pool/shim
SHA256
2
0
Fork 1
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
d7945289e5
shim/shim-mokmanager-new-pw-hash.patch

219 lines
6.9 KiB
Diff
Raw Normal View History

Accepting request 148684 from Base:System the preboot loader for UEFI secureboot OBS-URL: https://build.opensuse.org/request/show/148684 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/shim?expand=0&rev=1
2013-01-17 10:43:06 +01:00
From 6e816e3e0f8b2013c1bccd67ec27db10ccaabc67 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin <glin@suse.com>
Date: Tue, 15 Jan 2013 18:01:41 +0800
Subject: [PATCH 2/2] Support new password hash
Old password hash: sha256sum(key_list + password)
New password hash: salt + sha256sum(salt + password)
---
MokManager.c | 91 ++++++++++++++++++++++++++++++++++++++++++----------------
1 file changed, 67 insertions(+), 24 deletions(-)
diff --git a/MokManager.c b/MokManager.c
index 97588cb..be2a764 100644
--- a/MokManager.c
+++ b/MokManager.c
@@ -19,6 +19,9 @@
#define CERT_STRING L"Select an X509 certificate to enroll:\n\n"
#define HASH_STRING L"Select a file to trust:\n\n"
+#define SALT_LEN 16
+#define AUTH_LEN (SALT_LEN + SHA256_DIGEST_SIZE)
+
struct menu_item {
CHAR16 *text;
INTN (* callback)(void *data, void *data2, void *data3);
@@ -648,23 +651,30 @@ static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate)
{
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_STATUS efi_status;
- UINT8 auth[SHA256_DIGEST_SIZE];
- UINTN auth_size;
+ UINT8 data[AUTH_LEN], *auth, *salt;
+ UINTN auth_size = AUTH_LEN;
UINT32 attributes;
if (authenticate) {
- auth_size = SHA256_DIGEST_SIZE;
efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokAuth",
&shim_lock_guid,
- &attributes, &auth_size, auth);
+ &attributes, &auth_size, data);
- if (efi_status != EFI_SUCCESS || auth_size != SHA256_DIGEST_SIZE) {
+ if (efi_status != EFI_SUCCESS ||
+ (auth_size != SHA256_DIGEST_SIZE && auth_size != AUTH_LEN)) {
Print(L"Failed to get MokAuth %d\n", efi_status);
return efi_status;
}
- efi_status = match_password(MokNew, MokNewSize, auth, NULL);
+ if (auth_size == AUTH_LEN) {
+ salt = data;
+ auth = data + SALT_LEN;
+ efi_status = match_password(salt, SALT_LEN, auth, NULL);
+ } else {
+ auth = data;
+ efi_status = match_password(MokNew, MokNewSize, auth, NULL);
+ }
if (efi_status != EFI_SUCCESS)
return EFI_ACCESS_DENIED;
}
@@ -842,8 +852,8 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize)
{
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_STATUS efi_status;
- UINT8 auth[SHA256_DIGEST_SIZE];
- UINTN auth_size = SHA256_DIGEST_SIZE;
+ UINT8 data[AUTH_LEN], *auth, *salt;;
+ UINTN auth_size = AUTH_LEN;
UINT32 attributes;
void *MokListData = NULL;
UINTN MokListDataSize = 0;
@@ -853,14 +863,22 @@ static EFI_STATUS delete_keys (void *MokDel, UINTN MokDelSize)
efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokDelAuth",
&shim_lock_guid,
- &attributes, &auth_size, auth);
+ &attributes, &auth_size, data);
- if (efi_status != EFI_SUCCESS || auth_size != SHA256_DIGEST_SIZE) {
+ if (efi_status != EFI_SUCCESS ||
+ (auth_size != SHA256_DIGEST_SIZE && auth_size != AUTH_LEN)) {
Print(L"Failed to get MokDelAuth %d\n", efi_status);
return efi_status;
}
- efi_status = match_password(MokDel, MokDelSize, auth, NULL);
+ if (auth_size == AUTH_LEN) {
+ salt = data;
+ auth = data + SALT_LEN;
+ efi_status = match_password(salt, SALT_LEN, auth, NULL);
+ } else {
+ auth = data;
+ efi_status = match_password(MokDel, MokDelSize, auth, NULL);
+ }
if (efi_status != EFI_SUCCESS)
return EFI_ACCESS_DENIED;
@@ -1052,20 +1070,29 @@ static INTN mok_pw_prompt (void *MokPW, void *data2, void *data3) {
