + This will then be used as the mechanism of choice to + verify whether the entered password to unlock the + console is correct or not. + To make it fully functional, one has also to enable + CONFIG_AUTOBOOT_KEYED and CONFIG_AUTOBOOT_ENCRYPTION + +if CRYPT_PW + +config CRYPT_PW_SHA256 + bool "Provide sha256crypt" + select SHA256 + select SHA256_ALGO + help + Enables support for the sha256crypt password-hashing algorithm. + The prefix is "$5$". + +config CRYPT_PW_SHA512 + bool "Provide sha512crypt" + select SHA512 + select SHA512_ALGO + help + Enables support for the sha512crypt password-hashing algorithm. + The prefix is "$6$". + +endif diff --git a/lib/crypt/Makefile b/lib/crypt/Makefile new file mode 100644 index 00..290231064c --- /dev/null +++ b/lib/crypt/Makefile @@ -0,0 +1,10 @@ +# SPDX-License-Identifier: GPL-2.0+ +# +# Copyright (c) 2013, Google Inc. +# +# (C) Copyright 2000-2007 +# Wolfgang Denk, DENX Software Engineering, w...@denx.de. + +obj-$(CONFIG_CRYPT_PW) += crypt.o +obj-$(CONFIG_CRYPT_PW_SHA256) += crypt-sha256.o +obj-$(CONFIG_CRYPT_PW_SHA512) += crypt-sha512.o diff --git a/lib/crypt/alg-sha256.h b/lib/crypt/alg-sha256.h new file mode 100644 index 00..e4b29c9f31 --- /dev/null +++ b/lib/crypt/alg-sha256.h @@ -0,0 +1,17 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* Copyright (C) 2020 Steffen Jaeckel */ + +#ifndef USE_HOSTCC +#include "common.h" +#else +#include +#endif + +#include "u-boot/sha256.h" + +#define INCLUDE_sha256crypt 1 + +#define SHA256_CTX sha256_context +#define SHA256_Init sha256_starts +#define SHA256_Update(c, i, l) sha256_update(c, (const void *)i, l) +#define SHA256_Final(b, c) sha256_finish(c, b) diff --git a/lib/crypt/alg-sha512.h b/lib/crypt/alg-sha512.h new file mode 100644 index 00..93b6109fae --- /dev/null +++ b/lib/crypt/alg-sha512.h @@ -0,0 +1,17 @@ +/* SPDX-License-Identifier: GPL-2.0+ */ +/* Copyright (C) 2020 Steffen Jaeckel */ + +#ifndef USE_HOSTCC +#include "common.h" +#else +#include +#endif + +#include "u-boot/sha512.h" + +#define