Hello community,
here is the log from the commit of package mokutil for openSUSE:Factory checked in at 2013-01-20 14:40:09
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/mokutil (Old)
and /work/SRC/openSUSE:Factory/.mokutil.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "mokutil", Maintainer is "GLin@suse.com"
Changes:
--------
--- /work/SRC/openSUSE:Factory/mokutil/mokutil.changes 2013-01-17 09:49:22.000000000 +0100
+++ /work/SRC/openSUSE:Factory/.mokutil.new/mokutil.changes 2013-01-20 14:40:10.000000000 +0100
@@ -1,0 +2,6 @@
+Fri Jan 18 10:05:27 UTC 2013 - glin@suse.com
+
+- Update mokutil-support-new-pw-hash.patch to extend the password
+ hash format
+
+-------------------------------------------------------------------
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ mokutil-support-new-pw-hash.patch ++++++
--- /var/tmp/diff_new_pack.hZhBtY/_old 2013-01-20 14:40:11.000000000 +0100
+++ /var/tmp/diff_new_pack.hZhBtY/_new 2013-01-20 14:40:11.000000000 +0100
@@ -1,7 +1,7 @@
From bd29992e580e9a48dc698e2e108c73b51a98f05f Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Wed, 9 Jan 2013 15:44:42 +0800
-Subject: [PATCH 1/9] Use getopt() to parse options
+Subject: [PATCH 01/10] Use getopt() to parse options
---
src/mokutil.c | 259 +++++++++++++++++++++++++++------------------------------
@@ -350,7 +350,7 @@
From 32a919cd2ca89ea0dfcc7644c05a3cf88cbb13c4 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Wed, 9 Jan 2013 17:37:30 +0800
-Subject: [PATCH 2/9] Adopt new password hash format
+Subject: [PATCH 02/10] Adopt new password hash format
old format: MokNew + sha256sum(MokNew + password)
new format: salt + sha256sum(salt + password)
@@ -555,7 +555,7 @@
From 326082d300337b347ae2cc42808ce905dd92eb3b Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Wed, 9 Jan 2013 17:59:01 +0800
-Subject: [PATCH 3/9] Close the key file
+Subject: [PATCH 03/10] Close the key file
---
src/mokutil.c | 2 ++
@@ -581,7 +581,7 @@
From 97d977246991f750827764fb48662c8be4b40f78 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Thu, 10 Jan 2013 17:07:36 +0800
-Subject: [PATCH 4/9] Get rid of misused while statement
+Subject: [PATCH 04/10] Get rid of misused while statement
---
src/mokutil.c | 4 ++--
@@ -616,7 +616,7 @@
From ca1978555253562c4ad39ff8b050cbbbe485474b Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Thu, 10 Jan 2013 17:24:58 +0800
-Subject: [PATCH 5/9] Read the password hash from the file
+Subject: [PATCH 05/10] Read the password hash from the file
---
src/mokutil.c | 158 ++++++++++++++++++++++++++++++++++++++++++++++-----------
@@ -916,7 +916,7 @@
From c45ffc0d42c0564cf817a1682c0cbd5be164197d Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Thu, 10 Jan 2013 18:29:17 +0800
-Subject: [PATCH 6/9] Add a new command to generate the password hash
+Subject: [PATCH 06/10] Add a new command to generate the password hash
---
src/mokutil.c | 69 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++-
@@ -1053,7 +1053,7 @@
From ba347d456e80101b7c4306e7b30465c47c0fbea6 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Tue, 15 Jan 2013 16:14:32 +0800
-Subject: [PATCH 7/9] Amend help
+Subject: [PATCH 07/10] Amend help
---
src/mokutil.c | 59 ++++++++++++++++++++++-----------------------------------
@@ -1136,7 +1136,7 @@
From f1a1c7abd8fde13afcb5196c599c662109936d49 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Tue, 15 Jan 2013 17:48:04 +0800
-Subject: [PATCH 8/9] New commands to revoke the import or delete request
+Subject: [PATCH 08/10] New commands to revoke the import or delete request
---
src/mokutil.c | 58 +++++++++++++++++++++++++++++++++++----------------------
@@ -1254,7 +1254,7 @@
From 5cd7872982361be10755e3c8e7ecf228da92e164 Mon Sep 17 00:00:00 2001
From: Gary Ching-Pang Lin
Date: Wed, 16 Jan 2013 15:12:28 +0800
-Subject: [PATCH 9/9] Apply stricter permissions to some variables
+Subject: [PATCH 09/10] Apply stricter permissions to some variables
The UEFI variables which contain the password or the password hash
should not be accessed by normal users.