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_STATUS efi_status;
UINTN MokPWSize = (UINTN)data2;
- UINT8 hash[SHA256_DIGEST_SIZE];
+ UINT8 hash[AUTH_LEN], *auth, *salt;
+ UINT8 clear = 0;
UINT32 length;
CHAR16 line[1];
- if (MokPWSize != SHA256_DIGEST_SIZE) {
+ if (MokPWSize != SHA256_DIGEST_SIZE && MokPWSize != AUTH_LEN) {
Print(L"Invalid MokPW variable contents\n");
return -1;
}
uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut);
- SetMem(hash, SHA256_DIGEST_SIZE, 0);
+ SetMem(hash, AUTH_LEN, 0);
+
+ if (MokPWSize == AUTH_LEN) {
+ if (CompareMem(MokPW, hash, AUTH_LEN) == 0)
+ clear = 1;
+ } else {
+ if (CompareMem(MokPW, hash, SHA256_DIGEST_SIZE) == 0)
+ clear = 1;
+ }
- if (CompareMem(MokPW, hash, SHA256_DIGEST_SIZE) == 0) {
+ if (clear) {
Print(L"Clear MOK password? (y/n): ");
do {
@@ -1080,7 +1107,14 @@ static INTN mok_pw_prompt (void *MokPW, void *data2, void *data3) {
return 0;
}
- efi_status = match_password(NULL, 0, MokPW, L"Confirm MOK passphrase: ");
+ if (MokPWSize == AUTH_LEN) {
+ salt = MokPW;
+ auth = MokPW + SALT_LEN;
+ efi_status = match_password(salt, SALT_LEN, auth, L"Confirm MOK passphrase: ");
+ } else {
+ efi_status = match_password(NULL, 0, MokPW, L"Confirm MOK passphrase: ");
+ }
+
if (efi_status != EFI_SUCCESS) {
Print(L"Password limit reached\n");
return -1;
@@ -1691,8 +1725,8 @@ static BOOLEAN verify_pw(void)
{
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
EFI_STATUS efi_status;
- UINT8 pwhash[SHA256_DIGEST_SIZE];
- UINTN size = SHA256_DIGEST_SIZE;
+ UINT8 pwhash[AUTH_LEN], *auth, *salt;
+ UINTN size = AUTH_LEN;
UINT32 attributes;
efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokPWStore",
@@ -1704,7 +1738,8 @@ static BOOLEAN verify_pw(void)
* known value, so there's no safety advantage in failing to validate
* purely because of a failure to read the variable
*/
- if (efi_status != EFI_SUCCESS)
+ if (efi_status != EFI_SUCCESS ||
+ (size != SHA256_DIGEST_SIZE && size != AUTH_LEN))
return TRUE;
if (attributes & EFI_VARIABLE_RUNTIME_ACCESS)
@@ -1712,7 +1747,13 @@ static BOOLEAN verify_pw(void)
uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut);
- efi_status = match_password(NULL, 0, pwhash, L"Enter MOK password: ");
+ if (size == AUTH_LEN) {
+ salt = pwhash;
+ auth = pwhash + SALT_LEN;
+ efi_status = match_password(salt, SALT_LEN, auth, L"Enter MOK password: ");
+ } else {
+ efi_status = match_password(NULL, 0, pwhash, L"Enter MOK password: ");
+ }
if (efi_status != EFI_SUCCESS) {
Print(L"Password limit reached\n");
return FALSE;
@@ -1733,8 +1774,8 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
UINTN menucount = 3, i = 0;
EFI_STATUS efi_status;
EFI_GUID shim_lock_guid = SHIM_LOCK_GUID;
- UINT8 auth[SHA256_DIGEST_SIZE];
- UINTN auth_size = SHA256_DIGEST_SIZE;
+ UINT8 auth[AUTH_LEN];
+ UINTN auth_size = AUTH_LEN;
UINT32 attributes;
if (verify_pw() == FALSE)
@@ -1744,14 +1785,16 @@ static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle,
&shim_lock_guid,
&attributes, &auth_size, auth);
- if ((efi_status == EFI_SUCCESS) && (auth_size == SHA256_DIGEST_SIZE))
+ if ((efi_status == EFI_SUCCESS) &&
+ (auth_size == SHA256_DIGEST_SIZE || auth_size == AUTH_LEN))
MokAuth = 1;
efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokDelAuth",
&shim_lock_guid,
&attributes, &auth_size, auth);
- if ((efi_status == EFI_SUCCESS) && (auth_size == SHA256_DIGEST_SIZE))
+ if ((efi_status == EFI_SUCCESS) &&
+ (auth_size == SHA256_DIGEST_SIZE || auth_size == AUTH_LEN))
MokDelAuth = 1;
if (MokNew || MokAuth)
--
1.7.10.4
Reference in New Issue Copy Permalink