From ce105bafe3516b94793411b21e231812f0617e30 Mon Sep 17 00:00:00 2001
From: ChubbyAnt <55145771+ChubbyAnt@users.noreply.github.com>
Date: Mon, 16 Sep 2019 17:05:17 -0400
Subject: [PATCH] Change to SHA512
---
Common/DtaHashPwd.cpp | 4 +-
Common/DtaHashPwd.h | 4 +-
Common/pbkdf2/sha1.c | 150 ----------------------------------------
Common/pbkdf2/sha1.h | 91 ------------------------
LinuxPBA/LinuxPBA.cpp | 6 +-
README.md | 6 +-
windows/CLI/CLI.sln | 4 +-
windows/CLI/CLI.vcxproj | 4 +-
8 files changed, 15 insertions(+), 254 deletions(-)
delete mode 100644 Common/pbkdf2/sha1.c
delete mode 100644 Common/pbkdf2/sha1.h
diff --git a/Common/DtaHashPwd.cpp b/Common/DtaHashPwd.cpp
index 19973935..e33d7585 100644
--- a/Common/DtaHashPwd.cpp
+++ b/Common/DtaHashPwd.cpp
@@ -28,7 +28,7 @@ along with sedutil. If not, see .
extern "C" {
#include "pbkdf2.h"
-#include "sha1.h"
+#include "sha2.h"
}
using namespace std;
@@ -54,7 +54,7 @@ void DtaHashPassword(vector &hash, char * password, vector sal
salt.data(), salt.size(),
iter,
hash.data(), hash.size(),
- &cf_sha1);
+ &cf_sha512);
// gc_pbkdf2_sha1(password, strnlen(password, 256), (const char *)salt.data(), salt.size(), iter,
// (char *)hash.data(), hash.size());
diff --git a/Common/DtaHashPwd.h b/Common/DtaHashPwd.h
index 3815f7c6..d17ae7c3 100644
--- a/Common/DtaHashPwd.h
+++ b/Common/DtaHashPwd.h
@@ -33,7 +33,7 @@ using namespace std;
* @param device the device where the password is to be used
*/
void DtaHashPwd(vector &hash, char * password, DtaDev * device);
-/** Hash a passwor using the PBDKF2 function
+/** Hash a passwor using the PBDKF2 function
*
* @param hash Field where hash returned
* @param password password to be hashed
@@ -42,6 +42,6 @@ void DtaHashPwd(vector &hash, char * password, DtaDev * device);
* @param hashsize size of hash to be returned
*/
void DtaHashPassword(vector &hash, char * password, vector salt,
- unsigned int iter = 75000, uint8_t hashsize = 32);
+ unsigned int iter = 500000, uint8_t hashsize = 32);
/** Test the hshing function using publicly available test cased and report */
int TestPBKDF2();
diff --git a/Common/pbkdf2/sha1.c b/Common/pbkdf2/sha1.c
deleted file mode 100644
index 8b7d02fe..00000000
--- a/Common/pbkdf2/sha1.c
+++ /dev/null
@@ -1,150 +0,0 @@
-/*
- * cifra - embedded cryptography library
- * Written in 2014 by Joseph Birr-Pixton
- *
- * To the extent possible under law, the author(s) have dedicated all
- * copyright and related and neighboring rights to this software to the
- * public domain worldwide. This software is distributed without any
- * warranty.
- *
- * You should have received a copy of the CC0 Public Domain Dedication
- * along with this software. If not, see
- * .
- */
-
-#include
-
-#include "sha1.h"
-#include "blockwise.h"
-#include "bitops.h"
-#include "handy.h"
-#include "tassert.h"
-
-void cf_sha1_init(cf_sha1_context *ctx)
-{
- memset(ctx, 0, sizeof *ctx);
- ctx->H[0] = 0x67452301;
- ctx->H[1] = 0xefcdab89;
- ctx->H[2] = 0x98badcfe;
- ctx->H[3] = 0x10325476;
- ctx->H[4] = 0xc3d2e1f0;
-}
-
-static void sha1_update_block(void *vctx, const uint8_t *inp)
-{
- cf_sha1_context *ctx = vctx;
-
- /* This is a 16-word window into the whole W array. */
- uint32_t W[16];
-
- uint32_t a = ctx->H[0],
- b = ctx->H[1],
- c = ctx->H[2],
- d = ctx->H[3],
- e = ctx->H[4],
- Wt;
-
- for (size_t t = 0; t < 80; t++)
- {
- /* For W[0..16] we process the input into W.
