LM
/
u-boot
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

ADD: [nrhw18] netmodule password check support 

BugzID: 54601
This commit is contained in:
Marcel Reichmuth 2018-12-06 15:58:08 +01:00
parent e0c3093625
commit 7235cc2554
7 changed files with 451 additions and 3 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

99
common/main.c
View File

@ -13,6 +13,11 @@
#include <console.h>
#include <version.h>
#include <fs.h>
#include <u-boot/md5.h>
#include <malloc.h>
#include <crypt.h>
DECLARE_GLOBAL_DATA_PTR;
/*
@ -20,6 +25,93 @@ DECLARE_GLOBAL_DATA_PTR;
*/
__weak void show_boot_progress(int val) {}
#ifdef CONFIG_NM_LOGIN
/****************************************************************************
* check if ubootpwd exists in data partition and perform a login,
* otherwise continue booting
*/
int login (void)
{
#define PASS_LEN 256
char stored[PASS_LEN];
char buf[PASS_LEN], entered[32];
int res, i, tries;
int legacy_md5 = 0;
loff_t actread;
puts("\nautoboot has been stopped, press 'e' to enter: ");
for (i=0; i<=4096; i++) {
buf[0] = getc();
if (buf[0] == 'e' || buf[0] == '\n') {
puts("e");
break;
}
if (i == 4096) return 0;
}
puts("\n");
memset(stored, 0x0, sizeof(stored));
if (fs_set_blk_dev("mmc", "0:3", FS_TYPE_EXT) != 0) {
puts("Error, can not set blk devicet");
return 1;
}
res = fs_read("/root/boot/bootpass", (ulong)stored, 0, sizeof(stored), &actread);
if ((res!=0) || (actread <= 0)) {
/* no file or hash found */
puts("Login succeeded\n\n");
return 1;
} else if (actread == 16) {
legacy_md5 = 1;
}
for (tries = 1; ; tries++) {
puts("\nEnter password: ");
buf[0] = 0;
for (i=0; i<PASS_LEN; i++) {
buf[i] = getc();
if (buf[i] == '\r' || buf[i] == '\n') {
buf[i] = 0;
break;
}
}
buf[PASS_LEN-1] = 0;
if (strlen(buf) > 0) {
puts("\n");
if (legacy_md5) {
md5((unsigned char*) buf, strlen(buf), (unsigned char *)entered);
if (memcmp(stored, entered, 16) == 0) {
break;
}
} else {
char *cp = sha_crypt(buf, stored);
if (memcmp(cp, stored, actread) == 0) {
free(cp);
break;
}
free(cp);
}
puts("Login incorrect\n");
if (tries == 3) {
return 0;
}
}
}
/* succeeded */
puts("Login succeeded\n\n");
return 1;
}
#endif /* CONFIG_NM_LOGIN */
/****************************************************************************/
static void run_preboot_environment_command(void)
{
#ifdef CONFIG_PREBOOT
@ -65,6 +157,13 @@ void main_loop(void)
autoboot_command(s);
#ifdef CONFIG_NM_LOGIN
if (!login()) {
puts ("Login failed, resetting...\n");
do_reset (NULL, 0, 0, NULL);
}
#endif
cli_loop();
panic("No CLI available");
}

3
fs/fs.c
View File

@ -405,9 +405,6 @@ int fs_read(const char *filename, ulong addr, loff_t offset, loff_t len,
ret = info->read(filename, buf, offset, len, actread);
unmap_sysmem(buf);
/* If we requested a specific number of bytes, check we got it */
if (ret == 0 && len && *actread != len)
printf("** %s shorter than offset + len **\n", filename);
fs_close();
return ret;

5
include/configs/armada-385-nbhw18-v2.h
View File

@ -89,6 +89,11 @@
#define CONFIG_SYS_ALT_MEMTEST
#ifndef CONFIG_SPL_BUILD
#define CONFIG_NM_LOGIN
#define CONFIG_CRYPT
#define CONFIG_SUPPORT_EMMC_RPMB
#define KERNEL_ADDR "0x01000000"
#define LOAD_ADDR "0x03000000"
#define FDT_ADDR "0x02000000"

6
include/crypt.h Executable file
View File

@ -0,0 +1,6 @@
#ifndef _CRYPT_H
#define _CRYPT_H
extern char * sha_crypt(const char *key, const char *salt);
#endif /* _CRYPT_H */

11
lib/Kconfig
View File

@ -54,6 +54,17 @@ config REGEX
regex support to some commands, for example "env grep" and
"setexpr".
config NM_LOGIN
bool "Enable NetModule login"
help
If this variable is defined, U-Boot asks for the admin password
before entering the shell.
config CRYPT
bool "Enable SHA crypto api"
help
If this variable is defined, the SHA crypto API is compiled in.
config LIB_RAND
bool "Pseudo-random library support "
help