@@ -1340,3 +1340,340 @@
--
1.7.10.4
+
+From 47645170396e2800980044c7054bcd1078bbba93 Mon Sep 17 00:00:00 2001
+From: Gary Ching-Pang Lin
+Date: Fri, 18 Jan 2013 17:47:04 +0800
+Subject: [PATCH 10/10] Extend the password hash format
+
+Several new fields were added to support hash from /etc/shadow.
+
+[Hash Method][Interation Count][Salt Size][Salt][hash]
+
+Besides, the salt is hashed with the 8-bit char password instead of
+an efi_char16_t password array.
+---
+ src/PasswordHash.h | 33 ++++++++++++++++
+ src/mokutil.c | 106 +++++++++++++++++++++++++++++-----------------------
+ 2 files changed, 93 insertions(+), 46 deletions(-)
+ create mode 100644 src/PasswordHash.h
+
+diff --git a/src/PasswordHash.h b/src/PasswordHash.h
+new file mode 100644
+index 0000000..2aeded6
+--- /dev/null
++++ b/src/PasswordHash.h
+@@ -0,0 +1,33 @@
++#ifndef __PASSWORD_HASH_H__
++#define __PASSWORD_HASH_H__
++
++#include
++
++#define PASSWORD_HASH_SIZE 88
++
++/* The max salt size (in bits) */
++#define T_DES_SALT_MAX 12
++#define E_BSI_DES_SALT_MAX 24
++#define MD5_SALT_MAX 48
++#define SHA256_SALT_MAX 96
++#define SHA512_SALT_MAX 96
++#define BLOWFISH_SALT_MAX 128
++
++enum HashMethod {
++ Tranditional_DES = 0,
++ Extend_BSDI_DES,
++ MD5_BASED,
++ SHA256_BASED,
++ SHA512_BASED,
++ BLOWFISH_BASED
++};
++
++typedef struct {
++ uint16_t method;
++ uint32_t iter_count;
++ uint16_t salt_size;
++ uint8_t salt[16];
++ uint8_t hash[64];
++} __attribute__ ((packed)) pw_hash_t;
++
++#endif /* __PASSWORD_HASH_H__ */
+diff --git a/src/mokutil.c b/src/mokutil.c
+index c1a0ffc..38039b9 100644
+--- a/src/mokutil.c
++++ b/src/mokutil.c
+@@ -13,6 +13,7 @@
+
+ #include "efi.h"
+ #include "signature.h"
++#include "PasswordHash.h"
+
+ #define SHIM_LOCK_GUID \
+ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23)
+@@ -20,8 +21,6 @@ EFI_GUID (0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b,
+ #define PASSWORD_MAX 16
+ #define PASSWORD_MIN 8
+
+-#define SALT_SIZE 16
+-
+ #define HELP 0x1
+ #define LIST_ENROLLED 0x2
+ #define LIST_NEW 0x4
+@@ -359,37 +358,35 @@ error:
+ return ret;
+ }
+
+-static void
+-generate_salt (uint8_t salt[], unsigned int salt_len)
++static unsigned int
++generate_salt (uint8_t salt[], unsigned int max_size, unsigned int min_size)
+ {
++ unsigned int salt_len = max_size / 8;
+ int i;
+
+ srand (time (NULL));
+
+ for (i = 0; i < salt_len; i++)
+ salt[i] = rand() % 256;
++
++ return max_size;
+ }
+
+ static int
+ generate_hash (void *salt, unsigned int salt_len, char *password,
+ int pw_len, uint8_t *auth)
+ {
+- efi_char16_t efichar_pass[PASSWORD_MAX+1];
+- unsigned long efichar_len;
+ SHA256_CTX ctx;
+
+ if (!password || !auth)
+ return -1;
+
+- efichar_len = efichar_from_char (efichar_pass, password,
+- (PASSWORD_MAX+1)*sizeof(efi_char16_t));
+-
+ SHA256_Init (&ctx);
+
+ if (salt)
+ SHA256_Update (&ctx, salt, salt_len);
+
+- SHA256_Update (&ctx, efichar_pass, efichar_len);
++ SHA256_Update (&ctx, password, pw_len);
+
+ SHA256_Final (auth, &ctx);
+
+@@ -412,7 +409,7 @@ char_to_int (const char c)
+ }
+
+ static int
+-read_hex_array (const char *string, char *out, int len)
++read_hex_array (const char *string, uint8_t *out, unsigned int len)
