diff options
| -rw-r--r-- | hal_internal.h | 3 | ||||
| -rw-r--r-- | last_gasp_pin_internal.h | 6 | ||||
| -rw-r--r-- | rpc_misc.c | 22 | ||||
| -rwxr-xr-x | utils/last_gasp_default_pin | 2 |
4 files changed, 23 insertions, 10 deletions
diff --git a/hal_internal.h b/hal_internal.h index 0c38c00..bd8e97d 100644 --- a/hal_internal.h +++ b/hal_internal.h @@ -316,6 +316,9 @@ typedef struct { } hal_ks_keydb_t; +extern hal_error_t hal_set_pin_default_iterations(const hal_client_handle_t client, + const uint32_t iterations); + /* * Internal functions within the keystore implementation. Think of * these as concrete methods for the keystore API subclassed onto diff --git a/last_gasp_pin_internal.h b/last_gasp_pin_internal.h index 96dc879..bbcac76 100644 --- a/last_gasp_pin_internal.h +++ b/last_gasp_pin_internal.h @@ -3,7 +3,7 @@ */ static const hal_ks_pin_t hal_last_gasp_pin = { - 100000, - {0xb8, 0x47, 0xcb, 0x83, 0xdd, 0x93, 0xf7, 0xd7, 0x53, 0x3f, 0xcb, 0xae, 0xc2, 0x19, 0xcd, 0xb9, 0x4e, 0x9d, 0x4e, 0x71, 0x30, 0xcd, 0x01, 0x05, 0x87, 0x6d, 0xa7, 0x03, 0x8d, 0x46, 0x36, 0xf1, 0xcf, 0x55, 0x1f, 0x36, 0x22, 0x9d, 0xc3, 0x18, 0xcd, 0x43, 0x49, 0x14, 0x0b, 0x79, 0x85, 0xf9, 0xd0, 0xa5, 0xb0, 0x9f, 0x43, 0x95, 0xf8, 0xae, 0x01, 0xa0, 0x82, 0xaf, 0xc6, 0xf2, 0x8f, 0xf4}, - {0x37, 0x6e, 0x15, 0x14, 0x5a, 0xd4, 0x35, 0xaf, 0x1c, 0x81, 0xc2, 0x80, 0x97, 0x18, 0x8d, 0x81} + 10000, + {0x06, 0xe2, 0x10, 0x7b, 0xb8, 0x40, 0xb5, 0x90, 0x33, 0xc8, 0xdb, 0xcc, 0xde, 0x3e, 0xb0, 0x33, 0x2b, 0x7c, 0x60, 0x7c, 0xb4, 0x52, 0xb1, 0x43, 0xa2, 0x20, 0x71, 0xdd, 0xbc, 0x95, 0x92, 0x04, 0xe6, 0x51, 0x90, 0xda, 0x6e, 0x2b, 0x6d, 0x8c, 0xb8, 0x63, 0x8d, 0x59, 0xad, 0xc5, 0xae, 0x6c, 0xf5, 0x7c, 0x75, 0x5e, 0x38, 0x72, 0x06, 0xc5, 0xa9, 0x3b, 0xaa, 0xe9, 0x64, 0x6e, 0xb1, 0x1a}, + {0x40, 0x49, 0xe4, 0xb6, 0x18, 0x0e, 0xe2, 0xbf, 0x3b, 0x22, 0xc8, 0xfe, 0xeb, 0xef, 0x09, 0x81} }; @@ -85,6 +85,8 @@ typedef struct { #define HAL_PIN_DEFAULT_ITERATIONS 20000 #endif +static uint32_t hal_pin_default_iterations = HAL_PIN_DEFAULT_ITERATIONS; + #ifndef HAL_STATIC_CLIENT_STATE_BLOCKS #define HAL_STATIC_CLIENT_STATE_BLOCKS 10 #endif @@ -135,7 +137,7 @@ static hal_error_t login(const hal_client_handle_t client, return err; uint8_t buf[sizeof(p->pin)]; - const uint32_t iterations = p->iterations == 0 ? HAL_PIN_DEFAULT_ITERATIONS : p->iterations; + const uint32_t iterations = p->iterations == 0 ? hal_pin_default_iterations : p->iterations; if ((err = hal_pbkdf2(NULL, hal_hash_sha256, (const uint8_t *) pin, pin_len, p->salt, sizeof(p->salt), buf, sizeof(buf), iterations)) != HAL_OK) @@ -210,11 +212,7 @@ static hal_error_t set_pin(const hal_client_handle_t client, hal_ks_pin_t p = *pp; - /* - * Another all-zeros vs all-ones disagreement between drivers. - */ - if (p.iterations == 0x00000000 || p.iterations == 0xffffffff) - p.iterations = HAL_PIN_DEFAULT_ITERATIONS; + p.iterations = hal_pin_default_iterations; if ((err = hal_get_random(NULL, p.salt, sizeof(p.salt))) != HAL_OK || (err = hal_pbkdf2(NULL, hal_hash_sha256, @@ -227,6 +225,18 @@ static hal_error_t set_pin(const hal_client_handle_t client, return HAL_OK; } +hal_error_t hal_set_pin_default_iterations(const hal_client_handle_t client, + const uint32_t iterations) +{ + if ((is_logged_in(client, HAL_USER_WHEEL) != HAL_OK) && + (is_logged_in(client, HAL_USER_SO) != HAL_OK)) + return HAL_ERROR_FORBIDDEN; + + /* should probably store this in flash somewhere */ + hal_pin_default_iterations = (iterations == 0) ? HAL_PIN_DEFAULT_ITERATIONS : iterations; + return HAL_OK; +} + const hal_rpc_misc_dispatch_t hal_rpc_local_misc_dispatch = { set_pin, login, diff --git a/utils/last_gasp_default_pin b/utils/last_gasp_default_pin index 2d09db1..50d822f 100755 --- a/utils/last_gasp_default_pin +++ b/utils/last_gasp_default_pin @@ -54,7 +54,7 @@ parser.add_argument("-p", "--pin", help = "PIN plaintext before PBKDF2 processing") parser.add_argument("-i", "--iterations", type = int, - default = 100000, + default = 10000, help = "PBKDF2 iteration count") parser.add_argument("-d", "--derived-key-length", type = int, |