1
lib/Makefile
View File

@ -21,6 +21,7 @@ obj-$(CONFIG_ARCH_AT91) += at91/
obj-$(CONFIG_AES) += aes.o
obj-y += charset.o
obj-$(CONFIG_USB_TTY) += circbuf.o
obj-$(CONFIG_CRYPT) += crypt.o
obj-y += crc7.o
obj-y += crc8.o
obj-y += crc16.o

329
lib/crypt.c Executable file
View File

@ -0,0 +1,329 @@
#include <common.h>
#include <u-boot/sha256.h>
#include <malloc.h>
#include <linux/types.h>
/* The crypt source code was ported from busybox sources pw_crypt */
/* Used by pw_encrypt_XXX.c */
static const uint8_t ascii64[] = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
static char*
to64(char *s, unsigned v, int n)
{
while (--n >= 0) {
*s++ = ascii64[v & 0x3f];
v >>= 6;
}
return s;
}
/* SHA256 and SHA512-based Unix crypt implementation.
* Released into the Public Domain by Ulrich Drepper <drepper@redhat.com>.
*/
/* Prefix for optional rounds specification. */
static const char str_rounds[] = "rounds=%u$";
/* Maximum salt string length. */
#define SALT_LEN_MAX 16
/* Default number of rounds if not explicitly specified. */
#define ROUNDS_DEFAULT 5000
/* Minimum number of rounds. */
#define ROUNDS_MIN 1000
/* Maximum number of rounds. */
#define ROUNDS_MAX 999999999
char *sha_crypt(const char *key_data, const char *salt_data)
{
void (*sha_begin)(void *ctx);
void (*sha_hash)(void *ctx, const void *buffer, size_t len);
void* (*sha_end)( void *ctx, void *resbuf);
int _32or64;
char *result, *resptr;
/* btw, sha256 needs [32] and uint32_t only */
unsigned char alt_result[64] __attribute__((__aligned__(__alignof__(uint64_t))));
unsigned char temp_result[64] __attribute__((__aligned__(__alignof__(uint64_t))));
union {
sha256_context x;
#if 0
sha512_ctx_t y;
#endif
} ctx;
union {
sha256_context x;
#if 0
sha512_ctx_t y;
#endif
} alt_ctx;
unsigned salt_len;
unsigned key_len;
unsigned cnt;
unsigned rounds;
char *cp;
char is_sha512;
char *tmp;
/* Analyze salt, construct already known part of result */
cnt = strlen(salt_data) + 1 + 43 + 1;
is_sha512 = salt_data[1];
if (is_sha512 == '6') {
printf("SHA-512 is not supported yet");
return 0;
/* cnt += 43; */
}
result = resptr = malloc(cnt); /* will provide NUL terminator */
memset(result, 0, cnt);
*resptr++ = '$';
*resptr++ = is_sha512;
*resptr++ = '$';
rounds = ROUNDS_DEFAULT;
salt_data += 3;
if (strncmp(salt_data, str_rounds, 7) == 0) {
/* 7 == strlen("rounds=") */
char *endp;
cnt = simple_strtoul(salt_data + 7, &endp, 10);
if (*endp == '$') {
salt_data = endp + 1;
rounds = cnt;
if (rounds < ROUNDS_MIN)
rounds = ROUNDS_MIN;
if (rounds > ROUNDS_MAX)
rounds = ROUNDS_MAX;
/* add "rounds=NNNNN$" to result */
resptr += sprintf(resptr, str_rounds, rounds);
}
}
{
char *salt_end = strchr(salt_data, '$');
if (salt_end != 0) {
salt_len = salt_end - salt_data;
}
else {
salt_len = strnlen(salt_data, SALT_LEN_MAX);
}
}
// salt_len = (int)strchrnul(salt_data, '$') - (int)salt_data;
if (salt_len > SALT_LEN_MAX)
salt_len = SALT_LEN_MAX;
/* xstrdup assures suitable alignment; also we will use it
as a scratch space later. */
tmp = malloc(strnlen(salt_data, 128));
memcpy(tmp, salt_data, strnlen(salt_data, 128));
salt_data = tmp;
//salt_data = xstrndup(salt_data, salt_len);
/* add "salt$" to result */
strcpy(resptr, salt_data);
resptr += salt_len;
*resptr++ = '$';
/* key data doesn't need much processing */
key_len = strlen(key_data);
tmp = malloc(strnlen(key_data, 256));
memcpy(tmp, key_data, strnlen(key_data, 256));
key_data = tmp;
// key_data = xstrdup(key_data);
