Skip to content
Open
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion fsutils/passwd/CMakeLists.txt
Original file line number Diff line number Diff line change
Expand Up @@ -23,7 +23,8 @@
if(CONFIG_FSUTILS_PASSWD)
set(CSRCS)

list(APPEND CSRCS passwd_verify.c passwd_find.c passwd_encrypt.c)
list(APPEND CSRCS passwd_verify.c passwd_find.c passwd_encrypt.c
passwd_pbkdf2.c)

if(NOT CONFIG_FSUTILS_PASSWD_READONLY)
list(
Expand Down
38 changes: 20 additions & 18 deletions fsutils/passwd/Kconfig
Original file line number Diff line number Diff line change
Expand Up @@ -6,8 +6,19 @@
config FSUTILS_PASSWD
bool "Password file support"
default n
depends on CRYPTO_CRYPTODEV
depends on NETUTILS_CODECS
depends on CODECS_BASE64
---help---
Enables support for /etc/passwd file access routines
Enables support for /etc/passwd file access routines.

Requires CONFIG_CRYPTO=y, CRYPTO_CRYPTODEV (and
ALLOW_BSD_COMPONENTS), plus NETUTILS_CODECS/CODECS_BASE64 for
base64url hash encoding.

NOTE: Password hashes use PBKDF2-HMAC-SHA256 (modular crypt format).
Existing TEA-encrypted /etc/passwd entries are NOT compatible and
must be regenerated.

if FSUTILS_PASSWD

Expand All @@ -23,23 +34,14 @@ config FSUTILS_PASSWD_IOBUFFER_SIZE
int "Allocated I/O buffer size"
default 512

config FSUTILS_PASSWD_KEY1
hex "Encryption key value 1"
default 0
config FSUTILS_PASSWD_PBKDF2_ITERATIONS
int "Default PBKDF2 iteration count for new passwords"
default 10000
range 1000 200000
---help---
Leave at 0 if random key generation is enabled under Board
Selection. Otherwise set all four keys to unique non-zero values.

config FSUTILS_PASSWD_KEY2
hex "Encryption key value 2"
default 0

config FSUTILS_PASSWD_KEY3
hex "Encryption key value 3"
default 0

config FSUTILS_PASSWD_KEY4
hex "Encryption key value 4"
default 0
Number of PBKDF2-HMAC-SHA256 iterations applied when setting a new
password. Higher values slow brute-force attacks but also increase
login latency on low-MHz MCUs. The iteration count is stored in each
hash string, so changing this option only affects newly-set passwords.

endif # FSUTILS_PASSWD
1 change: 1 addition & 0 deletions fsutils/passwd/Makefile
Original file line number Diff line number Diff line change
Expand Up @@ -26,6 +26,7 @@ include $(APPDIR)/Make.defs

ifeq ($(CONFIG_FSUTILS_PASSWD),y)
CSRCS += passwd_verify.c passwd_find.c passwd_encrypt.c
CSRCS += passwd_pbkdf2.c
ifneq ($(CONFIG_FSUTILS_PASSWD_READONLY),y)
CSRCS += passwd_adduser.c passwd_deluser.c passwd_update.c passwd_append.c
CSRCS += passwd_delete.c passwd_lock.c
Expand Down
26 changes: 14 additions & 12 deletions fsutils/passwd/passwd.h
Original file line number Diff line number Diff line change
Expand Up @@ -36,17 +36,18 @@
* Pre-processor Definitions
****************************************************************************/

#define MAX_ENCRYPTED 48 /* Maximum size of a password (encrypted, ASCII) */
#define MAX_USERNAME 48 /* Maximum size of a username */
#define MAX_RECORD (MAX_USERNAME + MAX_ENCRYPTED + 1)
/* MCF format: $pbkdf2-sha256$<iter>$<salt>$<hash> */

/* The TEA incryption algorithm generates 8 bytes of encrypted data per
* 8 bytes of unencrypted data. The encrypted presentation is base64 which
* is 8-bits of ASCII for each 6 bits of data. That is a 3-to-4 expansion
* ratio. MAX_ENCRYPTED must be a multiple of 8 bytes.
*/
#define PASSWD_MCF_PREFIX "$pbkdf2-sha256$"
#define PASSWD_SALT_BYTES 16
#define PASSWD_HASH_BYTES 32

#define MAX_PASSWORD (3 * MAX_ENCRYPTED / 4)
/* 15 + 6 + 1 + 22 + 1 + 43 = 88 bytes for default parameters */

#define MAX_ENCRYPTED 96
#define MAX_USERNAME 48
#define MAX_RECORD (MAX_USERNAME + MAX_ENCRYPTED + 1)
#define MAX_PASSWORD 256

/****************************************************************************
* Public Types
Expand All @@ -55,7 +56,7 @@
struct passwd_s
{
off_t offset; /* File offset (start of record) */
char encrypted[MAX_ENCRYPTED + 1]; /* Encrtyped password in file */
char encrypted[MAX_ENCRYPTED + 1]; /* Password hash in file */
};

/****************************************************************************
Expand Down Expand Up @@ -94,10 +95,11 @@ void passwd_unlock(FAR sem_t *sem);
* Name: passwd_encrypt
*
* Description:
* Encrypt a password. Currently uses the Tiny Encryption Algorithm.
* Hash a password with PBKDF2-HMAC-SHA256 and encode the result in modular
* crypt format for storage in /etc/passwd.
*
* Input Parameters:
* password -- The password string to be encrypted
* password -- The password string to be hashed
*
* Returned Value:
* Zero (OK) is returned on success; a negated errno value is returned on
Expand Down
Loading
Loading