+ {
+ int i, digit_1, digit_2;
+
+@@ -422,17 +419,18 @@ read_hex_array (const char *string, char *out, int len)
+ if (digit_1 < 0 || digit_2 < 0)
+ return -1;
+
+- out[i] = (char)digit_1 * 16 + (char)digit_2;
++ out[i] = (uint8_t)digit_1 * 16 + (uint8_t)digit_2;
+ }
+
+ return 0;
+ }
+
+ static int
+-get_hash_from_file (const char *file, void *salt, void *hash)
++get_hash_from_file (const char *file, pw_hash_t *pw_hash)
+ {
+ FILE *fptr;
+- char salt_string[2*SALT_SIZE];
++ unsigned int method, iter_count, salt_size;
++ char salt_string[2*(SHA256_SALT_MAX/8)];
+ char hash_string[2*SHA256_DIGEST_LENGTH];
+
+ fptr = fopen (file, "r");
+@@ -441,19 +439,24 @@ get_hash_from_file (const char *file, void *salt, void *hash)
+ return -1;
+ }
+
+- memset (salt_string, 0, 2*SALT_SIZE);
++ memset (salt_string, 0, 2*(SHA256_SALT_MAX/8));
+ memset (hash_string, 0, 2*SHA256_DIGEST_LENGTH);
+
+- fscanf (fptr, "%32c.%64c", salt_string, hash_string);
++ fscanf (fptr, "%x.%x.%x.%24c.%64c", &method, &iter_count, &salt_size,
++ salt_string, hash_string);
+
+ fclose (fptr);
+
+- if (read_hex_array (salt_string, salt, SALT_SIZE) < 0) {
++ pw_hash->method = (uint16_t)method;
++ pw_hash->iter_count = (uint32_t)iter_count;
++ pw_hash->salt_size = (uint16_t)salt_size;
++
++ if (read_hex_array (salt_string, pw_hash->salt, salt_size/8) < 0) {
+ fprintf (stderr, "Corrupted salt\n");
+ return -1;
+ }
+
+- if (read_hex_array (hash_string, hash, SHA256_DIGEST_LENGTH) < 0) {
++ if (read_hex_array (hash_string, pw_hash->hash, SHA256_DIGEST_LENGTH) < 0) {
+ fprintf (stderr, "Corrupted hash\n");
+ return -1;
+ }
+@@ -467,13 +470,16 @@ update_request (void *new_list, int list_len, uint8_t import,
+ {
+ efi_variable_t var;
+ const char *req_name, *auth_name;
+- uint8_t salt[SALT_SIZE];
+- uint8_t hash[SHA256_DIGEST_LENGTH];
+- uint8_t auth[SALT_SIZE + SHA256_DIGEST_LENGTH];
++ pw_hash_t pw_hash;
+ char *password = NULL;
+ int pw_len;
+ int ret = -1;
+
++ bzero (&pw_hash, sizeof(pw_hash_t));
++ pw_hash.method = SHA256_BASED;
++ pw_hash.iter_count = 1;
++ pw_hash.salt_size = SHA256_SALT_MAX;
++
+ if (import) {
+ req_name = "MokNew";
+ auth_name = "MokAuth";
+@@ -483,7 +489,7 @@ update_request (void *new_list, int list_len, uint8_t import,
+ }
+
+ if (hash_file) {
+- if (get_hash_from_file (hash_file, salt, hash) < 0) {
++ if (get_hash_from_file (hash_file, &pw_hash) < 0) {
+ fprintf (stderr, "Failed to read hash\n");
+ goto error;
+ }
+@@ -493,14 +499,13 @@ update_request (void *new_list, int list_len, uint8_t import,
+ goto error;
+ }
+
+- generate_salt (salt, SALT_SIZE);
+- if (generate_hash (salt, SALT_SIZE, password, pw_len, hash) < 0) {
++ generate_salt (pw_hash.salt, SHA256_SALT_MAX, 0);
++ if (generate_hash (pw_hash.salt, SHA256_SALT_MAX/8, password,
++ pw_len, pw_hash.hash) < 0) {
+ fprintf (stderr, "Couldn't generate hash\n");
+ goto error;
+ }
+ }
+- memcpy (auth, salt, SALT_SIZE);
+- memcpy (auth + SALT_SIZE, hash, SHA256_DIGEST_LENGTH);
+
+ if (new_list) {
+ /* Write MokNew*/
+@@ -522,9 +527,9 @@ update_request (void *new_list, int list_len, uint8_t import,
+ test_and_delete_var (req_name);
+ }
+
+- /* Write MokAuth */
