From 5abe73ab8177f0d831ff04ca67a8ed92ef09ca8b Mon Sep 17 00:00:00 2001 From: Gary Ching-Pang Lin Date: Thu, 20 Dec 2012 17:02:35 +0800 Subject: [PATCH] Add a general function for password matching --- MokManager.c | 148 ++++++++++++++++++++------------------------------- 1 file changed, 57 insertions(+), 91 deletions(-) diff --git a/MokManager.c b/MokManager.c index 7d6650e..ffe37ff 100644 --- a/MokManager.c +++ b/MokManager.c @@ -558,17 +558,61 @@ done: return status; } +static EFI_STATUS match_password (void *Data, UINTN DataSize, + UINT8 auth[SHA256_DIGEST_SIZE], + CHAR16 *prompt) +{ + EFI_STATUS efi_status; + UINT8 hash[SHA256_DIGEST_SIZE]; + CHAR16 password[PASSWORD_MAX]; + UINT32 pw_length; + UINT8 fail_count = 0; + + while (fail_count < 3) { + if (prompt) { + Print(L"%s", prompt); + } else { + Print(L"Password: "); + } + get_line(&pw_length, password, PASSWORD_MAX, 0); + + if (pw_length < PASSWORD_MIN || pw_length > PASSWORD_MAX) { + Print(L"Invalid password length\n"); + fail_count++; + continue; + } + + efi_status = compute_pw_hash(Data, DataSize, password, + pw_length, hash); + + if (efi_status != EFI_SUCCESS) { + Print(L"Unable to generate password hash\n"); + fail_count++; + continue; + } + + if (CompareMem(auth, hash, SHA256_DIGEST_SIZE) != 0) { + Print(L"Password doesn't match\n"); + fail_count++; + continue; + } + + break; + } + + if (fail_count >= 3) + return EFI_ACCESS_DENIED; + + return EFI_SUCCESS; +} + static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; - UINT8 hash[SHA256_DIGEST_SIZE]; UINT8 auth[SHA256_DIGEST_SIZE]; UINTN auth_size; UINT32 attributes; - CHAR16 password[PASSWORD_MAX]; - UINT32 pw_length; - UINT8 fail_count = 0; if (authenticate) { auth_size = SHA256_DIGEST_SIZE; @@ -582,32 +626,8 @@ static EFI_STATUS store_keys (void *MokNew, UINTN MokNewSize, int authenticate) return efi_status; } - while (fail_count < 3) { - Print(L"Password(%d-%d characters): ", - PASSWORD_MIN, PASSWORD_MAX); - get_line(&pw_length, password, PASSWORD_MAX, 0); - - if (pw_length < 8) { - Print(L"At least %d characters for the password\n", - PASSWORD_MIN); - } - - efi_status = compute_pw_hash(MokNew, MokNewSize, password, - pw_length, hash); - - if (efi_status != EFI_SUCCESS) { - return efi_status; - } - - if (CompareMem(auth, hash, SHA256_DIGEST_SIZE) != 0) { - Print(L"Password doesn't match\n"); - fail_count++; - } else { - break; - } - } - - if (fail_count >= 3) + efi_status = match_password(MokNew, MokNewSize, auth, NULL); + if (efi_status != EFI_SUCCESS) return EFI_ACCESS_DENIED; } @@ -819,9 +839,7 @@ static INTN mok_pw_prompt (void *MokPW, void *data2, void *data3) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; UINTN MokPWSize = (UINTN)data2; - UINT8 fail_count = 0; UINT8 hash[SHA256_DIGEST_SIZE]; - CHAR16 password[PASSWORD_MAX]; UINT32 length; CHAR16 line[1]; @@ -849,34 +867,8 @@ static INTN mok_pw_prompt (void *MokPW, void *data2, void *data3) { return 0; } - while (fail_count < 3) { - Print(L"Confirm MOK passphrase: "); - get_line(&length, password, PASSWORD_MAX, 0); - - if ((length < PASSWORD_MIN) || (length > PASSWORD_MAX)) { - Print(L"Invalid password length\n"); - fail_count++; - continue; - } - - efi_status = compute_pw_hash(NULL, 0, password, length, hash); - - if (efi_status != EFI_SUCCESS) { - Print(L"Unable to generate password hash\n"); - fail_count++; - continue; - } - - if (CompareMem(MokPW, hash, SHA256_DIGEST_SIZE) != 0) { - Print(L"Password doesn't match\n"); - fail_count++; - continue; - } - - break; - } - - if (fail_count >= 3) { + efi_status = match_password(NULL, 0, MokPW, L"Confirm MOK passphrase: "); + if (efi_status != EFI_SUCCESS) { Print(L"Password limit reached\n"); return -1; } @@ -1483,12 +1475,8 @@ static BOOLEAN verify_pw(void) { EFI_GUID shim_lock_guid = SHIM_LOCK_GUID; EFI_STATUS efi_status; - CHAR16 password[PASSWORD_MAX]; - UINT8 fail_count = 0; - UINT8 hash[SHA256_DIGEST_SIZE]; UINT8 pwhash[SHA256_DIGEST_SIZE]; UINTN size = SHA256_DIGEST_SIZE; - UINT32 length; UINT32 attributes; efi_status = uefi_call_wrapper(RT->GetVariable, 5, L"MokPWStore", @@ -1508,35 +1496,13 @@ static BOOLEAN verify_pw(void) uefi_call_wrapper(ST->ConOut->ClearScreen, 1, ST->ConOut); - while (fail_count < 3) { - Print(L"Enter MOK password: "); - get_line(&length, password, PASSWORD_MAX, 0); - - if (length < PASSWORD_MIN || length > PASSWORD_MAX) { - Print(L"Invalid password length\n"); - fail_count++; - continue; - } - - efi_status = compute_pw_hash(NULL, 0, password, length, hash); - - if (efi_status != EFI_SUCCESS) { - Print(L"Unable to generate password hash\n"); - fail_count++; - continue; - } - - if (CompareMem(pwhash, hash, SHA256_DIGEST_SIZE) != 0) { - Print(L"Password doesn't match\n"); - fail_count++; - continue; - } - - return TRUE; + efi_status = match_password(NULL, 0, pwhash, L"Enter MOK password: "); + if (efi_status != EFI_SUCCESS) { + Print(L"Password limit reached\n"); + return FALSE; } - Print(L"Password limit reached\n"); - return FALSE; + return TRUE; } static EFI_STATUS enter_mok_menu(EFI_HANDLE image_handle, void *MokNew,