/* Which flavor of SHAnnn ops to use? */
sha_begin = (void*)sha256_starts;
sha_hash = (void*)sha256_update;
sha_end = (void*)sha256_finish;
_32or64 = 32;
/* Not supported */
#if 0
if (is_sha512 == '6') {
sha_begin = (void*)sha512_begin;
sha_hash = (void*)sha512_hash;
sha_end = (void*)sha512_end;
_32or64 = 64;
}
#endif
/* Add KEY, SALT. */
sha_begin(&ctx);
sha_hash(&ctx, key_data, key_len);
sha_hash(&ctx, salt_data, salt_len);
/* Compute alternate SHA sum with input KEY, SALT, and KEY.
The final result will be added to the first context. */
sha_begin(&alt_ctx);
sha_hash(&alt_ctx, key_data, key_len);
sha_hash(&alt_ctx, salt_data, salt_len);
sha_hash(&alt_ctx, key_data, key_len);
sha_end(&alt_ctx, alt_result);
/* Add result of this to the other context. */
/* Add for any character in the key one byte of the alternate sum. */
for (cnt = key_len; cnt > _32or64; cnt -= _32or64)
sha_hash(&ctx, alt_result, _32or64);
sha_hash(&ctx, alt_result, cnt);
/* Take the binary representation of the length of the key and for every
1 add the alternate sum, for every 0 the key. */
for (cnt = key_len; cnt != 0; cnt >>= 1)
if ((cnt & 1) != 0)
sha_hash(&ctx, alt_result, _32or64);
else
sha_hash(&ctx, key_data, key_len);
/* Create intermediate result. */
sha_end(&ctx, alt_result);
/* Start computation of P byte sequence. */
/* For every character in the password add the entire password. */
sha_begin(&alt_ctx);
for (cnt = 0; cnt < key_len; ++cnt)
sha_hash(&alt_ctx, key_data, key_len);
sha_end(&alt_ctx, temp_result);
/* NB: past this point, raw key_data is not used anymore */
/* Create byte sequence P. */
#define p_bytes key_data /* reuse the buffer as it is of the key_len size */
cp = p_bytes; /* was: ... = alloca(key_len); */
for (cnt = key_len; cnt >= _32or64; cnt -= _32or64) {
cp = memcpy(cp, temp_result, _32or64);
cp += _32or64;
}
memcpy(cp, temp_result, cnt);
/* Start computation of S byte sequence. */
/* For every character in the password add the entire password. */
sha_begin(&alt_ctx);
for (cnt = 0; cnt < 16 + alt_result[0]; ++cnt)
sha_hash(&alt_ctx, salt_data, salt_len);
sha_end(&alt_ctx, temp_result);
/* NB: past this point, raw salt_data is not used anymore */
/* Create byte sequence S. */
#define s_bytes salt_data /* reuse the buffer as it is of the salt_len size */
cp = s_bytes; /* was: ... = alloca(salt_len); */
for (cnt = salt_len; cnt >= _32or64; cnt -= _32or64) {
cp = memcpy(cp, temp_result, _32or64);
cp += _32or64;
}
memcpy(cp, temp_result, cnt);
/* Repeatedly run the collected hash value through SHA to burn
CPU cycles. */
for (cnt = 0; cnt < rounds; ++cnt) {
sha_begin(&ctx);
/* Add key or last result. */
if ((cnt & 1) != 0)
sha_hash(&ctx, p_bytes, key_len);
else
sha_hash(&ctx, alt_result, _32or64);
/* Add salt for numbers not divisible by 3. */
if (cnt % 3 != 0)
sha_hash(&ctx, s_bytes, salt_len);
/* Add key for numbers not divisible by 7. */
if (cnt % 7 != 0)
sha_hash(&ctx, p_bytes, key_len);
/* Add key or last result. */
if ((cnt & 1) != 0)
sha_hash(&ctx, alt_result, _32or64);
else
sha_hash(&ctx, p_bytes, key_len);
sha_end(&ctx, alt_result);
}
/* Append encrypted password to result buffer */
//TODO: replace with something like
// bb_uuencode(cp, src, length, bb_uuenc_tbl_XXXbase64);
#define b64_from_24bit(B2, B1, B0, N) \
do { \
unsigned w = ((B2) << 16) | ((B1) << 8) | (B0); \
resptr = to64(resptr, w, N); \
} while (0)
if (is_sha512 == '5') {
unsigned i = 0;
unsigned j = 10;
unsigned k = 20;
/* strange swap of one byte (see below why) */
