
Hi Steffen,
On Mon, 26 Apr 2021 at 05:19, Steffen Jaeckel jaeckel-floss@eyet-services.de wrote:
Add the basic functionality required to support the standard crypt format. The files crypt-sha256.c and crypt-sha512.c originate from libxcrypt and their formatting is therefore retained. The integration is done via a crypt_compare() function in crypt.c.
libxcrypt $ git describe --long --always --all tags/v4.4.17-0-g6b110bc
Signed-off-by: Steffen Jaeckel jaeckel-floss@eyet-services.de
Changes in v1: Added unit-tests of crypt_compare() Wrapped crypt functions to encapsulate errno
include/crypt.h | 13 ++ lib/Kconfig | 1 + lib/Makefile | 1 + lib/crypt/Kconfig | 29 ++++ lib/crypt/Makefile | 10 ++ lib/crypt/alg-sha256.h | 17 ++ lib/crypt/alg-sha512.h | 17 ++ lib/crypt/crypt-port.h | 28 ++++ lib/crypt/crypt-sha256.c | 313 +++++++++++++++++++++++++++++++++++++ lib/crypt/crypt-sha512.c | 328 +++++++++++++++++++++++++++++++++++++++ lib/crypt/crypt.c | 73 +++++++++ test/Kconfig | 9 ++ test/lib/Makefile | 1 + test/lib/test_crypt.c | 44 ++++++ 14 files changed, 884 insertions(+) create mode 100644 include/crypt.h create mode 100644 lib/crypt/Kconfig create mode 100644 lib/crypt/Makefile create mode 100644 lib/crypt/alg-sha256.h create mode 100644 lib/crypt/alg-sha512.h create mode 100644 lib/crypt/crypt-port.h create mode 100644 lib/crypt/crypt-sha256.c create mode 100644 lib/crypt/crypt-sha512.c create mode 100644 lib/crypt/crypt.c create mode 100644 test/lib/test_crypt.c
Reviewed-by: Simon Glass sjg@chromium.org
nits below
diff --git a/include/crypt.h b/include/crypt.h
new file mode 100644
index 0000000000..e0be2832ff
--- /dev/null
+++ b/include/crypt.h
@@ -0,0 +1,13 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/* Copyright (C) 2020 Steffen Jaeckel jaeckel-floss@eyet-services.de */
+/**
- Compare should with the processed passphrase.
- @should The crypt-style string to compare against
- @passphrase The plaintext passphrase
- @equal Pointer to an int where the result is stored
'0' = unequal
'1' = equal
Can this be a return value from the function? true/false
- */
+void crypt_compare(const char *should, const char *passphrase, int *equal);
diff --git a/lib/Kconfig b/lib/Kconfig
index 6d2d41de30..c7c0b87ec7 100644
--- a/lib/Kconfig
+++ b/lib/Kconfig
@@ -297,6 +297,7 @@ config AES
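Review bot: The header does not say what `*equal` holds when `should` cannot be parsed or names an algorithm that is not compiled in, yet this value gates the console unlock, so the contract should be spelled out as fail-closed: `@equal Set to 1 only if hashing @passphrase reproduces @should; 0 on mismatch and on any parse or unsupported-algorithm error`. Whether the final comparison in crypt.c is constant-time is not visible in this hunk; if it ends in strcmp()/memcmp(), state that in this comment so callers do not assume timing safety. include/crypt.h also has no include guard; wrap the declaration in `#ifndef _CRYPT_H` / `#define _CRYPT_H` / `#endif` like the other headers in include/.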
source lib/rsa/Kconfig
source lib/crypto/Kconfig
+source lib/crypt/Kconfig
config TPM
bool "Trusted Platform Module (TPM) Support"
diff --git a/lib/Makefile b/lib/Makefile
index 6825671955..f0d91986b1 100644
--- a/lib/Makefile
+++ b/lib/Makefile
@@ -65,6 +65,7 @@ obj-$(CONFIG_FIT_SIGNATURE) += hash-checksum.o
obj-$(CONFIG_SHA1) += sha1.o
obj-$(CONFIG_SHA256) += sha256.o
obj-$(CONFIG_SHA512_ALGO) += sha512.o
+obj-$(CONFIG_CRYPT_PW) += crypt/
obj-$(CONFIG_$(SPL_)ZLIB) += zlib/
obj-$(CONFIG_$(SPL_)ZSTD) += zstd/
diff --git a/lib/crypt/Kconfig b/lib/crypt/Kconfig
new file mode 100644
index 0000000000..6f828cefd6
--- /dev/null
+++ b/lib/crypt/Kconfig
@@ -0,0 +1,29 @@
+config CRYPT_PW
bool "Add crypt support for password-based unlock"
help
Enable support for crypt-style hashed passphrases.
This will then be used as the mechanism of choice to
verify whether the entered password to unlock the
console is correct or not.
To make it fully functional, one has also to enable
CONFIG_AUTOBOOT_KEYED and CONFIG_AUTOBOOT_ENCRYPTION
So should CRYPT_PW depend on one or both of those?
+if CRYPT_PW
+config CRYPT_PW_SHA256
bool "Provide sha256crypt"
select SHA256
select SHA256_ALGO
help
Enables support for the sha256crypt password-hashing algorithm.
The prefix is "$5$".
+config CRYPT_PW_SHA512
bool "Provide sha512crypt"
select SHA512
select SHA512_ALGO
help
Enables support for the sha512crypt password-hashing algorithm.
The prefix is "$6$".
+endif
diff --git a/lib/crypt/Makefile b/lib/crypt/Makefile
new file mode 100644
index 0000000000..290231064c
--- /dev/null
+++ b/lib/crypt/Makefile
@@ -0,0 +1,10 @@
+# SPDX-License-Identifier: GPL-2.0+
+#
+# Copyright (c) 2013, Google Inc.
+#
+# (C) Copyright 2000-2007
+# Wolfgang Denk, DENX Software Engineering, wd@denx.de.
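Review bot: Neither CRYPT_PW_SHA256 nor CRYPT_PW_SHA512 carries a default, so CRYPT_PW can be switched on with no algorithm compiled in, and every stored `$5$`/`$6$` setting will then fail to verify at the unlock prompt with no build-time hint why. Give one of them `default y` (sha512crypt is the stronger choice of the two) or add to the CRYPT_PW help text: `At least one of CRYPT_PW_SHA256 / CRYPT_PW_SHA512 must be enabled, otherwise no stored hash can be verified.` Also, lib/Makefile builds sha256.o from CONFIG_SHA256 alone while this file additionally selects SHA256_ALGO; whether that symbol exists is not visible here, so confirm the `select` resolves rather than being silently ignored.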
+obj-$(CONFIG_CRYPT_PW) += crypt.o
+obj-$(CONFIG_CRYPT_PW_SHA256) += crypt-sha256.o
+obj-$(CONFIG_CRYPT_PW_SHA512) += crypt-sha512.o
diff --git a/lib/crypt/alg-sha256.h b/lib/crypt/alg-sha256.h
new file mode 100644
index 0000000000..e4b29c9f31
--- /dev/null
+++ b/lib/crypt/alg-sha256.h
@@ -0,0 +1,17 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/* Copyright (C) 2020 Steffen Jaeckel jaeckel-floss@eyet-services.de */
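Review bot: The notices `# Copyright (c) 2013, Google Inc.` and `# (C) Copyright 2000-2007 / Wolfgang Denk` sit on a brand-new three-rule Makefile and look copied from another lib/ Makefile rather than describing its origin. Unless those lines genuinely derive from that code, replace them with the `Copyright (C) 2020 Steffen Jaeckel` notice used by the other new files in this series so the attribution matches the SPDX header.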
+#ifndef USE_HOSTCC
+#include "common.h"
+#else
+#include <string.h>
+#endif
+#include "u-boot/sha256.h"
+#define INCLUDE_sha256crypt 1
+#define SHA256_CTX sha256_context
+#define SHA256_Init sha256_starts
+#define SHA256_Update(c, i, l) sha256_update(c, (const void *)i, l)
+#define SHA256_Final(b, c) sha256_finish(c, b)
diff --git a/lib/crypt/alg-sha512.h b/lib/crypt/alg-sha512.h
new file mode 100644
index 0000000000..93b6109fae
--- /dev/null
+++ b/lib/crypt/alg-sha512.h
@@ -0,0 +1,17 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/* Copyright (C) 2020 Steffen Jaeckel jaeckel-floss@eyet-services.de */
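Review bot: In `SHA256_Update(c, i, l)` the cast is applied to the bare macro argument, so `(const void *)i` binds only to the first token if a caller passes a compound expression such as `buf + off`, silently casting the wrong operand. Parenthesize every argument: `#define SHA256_Update(c, i, l) sha256_update((c), (const void *)(i), (l))` and `#define SHA256_Final(b, c) sha256_finish((c), (b))`. A one-line comment on why the cast is needed (presumably sha256_update() takes a non-void pointer type — confirm against u-boot/sha256.h) would save the next reader a trip into the hash header.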
+#ifndef USE_HOSTCC
+#include "common.h"
+#else
+#include <string.h>
+#endif
+#include "u-boot/sha512.h"
+#define INCLUDE_sha512crypt 1
+#define SHA512_CTX sha512_context
+#define SHA512_Init sha512_starts
+#define SHA512_Update(c, i, l) sha512_update(c, (const void *)i, l)
+#define SHA512_Final(b, c) sha512_finish(c, b)
diff --git a/lib/crypt/crypt-port.h b/lib/crypt/crypt-port.h
new file mode 100644
index 0000000000..680ffe9349
--- /dev/null
+++ b/lib/crypt/crypt-port.h
@@ -0,0 +1,28 @@
+/* SPDX-License-Identifier: GPL-2.0+ */
+/* Copyright (C) 2020 Steffen Jaeckel jaeckel-floss@eyet-services.de */
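Review bot: Same macro-hygiene issue as alg-sha256.h: `(const void *)i` in `SHA512_Update` casts only the first token of a compound argument. Use `#define SHA512_Update(c, i, l) sha512_update((c), (const void *)(i), (l))` and `#define SHA512_Final(b, c) sha512_finish((c), (b))` so both headers are safe for any argument expression.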
+#include <linux/types.h>
+#include <vsprintf.h>
+#define NO_GENSALT
+#define CRYPT_OUTPUT_SIZE 384
+#define ALG_SPECIFIC_SIZE 8192
+#define ARG_UNUSED(x) (x)
+#define static_assert(a, b) _Static_assert(a, b)
+#define strtoul(cp, endp, base) simple_strtoul(cp, endp, base)
+extern const unsigned char ascii64[65];
+#define b64t ((const char *)ascii64)
+void crypt_sha256crypt_rn(const char *phrase, size_t phr_size,
const char *setting, size_t ARG_UNUSED(set_size),
uint8_t *output, size_t out_size, void *scratch,
size_t scr_size);
+void crypt_sha512crypt_rn(const char *phrase, size_t phr_size,
const char *setting, size_t ARG_UNUSED(set_size),
uint8_t *output, size_t out_size, void *scratch,
size_t scr_size);
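Review bot: `#define strtoul(cp, endp, base) simple_strtoul(cp, endp, base)` swaps in a parser whose overflow behaviour differs from C strtoul(): simple_strtoul() does not report ERANGE through errno, so an oversized value in a setting string (libxcrypt's `rounds=` parameter, parsed in crypt-sha256.c/crypt-sha512.c outside this hunk) wraps silently instead of being rejected. Confirm the explicit ROUNDS_MIN/ROUNDS_MAX range check from libxcrypt survives the port, since that check alone is what now bounds the work factor, and document the difference at the macro: `/* simple_strtoul() never sets errno; callers must range-check the result */`. Parenthesize the macro arguments as well, `simple_strtoul((cp), (endp), (base))`.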
diff --git a/lib/crypt/crypt-sha256.c b/lib/crypt/crypt-sha256.c
new file mode 100644
index 0000000000..37127d41e1
--- /dev/null
+++ b/lib/crypt/crypt-sha256.c
@@ -0,0 +1,313 @@
+/* One way encryption based on the SHA256-based Unix crypt implementation.
- Written by Ulrich Drepper <drepper at redhat.com> in 2007 [1].
- Modified by Zack Weinberg <zackw at panix.com> in 2017, 2018.
- Composed by Björn Esser <besser82 at fedoraproject.org> in 2018.
- Modified by Björn Esser <besser82 at fedoraproject.org> in 2020.
- Modified by Steffen Jaeckel <jaeckel-floss at eyet-services.de> in 2020.
- To the extent possible under law, the named authors have waived all
- copyright and related or neighboring rights to this work.
- See https://creativecommons.org/publicdomain/zero/1.0/ for further
- details.
- This file is a modified except from [2], lines 648 up to 909.
Can you add SPDX to the new files?
[..]