[PATCH v1 1/6] lib: add crypt subsystem

Simon Glass sjg at chromium.org
Thu Apr 29 18:10:25 CEST 2021


Hi Steffen,

On Mon, 26 Apr 2021 at 05:19, Steffen Jaeckel
<jaeckel-floss at eyet-services.de> wrote:
>
> Add the basic functionality required to support the standard crypt
> format.
> The files crypt-sha256.c and crypt-sha512.c originate from libxcrypt and
> their formatting is therefor retained.
> The integration is done via a crypt_compare() function in crypt.c.
>
> ```
> libxcrypt $ git describe --long --always --all
> tags/v4.4.17-0-g6b110bc
> ```
>
> Signed-off-by: Steffen Jaeckel <jaeckel-floss at eyet-services.de>
> ---
>
> Changes in v1:
> Added unit-tests of crypt_compare()
> Wrapped crypt functions to encapsulate errno
>
>  include/crypt.h          |  13 ++
>  lib/Kconfig              |   1 +
>  lib/Makefile             |   1 +
>  lib/crypt/Kconfig        |  29 ++++
>  lib/crypt/Makefile       |  10 ++
>  lib/crypt/alg-sha256.h   |  17 ++
>  lib/crypt/alg-sha512.h   |  17 ++
>  lib/crypt/crypt-port.h   |  28 ++++
>  lib/crypt/crypt-sha256.c | 313 +++++++++++++++++++++++++++++++++++++
>  lib/crypt/crypt-sha512.c | 328 +++++++++++++++++++++++++++++++++++++++
>  lib/crypt/crypt.c        |  73 +++++++++
>  test/Kconfig             |   9 ++
>  test/lib/Makefile        |   1 +
>  test/lib/test_crypt.c    |  44 ++++++
>  14 files changed, 884 insertions(+)
>  create mode 100644 include/crypt.h
>  create mode 100644 lib/crypt/Kconfig
>  create mode 100644 lib/crypt/Makefile
>  create mode 100644 lib/crypt/alg-sha256.h
>  create mode 100644 lib/crypt/alg-sha512.h
>  create mode 100644 lib/crypt/crypt-port.h
>  create mode 100644 lib/crypt/crypt-sha256.c
>  create mode 100644 lib/crypt/crypt-sha512.c
>  create mode 100644 lib/crypt/crypt.c
>  create mode 100644 test/lib/test_crypt.c

Reviewed-by: Simon Glass <sjg at chromium.org>

nits below

>
> diff --git a/include/crypt.h b/include/crypt.h
> new file mode 100644
> index 0000000000..e0be2832ff
> --- /dev/null
> +++ b/include/crypt.h
> @@ -0,0 +1,13 @@
> +/* SPDX-License-Identifier: GPL-2.0+ */
> +/* Copyright (C) 2020 Steffen Jaeckel <jaeckel-floss at eyet-services.de> */
> +
> +/**
> + * Compare should with the processed passphrase.
> + *
> + * @should      The crypt-style string to compare against
> + * @passphrase  The plaintext passphrase
> + * @equal       Pointer to an int where the result is stored
> + *                 '0' = unequal
> + *                 '1' = equal

Can this be a return value from the function? true/false

> + */
> +void crypt_compare(const char *should, const char *passphrase, int *equal);
> diff --git a/lib/Kconfig b/lib/Kconfig
> index 6d2d41de30..c7c0b87ec7 100644
> --- a/lib/Kconfig
> +++ b/lib/Kconfig
> @@ -297,6 +297,7 @@ config AES
>
>  source lib/rsa/Kconfig
>  source lib/crypto/Kconfig
> +source lib/crypt/Kconfig
>
>  config TPM
>         bool "Trusted Platform Module (TPM) Support"
> diff --git a/lib/Makefile b/lib/Makefile
> index 6825671955..f0d91986b1 100644
> --- a/lib/Makefile
> +++ b/lib/Makefile
> @@ -65,6 +65,7 @@ obj-$(CONFIG_FIT_SIGNATURE) += hash-checksum.o
>  obj-$(CONFIG_SHA1) += sha1.o
>  obj-$(CONFIG_SHA256) += sha256.o
>  obj-$(CONFIG_SHA512_ALGO) += sha512.o
> +obj-$(CONFIG_CRYPT_PW) += crypt/
>
>  obj-$(CONFIG_$(SPL_)ZLIB) += zlib/
>  obj-$(CONFIG_$(SPL_)ZSTD) += zstd/
> diff --git a/lib/crypt/Kconfig b/lib/crypt/Kconfig
> new file mode 100644
> index 0000000000..6f828cefd6
> --- /dev/null
> +++ b/lib/crypt/Kconfig
> @@ -0,0 +1,29 @@
> +config CRYPT_PW
> +       bool "Add crypt support for password-based unlock"
> +       help
> +         Enable support for crypt-style hashed passphrases.
> +         This will then be used as the mechanism of choice to
> +         verify whether the entered password to unlock the
> +         console is correct or not.
> +         To make it fully functional, one has also to enable
> +         CONFIG_AUTOBOOT_KEYED and CONFIG_AUTOBOOT_ENCRYPTION

So should CRYPT_PW depend on one or both of those?

