aboutsummaryrefslogtreecommitdiff
path: root/resources/grub/patch/grub.johnlane.ie/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch
diff options
context:
space:
mode:
authorAlyssa Rosenzweig <alyssa@rosenzweig.io>2017-06-01 00:34:38 +0000
committerGogs <gogitservice@gmail.com>2017-06-01 00:34:38 +0000
commit6d272ca425c10385e540781aa7208416559a46f5 (patch)
tree2e4399b205406529b152139f208ed30c1729fda9 /resources/grub/patch/grub.johnlane.ie/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch
parentf52e2a5172f78fc8d3d9b7ec1e228f414fe443b0 (diff)
parente8e19e88869ecdcbb3afbdcdb17bb5bac819a58f (diff)
downloadlibrebootfr-6d272ca425c10385e540781aa7208416559a46f5.tar.gz
librebootfr-6d272ca425c10385e540781aa7208416559a46f5.zip
Merge branch 'payloads/x86/updates-20170430' of libreboot/libreboot into master
Diffstat (limited to 'resources/grub/patch/grub.johnlane.ie/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch')
-rw-r--r--resources/grub/patch/grub.johnlane.ie/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch329
1 files changed, 0 insertions, 329 deletions
diff --git a/resources/grub/patch/grub.johnlane.ie/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch b/resources/grub/patch/grub.johnlane.ie/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch
deleted file mode 100644
index 538f4aef..00000000
--- a/resources/grub/patch/grub.johnlane.ie/0003-Cryptomount-luks-allow-multiple-passphrase-attempts.patch
+++ /dev/null
@@ -1,329 +0,0 @@
-From f39e8ee5696f15860c73b07e652a8b59fcc834c7 Mon Sep 17 00:00:00 2001
-From: John Lane <john@lane.uk.net>
-Date: Fri, 26 Jun 2015 13:49:58 +0100
-Subject: [PATCH 04/10] Cryptomount luks allow multiple passphrase attempts
-
----
- grub-core/disk/luks.c | 278 ++++++++++++++++++++++++++------------------------
- 1 file changed, 143 insertions(+), 135 deletions(-)
-
-diff --git a/grub-core/disk/luks.c b/grub-core/disk/luks.c
-index 5882368..11e437e 100644
---- a/grub-core/disk/luks.c
-+++ b/grub-core/disk/luks.c
-@@ -321,10 +321,10 @@ configure_ciphers (grub_disk_t disk, const char *check_uuid,
-
- static grub_err_t
- luks_recover_key (grub_disk_t source,
-- grub_cryptodisk_t dev,
-- grub_file_t hdr,
-- grub_uint8_t *keyfile_bytes,
-- grub_size_t keyfile_bytes_size)
-+ grub_cryptodisk_t dev,
-+ grub_file_t hdr,
-+ grub_uint8_t *keyfile_bytes,
-+ grub_size_t keyfile_bytes_size)
- {
- struct grub_luks_phdr header;
- grub_size_t keysize;
-@@ -339,6 +339,7 @@ luks_recover_key (grub_disk_t source,
- grub_size_t max_stripes = 1;
- char *tmp;
- grub_uint32_t sector;
-+ unsigned attempts = 2;
-
- err = GRUB_ERR_NONE;
-
-@@ -361,151 +362,158 @@ luks_recover_key (grub_disk_t source,
-
- for (i = 0; i < ARRAY_SIZE (header.keyblock); i++)
- if (grub_be_to_cpu32 (header.keyblock[i].active) == LUKS_KEY_ENABLED
-- && grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes)
-+ && grub_be_to_cpu32 (header.keyblock[i].stripes) > max_stripes)
- max_stripes = grub_be_to_cpu32 (header.keyblock[i].stripes);
-
- split_key = grub_malloc (keysize * max_stripes);
- if (!split_key)
- return grub_errno;
-
-- if (keyfile_bytes)
-+ while (attempts)
- {
-- /* Use bytestring from key file as passphrase */
-- passphrase = keyfile_bytes;
-- passphrase_length = keyfile_bytes_size;
-- }
-- else
-- {
-- /* Get the passphrase from the user. */
-- tmp = NULL;
-- if (source->partition)
-- tmp = grub_partition_get_name (source->partition);
-- grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
-- source->partition ? "," : "", tmp ? : "", dev->uuid);
-- grub_free (tmp);
-- if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
-+ if (keyfile_bytes)
- {
-- grub_free (split_key);
-- return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
-- }
--
-- passphrase = (grub_uint8_t *)interactive_passphrase;
-- passphrase_length = grub_strlen (interactive_passphrase);
--
-- }
--
-- /* Try to recover master key from each active keyslot. */
-- for (i = 0; i < ARRAY_SIZE (header.keyblock); i++)
-- {
-- gcry_err_code_t gcry_err;
-- grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN];
-- grub_uint8_t digest[GRUB_CRYPTODISK_MAX_KEYLEN];
--
-- /* Check if keyslot is enabled. */
-- if (grub_be_to_cpu32 (header.keyblock[i].active) != LUKS_KEY_ENABLED)
-- continue;
--
-- grub_dprintf ("luks", "Trying keyslot %d\n", i);
--
-- /* Calculate the PBKDF2 of the user supplied passphrase. */
-- gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
-- passphrase_length,
-- header.keyblock[i].passwordSalt,
-- sizeof (header.keyblock[i].passwordSalt),
-- grub_be_to_cpu32 (header.keyblock[i].