+- var.Data = auth;
+- var.DataSize = SHA256_DIGEST_LENGTH + SALT_SIZE;
++ /* Write MokAuth or MokDelAuth */
++ var.Data = (void *)&pw_hash;
++ var.DataSize = PASSWORD_HASH_SIZE;
+ var.VariableName = auth_name;
+
+ var.VendorGuid = SHIM_LOCK_GUID;
+@@ -848,15 +853,18 @@ static int
+ set_password (const char *hash_file)
+ {
+ efi_variable_t var;
+- uint8_t salt[SALT_SIZE];
+- uint8_t hash[SHA256_DIGEST_LENGTH];
+- uint8_t auth[SHA256_DIGEST_LENGTH + SALT_SIZE];
++ pw_hash_t pw_hash;
+ char *password = NULL;
+ int pw_len;
+ int ret = -1;
+
++ bzero (&pw_hash, sizeof(pw_hash_t));
++ pw_hash.method = SHA256_BASED;
++ pw_hash.iter_count = 1;
++ pw_hash.salt_size = SHA256_SALT_MAX;
++
+ if (hash_file) {
+- if (get_hash_from_file (hash_file, salt, hash) < 0) {
++ if (get_hash_from_file (hash_file, &pw_hash) < 0) {
+ fprintf (stderr, "Failed to read hash\n");
+ goto error;
+ }
+@@ -866,17 +874,16 @@ set_password (const char *hash_file)
+ goto error;
+ }
+
+- generate_salt (salt, SALT_SIZE);
+- if (generate_hash (salt, SALT_SIZE, password, pw_len, hash) < 0) {
++ generate_salt (pw_hash.salt, SHA256_SALT_MAX, 0);
++ if (generate_hash (pw_hash.salt, SHA256_SALT_MAX/8, password,
++ pw_len, pw_hash.hash) < 0) {
+ fprintf (stderr, "Couldn't generate hash\n");
+ goto error;
+ }
+ }
+- memcpy (auth, salt, SALT_SIZE);
+- memcpy (auth + SALT_SIZE, hash, SHA256_DIGEST_LENGTH);
+
+- var.Data = auth;
+- var.DataSize = SHA256_DIGEST_LENGTH + SALT_SIZE;
++ var.Data = (void *)&pw_hash;
++ var.DataSize = PASSWORD_HASH_SIZE;
+ var.VariableName = "MokPW";
+
+ var.VendorGuid = SHIM_LOCK_GUID;
+@@ -1044,11 +1051,15 @@ reset_moks (const char *hash_file)
+ static int
+ generate_pw_hash (const char *input_pw)
+ {
+- uint8_t salt[SALT_SIZE];
+- uint8_t hash[SHA256_DIGEST_LENGTH];
++ pw_hash_t pw_hash;
+ char *password = NULL;
+ int pw_len, i, ret = -1;
+
++ bzero (&pw_hash, sizeof(pw_hash_t));
++ pw_hash.method = SHA256_BASED;
++ pw_hash.iter_count = 1;
++ pw_hash.salt_size = SHA256_SALT_MAX;
++
+ if (input_pw) {
+ pw_len = strlen (input_pw);
+ if (pw_len > PASSWORD_MAX || pw_len < PASSWORD_MIN) {
+@@ -1070,19 +1081,22 @@ generate_pw_hash (const char *input_pw)
+ }
+ }
+
+- generate_salt (salt, SALT_SIZE);
+- if (generate_hash (salt, SALT_SIZE, password, pw_len, hash) < 0) {
++ generate_salt (pw_hash.salt, SHA256_SALT_MAX, 0);
++ if (generate_hash (pw_hash.salt, SHA256_SALT_MAX/8, password,
++ pw_len, pw_hash.hash) < 0) {
+ fprintf (stderr, "Couldn't generate hash\n");
+ goto error;
+ }
+
+ /* Print the salt and hash */
+- for (i = 0; i < SALT_SIZE; i++) {
+- printf ("%x%x", salt[i]/16, salt[i]%16);
++ printf ("%x.%x.%x.", pw_hash.method, pw_hash.iter_count,
++ pw_hash.salt_size);
++ for (i = 0; i < (SHA256_SALT_MAX/8); i++) {
++ printf ("%x%x", pw_hash.salt[i]/16, pw_hash.salt[i]%16);
+ }
+ putchar ('.');
+ for (i = 0; i < SHA256_DIGEST_LENGTH; i++)
+- printf ("%x%x", hash[i]/16, hash[i]%16);
++ printf ("%x%x", pw_hash.hash[i]/16, pw_hash.hash[i]%16);
+ putchar ('\n');
+
+ ret = 0;
+--
+1.7.10.4
+
--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@opensuse.org
For additional commands, e-mail: opensuse-commit+help@opensuse.org