- * For W[16..79] we compute the next W value:
- *
- * W[t] = (W[t - 3] ^ W[t - 8] ^ W[t - 14] ^ W[t - 16]) <<< 1
- *
- * But all W indices are reduced mod 16 into our window.
- */
- if (t < 16)
- {
- W[t] = Wt = read32_be(inp);
- inp += 4;
- } else {
- Wt = W[(t - 3) % 16] ^ W[(t - 8) % 16] ^ W[(t - 14) % 16] ^ W[(t - 16) % 16];
- Wt = rotl32(Wt, 1);
- W[t % 16] = Wt;
- }
-
- uint32_t f, k;
-
- if (t <= 19)
- {
- f = (b & c) | (~b & d);
- k = 0x5a827999;
- } else if (t <= 39) {
- f = b ^ c ^ d;
- k = 0x6ed9eba1;
- } else if (t <= 59) {
- f = (b & c) | (b & d) | (c & d);
- k = 0x8f1bbcdc;
- } else {
- f = b ^ c ^ d;
- k = 0xca62c1d6;
- }
-
- uint32_t temp = rotl32(a, 5) + f + e + k + Wt;
- e = d;
- d = c;
- c = rotl32(b, 30);
- b = a;
- a = temp;
- }
-
- ctx->H[0] += a;
- ctx->H[1] += b;
- ctx->H[2] += c;
- ctx->H[3] += d;
- ctx->H[4] += e;
-
- ctx->blocks++;
-}
-
-void cf_sha1_update(cf_sha1_context *ctx, const void *data, size_t nbytes)
-{
- cf_blockwise_accumulate(ctx->partial, &ctx->npartial, sizeof ctx->partial,
- data, nbytes,
- sha1_update_block, ctx);
-}
-
-void cf_sha1_digest(const cf_sha1_context *ctx, uint8_t hash[CF_SHA1_HASHSZ])
-{
- cf_sha1_context ours = *ctx;
- cf_sha1_digest_final(&ours, hash);
-}
-
-void cf_sha1_digest_final(cf_sha1_context *ctx, uint8_t hash[CF_SHA1_HASHSZ])
-{
- uint64_t digested_bytes = ctx->blocks;
- digested_bytes = digested_bytes * CF_SHA1_BLOCKSZ + ctx->npartial;
- uint64_t digested_bits = digested_bytes * 8;
-
- size_t padbytes = CF_SHA1_BLOCKSZ - ((digested_bytes + 8) % CF_SHA1_BLOCKSZ);
-
- /* Hash 0x80 00 ... block first. */
- cf_blockwise_acc_pad(ctx->partial, &ctx->npartial, sizeof ctx->partial,
- 0x80, 0x00, 0x00, padbytes,
- sha1_update_block, ctx);
-
- /* Now hash length. */
- uint8_t buf[8];
- write64_be(digested_bits, buf);
- cf_sha1_update(ctx, buf, 8);
-
- /* We ought to have got our padding calculation right! */
- assert(ctx->npartial == 0);
-
- write32_be(ctx->H[0], hash + 0);
- write32_be(ctx->H[1], hash + 4);
- write32_be(ctx->H[2], hash + 8);
- write32_be(ctx->H[3], hash + 12);
- write32_be(ctx->H[4], hash + 16);
-
- memset(ctx, 0, sizeof *ctx);
-}
-
-const cf_chash cf_sha1 = {
- .hashsz = CF_SHA1_HASHSZ,
- .blocksz = CF_SHA1_BLOCKSZ,
- .init = (cf_chash_init) cf_sha1_init,
- .update = (cf_chash_update) cf_sha1_update,
- .digest = (cf_chash_digest) cf_sha1_digest
-};
-
diff --git a/Common/pbkdf2/sha1.h b/Common/pbkdf2/sha1.h
deleted file mode 100644
index 4ca0e91c..00000000
--- a/Common/pbkdf2/sha1.h
+++ /dev/null
@@ -1,91 +0,0 @@
-/*
- * cifra - embedded cryptography library
- * Written in 2014 by Joseph Birr-Pixton
- *
- * To the extent possible under law, the author(s) have dedicated all
- * copyright and related and neighboring rights to this software to the
- * public domain worldwide. This software is distributed without any
- * warranty.
- *
- * You should have received a copy of the CC0 Public Domain Dedication
- * along with this software. If not, see
- * .