-- passwordIterations),
-- digest, keysize);
--
-- if (gcry_err)
-- {
-- grub_free (split_key);
-- return grub_crypto_gcry_error (gcry_err);
-- }
--
-- grub_dprintf ("luks", "PBKDF2 done\n");
--
-- gcry_err = grub_cryptodisk_setkey (dev, digest, keysize);
-- if (gcry_err)
-- {
-- grub_free (split_key);
-- return grub_crypto_gcry_error (gcry_err);
-- }
--
-- sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
-- length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
--
-- /* Read and decrypt the key material from the disk. */
-- if (hdr)
-- {
-- grub_file_seek (hdr, sector * 512);
-- if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length)
-- err = GRUB_ERR_READ_ERROR;
-+ /* Use bytestring from key file as passphrase */
-+ passphrase = keyfile_bytes;
-+ passphrase_length = keyfile_bytes_size;
-+ keyfile_bytes = NULL; /* use it only once */
- }
- else
-- err = grub_disk_read (source, sector, 0, length, split_key);
-- if (err)
-- {
-- grub_free (split_key);
-- return err;
-- }
--
-- gcry_err = grub_cryptodisk_decrypt (dev, split_key, length, 0);
-- if (gcry_err)
-- {
-- grub_free (split_key);
-- return grub_crypto_gcry_error (gcry_err);
-- }
--
-- /* Merge the decrypted key material to get the candidate master key. */
-- gcry_err = AF_merge (dev->hash, split_key, candidate_key, keysize,
-- grub_be_to_cpu32 (header.keyblock[i].stripes));
-- if (gcry_err)
-- {
-- grub_free (split_key);
-- return grub_crypto_gcry_error (gcry_err);
-- }
--
-- grub_dprintf ("luks", "candidate key recovered\n");
--
-- /* Calculate the PBKDF2 of the candidate master key. */
-- gcry_err = grub_crypto_pbkdf2 (dev->hash, candidate_key,
-- grub_be_to_cpu32 (header.keyBytes),
-- header.mkDigestSalt,
-- sizeof (header.mkDigestSalt),
-- grub_be_to_cpu32
-- (header.mkDigestIterations),
-- candidate_digest,
-- sizeof (candidate_digest));
-- if (gcry_err)
-- {
-- grub_free (split_key);
-- return grub_crypto_gcry_error (gcry_err);
-- }
--
-- /* Compare the calculated PBKDF2 to the digest stored
-- in the header to see if it's correct. */
-- if (grub_memcmp (candidate_digest, header.mkDigest,
-- sizeof (header.mkDigest)) != 0)
-- {
-- grub_dprintf ("luks", "bad digest\n");
-- continue;
-- }
-+ {
-+ /* Get the passphrase from the user. */
-+ tmp = NULL;
-+ if (source->partition)
-+ tmp = grub_partition_get_name (source->partition);
-+ grub_printf_ (N_("Enter passphrase for %s%s%s (%s): "), source->name,
-+ source->partition ? "," : "", tmp ? : "", dev->uuid);
-+ grub_free (tmp);
-+ if (!grub_password_get (interactive_passphrase, MAX_PASSPHRASE))
-+ {
-+ grub_free (split_key);
-+ return grub_error (GRUB_ERR_BAD_ARGUMENT, "Passphrase not supplied");
-+ }
-+
-+ passphrase = (grub_uint8_t *)interactive_passphrase;
-+ passphrase_length = grub_strlen (interactive_passphrase);
-
-- /* TRANSLATORS: It's a cryptographic key slot: one element of an array
-- where each element is either empty or holds a key. */
-- grub_printf_ (N_("Slot %d opened\n"), i);
-+ }
-
-- /* Set the master key. */
-- gcry_err = grub_cryptodisk_setkey (dev, candidate_key, keysize);
-- if (gcry_err)
-- {
-- grub_free (split_key);
-- return grub_crypto_gcry_error (gcry_err);
-- }
-+ /* Try to recover master key from each active keyslot. */
-+ for (i = 0; i < ARRAY_SIZE (header.keyblock); i++)
-+ {
-+ gcry_err_code_t gcry_err;
-+ grub_uint8_t candidate_key[GRUB_CRYPTODISK_MAX_KEYLEN];
-+ grub_uint8_t digest[GRUB_CRYPTODISK_MAX_KEYLEN];
-+
-+ /* Check if keyslot is enabled. */
-+ if (grub_be_to_cpu32 (header.keyblock[i].active) != LUKS_KEY_ENABLED)
-+ continue;
-+
-+ grub_dprintf ("luks", "Trying keyslot %d\n", i);
-+
-+ /* Calculate the PBKDF2 of the user supplied passphrase. */
-+ gcry_err = grub_crypto_pbkdf2 (dev->hash, (grub_uint8_t *) passphrase,
-+ passphrase_length,
-+ header.keyblock[i].passwordSalt,
-+ sizeof (header.keyblock[i].passwordSalt),
-+ grub_be_to_cpu32 (header.keyblock[i].