> +
> +if CRYPT_PW
> +
> +config CRYPT_PW_SHA256
> +       bool "Provide sha256crypt"
> +       select SHA256
> +       select SHA256_ALGO
> +       help
> +         Enables support for the sha256crypt password-hashing algorithm.
> +         The prefix is "$5$".
> +
> +config CRYPT_PW_SHA512
> +       bool "Provide sha512crypt"
> +       select SHA512
> +       select SHA512_ALGO
> +       help
> +         Enables support for the sha512crypt password-hashing algorithm.
> +         The prefix is "$6$".
> +
> +endif
> diff --git a/lib/crypt/Makefile b/lib/crypt/Makefile
> new file mode 100644
> index 0000000000..290231064c
> --- /dev/null
> +++ b/lib/crypt/Makefile
> @@ -0,0 +1,10 @@
> +# SPDX-License-Identifier: GPL-2.0+
> +#
> +# Copyright (c) 2013, Google Inc.
> +#
> +# (C) Copyright 2000-2007
> +# Wolfgang Denk, DENX Software Engineering, wd at denx.de.
> +
> +obj-$(CONFIG_CRYPT_PW) += crypt.o
> +obj-$(CONFIG_CRYPT_PW_SHA256) += crypt-sha256.o
> +obj-$(CONFIG_CRYPT_PW_SHA512) += crypt-sha512.o
> diff --git a/lib/crypt/alg-sha256.h b/lib/crypt/alg-sha256.h
> new file mode 100644
> index 0000000000..e4b29c9f31
> --- /dev/null
> +++ b/lib/crypt/alg-sha256.h
> @@ -0,0 +1,17 @@
> +/* SPDX-License-Identifier: GPL-2.0+ */
> +/* Copyright (C) 2020 Steffen Jaeckel <jaeckel-floss at eyet-services.de> */
> +
> +#ifndef USE_HOSTCC
> +#include "common.h"
> +#else
> +#include <string.h>
> +#endif
> +
> +#include "u-boot/sha256.h"
> +
> +#define INCLUDE_sha256crypt 1
> +
> +#define SHA256_CTX sha256_context
> +#define SHA256_Init sha256_starts
> +#define SHA256_Update(c, i, l) sha256_update(c, (const void *)i, l)
> +#define SHA256_Final(b, c) sha256_finish(c, b)
> diff --git a/lib/crypt/alg-sha512.h b/lib/crypt/alg-sha512.h
> new file mode 100644
> index 0000000000..93b6109fae
> --- /dev/null
> +++ b/lib/crypt/alg-sha512.h
> @@ -0,0 +1,17 @@
> +/* SPDX-License-Identifier: GPL-2.0+ */
> +/* Copyright (C) 2020 Steffen Jaeckel <jaeckel-floss at eyet-services.de> */
> +
> +#ifndef USE_HOSTCC
> +#include "common.h"
> +#else
> +#include <string.h>
> +#endif
> +
> +#include "u-boot/sha512.h"
> +
> +#define INCLUDE_sha512crypt 1
> +
> +#define SHA512_CTX sha512_context
> +#define SHA512_Init sha512_starts
> +#define SHA512_Update(c, i, l) sha512_update(c, (const void *)i, l)
> +#define SHA512_Final(b, c) sha512_finish(c, b)
> diff --git a/lib/crypt/crypt-port.h b/lib/crypt/crypt-port.h
> new file mode 100644
> index 0000000000..680ffe9349
> --- /dev/null
> +++ b/lib/crypt/crypt-port.h
> @@ -0,0 +1,28 @@
> +/* SPDX-License-Identifier: GPL-2.0+ */
> +/* Copyright (C) 2020 Steffen Jaeckel <jaeckel-floss at eyet-services.de> */
> +
> +#include <linux/types.h>
> +#include <vsprintf.h>
> +
> +#define NO_GENSALT
> +#define CRYPT_OUTPUT_SIZE 384
> +#define ALG_SPECIFIC_SIZE 8192
> +
> +#define ARG_UNUSED(x) (x)
> +
> +#define static_assert(a, b) _Static_assert(a, b)
> +
> +#define strtoul(cp, endp, base) simple_strtoul(cp, endp, base)
> +
> +extern const unsigned char ascii64[65];
> +
> +#define b64t ((const char *)ascii64)
> +
> +void crypt_sha256crypt_rn(const char *phrase, size_t phr_size,
> +                         const char *setting, size_t ARG_UNUSED(set_size),
> +                         uint8_t *output, size_t out_size, void *scratch,
> +                         size_t scr_size);
> +void crypt_sha512crypt_rn(const char *phrase, size_t phr_size,
> +                         const char *setting, size_t ARG_UNUSED(set_size),
> +                         uint8_t *output, size_t out_size, void *scratch,
> +                         size_t scr_size);
> diff --git a/lib/crypt/crypt-sha256.c b/lib/crypt/crypt-sha256.c
> new file mode 100644
> index 0000000000..37127d41e1
> --- /dev/null
> +++ b/lib/crypt/crypt-sha256.c
> @@ -0,0 +1,313 @@
> +/* One way encryption based on the SHA256-based Unix crypt implementation.
> + *
> + * Written by Ulrich Drepper <drepper at redhat.com> in 2007 [1].
> + * Modified by Zack Weinberg <zackw at panix.com> in 2017, 2018.
> + * Composed by Björn Esser <besser82 at fedoraproject.org> in 2018.
> + * Modified by Björn Esser <besser82 at fedoraproject.org> in 2020.
> + * Modified by Steffen Jaeckel <jaeckel-floss at eyet-services.de> in 2020.
> + * To the extent possible under law, the named authors have waived all
> + * copyright and related or neighboring rights to this work.
> + *
> + * See https://creativecommons.org/publicdomain/zero/1.0/ for further
> + * details.
> + *
> + * This file is a modified except from [2], lines 648 up to 909.
> + *
> + * [1]  https://www.akkadia.org/drepper/sha-crypt.html
> + * [2]  https://www.akkadia.org/drepper/SHA-crypt.txt

Can you add SPDX to the new files?

[..]


More information about the U-Boot mailing list