unsigned char alt_result_31 = alt_result[31];
alt_result[31] = alt_result[1];
while (1) {
b64_from_24bit(alt_result[i], alt_result[j], alt_result[k], 4);
if (i == 9)
break;
i += 21; i = (((i >> 4) & 2) + i) & 0x1f;
j += 21; j = (((j >> 4) & 2) + j) & 0x1f;
k += 21; k = (((k >> 4) & 2) + k) & 0x1f;
}
b64_from_24bit(0, alt_result_31, alt_result[30], 3);
/* was:
b64_from_24bit(alt_result[0], alt_result[10], alt_result[20], 4);
b64_from_24bit(alt_result[21], alt_result[1], alt_result[11], 4);
...............................^^^^^^^^^^^^^ why [1] and not [31]?
b64_from_24bit(alt_result[12], alt_result[22], alt_result[2], 4);
b64_from_24bit(alt_result[3], alt_result[13], alt_result[23], 4);
b64_from_24bit(alt_result[24], alt_result[4], alt_result[14], 4);
b64_from_24bit(alt_result[15], alt_result[25], alt_result[5], 4);
b64_from_24bit(alt_result[6], alt_result[16], alt_result[26], 4);
b64_from_24bit(alt_result[27], alt_result[7], alt_result[17], 4);
b64_from_24bit(alt_result[18], alt_result[28], alt_result[8], 4);
b64_from_24bit(alt_result[9], alt_result[19], alt_result[29], 4);
b64_from_24bit(0, alt_result[31], alt_result[30], 3);
*/
} else {
unsigned i = 0;
unsigned j = 21;
unsigned k = 42;
while (1) {
b64_from_24bit(alt_result[i], alt_result[j], alt_result[k], 4);
if (i == 62)
break;
i += 22; i = ((i >> 6) + i) & 0x3f;
j += 22; j = ((j >> 6) + j) & 0x3f;
k += 22; k = ((k >> 6) + k) & 0x3f;
}
b64_from_24bit(0, 0, alt_result[63], 2);
/* was:
b64_from_24bit(alt_result[0], alt_result[21], alt_result[42], 4);
b64_from_24bit(alt_result[22], alt_result[43], alt_result[1], 4);
b64_from_24bit(alt_result[44], alt_result[2], alt_result[23], 4);
b64_from_24bit(alt_result[3], alt_result[24], alt_result[45], 4);
b64_from_24bit(alt_result[25], alt_result[46], alt_result[4], 4);
b64_from_24bit(alt_result[47], alt_result[5], alt_result[26], 4);
b64_from_24bit(alt_result[6], alt_result[27], alt_result[48], 4);
b64_from_24bit(alt_result[28], alt_result[49], alt_result[7], 4);
b64_from_24bit(alt_result[50], alt_result[8], alt_result[29], 4);
b64_from_24bit(alt_result[9], alt_result[30], alt_result[51], 4);
b64_from_24bit(alt_result[31], alt_result[52], alt_result[10], 4);
b64_from_24bit(alt_result[53], alt_result[11], alt_result[32], 4);
b64_from_24bit(alt_result[12], alt_result[33], alt_result[54], 4);
b64_from_24bit(alt_result[34], alt_result[55], alt_result[13], 4);
b64_from_24bit(alt_result[56], alt_result[14], alt_result[35], 4);
b64_from_24bit(alt_result[15], alt_result[36], alt_result[57], 4);
b64_from_24bit(alt_result[37], alt_result[58], alt_result[16], 4);
b64_from_24bit(alt_result[59], alt_result[17], alt_result[38], 4);
b64_from_24bit(alt_result[18], alt_result[39], alt_result[60], 4);
b64_from_24bit(alt_result[40], alt_result[61], alt_result[19], 4);
b64_from_24bit(alt_result[62], alt_result[20], alt_result[41], 4);
b64_from_24bit(0, 0, alt_result[63], 2);
*/
}
/* *resptr = '\0'; - xzalloc did it */
#undef b64_from_24bit
/* Clear the buffer for the intermediate result so that people
attaching to processes or reading core dumps cannot get any
information. */
memset(temp_result, 0, sizeof(temp_result));
memset(alt_result, 0, sizeof(alt_result));
memset(&ctx, 0, sizeof(ctx));
memset(&alt_ctx, 0, sizeof(alt_ctx));
memset(key_data, 0, key_len); /* also p_bytes */
memset(salt_data, 0, salt_len); /* also s_bytes */
free(key_data);
free(salt_data);
#undef p_bytes
#undef s_bytes
return result;
}