-+ passwordIterations),
-+ digest, keysize);
-+
-+ if (gcry_err)
-+ {
-+ grub_free (split_key);
-+ return grub_crypto_gcry_error (gcry_err);
-+ }
-+
-+ grub_dprintf ("luks", "PBKDF2 done\n");
-+
-+ gcry_err = grub_cryptodisk_setkey (dev, digest, keysize);
-+ if (gcry_err)
-+ {
-+ grub_free (split_key);
-+ return grub_crypto_gcry_error (gcry_err);
-+ }
-+
-+ sector = grub_be_to_cpu32 (header.keyblock[i].keyMaterialOffset);
-+ length = (keysize * grub_be_to_cpu32 (header.keyblock[i].stripes));
-+
-+ /* Read and decrypt the key material from the disk. */
-+ if (hdr)
-+ {
-+ grub_file_seek (hdr, sector * 512);
-+ if (grub_file_read (hdr, split_key, length) != (grub_ssize_t)length)
-+ err = GRUB_ERR_READ_ERROR;
-+ }
-+ else
-+ err = grub_disk_read (source, sector, 0, length, split_key);
-+ if (err)
-+ {
-+ grub_free (split_key);
-+ return err;
-+ }
-+
-+ gcry_err = grub_cryptodisk_decrypt (dev, split_key, length, 0);
-+ if (gcry_err)
-+ {
-+ grub_free (split_key);
-+ return grub_crypto_gcry_error (gcry_err);
-+ }
-+
-+ /* Merge the decrypted key material to get the candidate master key. */
-+ gcry_err = AF_merge (dev->hash, split_key, candidate_key, keysize,
-+ grub_be_to_cpu32 (header.keyblock[i].stripes));
-+ if (gcry_err)
-+ {
-+ grub_free (split_key);
-+ return grub_crypto_gcry_error (gcry_err);
-+ }
-+
-+ grub_dprintf ("luks", "candidate key recovered\n");
-+
-+ /* Calculate the PBKDF2 of the candidate master key. */
-+ gcry_err = grub_crypto_pbkdf2 (dev->hash, candidate_key,
-+ grub_be_to_cpu32 (header.keyBytes),
-+ header.mkDigestSalt,
-+ sizeof (header.mkDigestSalt),
-+ grub_be_to_cpu32
-+ (header.mkDigestIterations),
-+ candidate_digest,
-+ sizeof (candidate_digest));
-+ if (gcry_err)
-+ {
-+ grub_free (split_key);
-+ return grub_crypto_gcry_error (gcry_err);
-+ }
-+
-+ /* Compare the calculated PBKDF2 to the digest stored
-+ in the header to see if it's correct. */
-+ if (grub_memcmp (candidate_digest, header.mkDigest,
-+ sizeof (header.mkDigest)) != 0)
-+ {
-+ grub_dprintf ("luks", "bad digest\n");
-+ continue;
-+ }
-+
-+ /* TRANSLATORS: It's a cryptographic key slot: one element of an array
-+ where each element is either empty or holds a key. */
-+ grub_printf_ (N_("Slot %d opened\n"), i);
-+
-+ /* Set the master key. */
-+ gcry_err = grub_cryptodisk_setkey (dev, candidate_key, keysize);
-+ if (gcry_err)
-+ {
-+ grub_free (split_key);
-+ return grub_crypto_gcry_error (gcry_err);
-+ }
-
-- grub_free (split_key);
-+ grub_free (split_key);
-
-- return GRUB_ERR_NONE;
-+ return GRUB_ERR_NONE;
-+ }
-+ grub_printf_ (N_("Failed to decrypt master key.\n"));
-+ if (--attempts) grub_printf_ (N_("%u attempt%s remaining.\n"), attempts,
-+ (attempts==1) ? "" : "s");
- }
-
- grub_free (split_key);
---
-1.9.1
-