- */
-
-#ifndef SHA1_H
-#define SHA1_H
-
-#include
-#include
-
-#include "chash.h"
-
-/**
- * SHA1
- * ====
- *
- * You shouldn't use this for anything new.
- */
-
-/* .. c:macro:: CF_SHA1_HASHSZ
- * The output size of SHA1: 20 bytes. */
-#define CF_SHA1_HASHSZ 20
-
-/* .. c:macro:: CF_SHA1_BLOCKSZ
- * The block size of SHA1: 64 bytes. */
-#define CF_SHA1_BLOCKSZ 64
-
-/* .. c:type:: cf_sha1_context
- * Incremental SHA1 hashing context.
- *
- * .. c:member:: cf_sha1_context.H
- * Intermediate values.
- *
- * .. c:member:: cf_sha1_context.partial
- * Unprocessed input.
- *
- * .. c:member:: cf_sha1_context.npartial
- * Number of bytes of unprocessed input.
- *
- * .. c:member:: cf_sha1_context.blocks
- * Number of full blocks processed.
- */
-typedef struct
-{
- uint32_t H[5]; /* State. */
- uint8_t partial[CF_SHA1_BLOCKSZ]; /* Partial block of input. */
- uint32_t blocks; /* Number of full blocks processed into H. */
- size_t npartial; /* Number of bytes in prefix of partial. */
-} cf_sha1_context;
-
-/* .. c:function:: $DECL
- * Sets up `ctx` ready to hash a new message.
- */
-extern void cf_sha1_init(cf_sha1_context *ctx);
-
-/* .. c:function:: $DECL
- * Hashes `nbytes` at `data`. Copies the data if there isn't enough to make
- * a full block.
- */
-extern void cf_sha1_update(cf_sha1_context *ctx, const void *data, size_t nbytes);
-
-/* .. c:function:: $DECL
- * Finishes the hash operation, writing `CF_SHA1_HASHSZ` bytes to `hash`.
- *
- * This leaves `ctx` unchanged.
- */
-extern void cf_sha1_digest(const cf_sha1_context *ctx, uint8_t hash[CF_SHA1_HASHSZ]);
-
-/* .. c:function:: $DECL
- * Finishes the hash operation, writing `CF_SHA1_HASHSZ` bytes to `hash`.
- *
- * This destroys `ctx`, but uses less stack than :c:func:`cf_sha1_digest`.
- */
-extern void cf_sha1_digest_final(cf_sha1_context *ctx, uint8_t hash[CF_SHA1_HASHSZ]);
-
-/* .. c:var:: cf_sha1
- * Abstract interface to SHA1. See :c:type:`cf_chash` for more information.
- */
-extern const cf_chash cf_sha1;
-
-#endif
diff --git a/LinuxPBA/LinuxPBA.cpp b/LinuxPBA/LinuxPBA.cpp
index 84b12297..9497e99c 100644
--- a/LinuxPBA/LinuxPBA.cpp
+++ b/LinuxPBA/LinuxPBA.cpp
@@ -36,11 +36,11 @@ int main(int argc, char** argv) {
CLog::Level() = CLog::FromInt(0);
LOG(D4) << "Legacy PBA start" << endl;
// system ("tput clear");
- printf("DTA LINUX Pre Boot Authorization \n");
- string p = GetPassPhrase("Please enter pass-phrase to unlock OPAL drives: ");
+ printf("Boot Authorization \n");
+ string p = GetPassPhrase("Password: ");
UnlockSEDs((char *)p.c_str());
if (strcmp(p.c_str(), "debug")) {
- printf("Starting OS \n");
+ printf("\n Access granted. Starting the system... \n");
sync();
reboot(RB_AUTOBOOT);
}
diff --git a/README.md b/README.md
index 682321c7..07042b2c 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,8 @@
-Intel and AMD Ryzen: This SEDutil fork includes supprt for intel and AMD Ryzen systems
+Intel and AMD Ryzen: This SEDutil fork includes support for intel and AMD Ryzen systems with SHA-512 password authentication
+
+Note: This version of SEDutil is not compatible with SHA-1 versions of SEDutil
This software is Copyright 2014-2017 Bright Plaza Inc.
@@ -107,7 +109,7 @@ The various recovery and boot images will be located in the `images` directory.
## Testing
-I have only tested the boot images/release files on a HP x360 Envy AMD 3700u with a Samsung EVO 970 Plus 2TB NVMe drive. My testing has also focused only on the 64 bit UEFI images. While the other variants might work, you should exercise caution, and if possible, test the release on a computer with data that is expendable.
+This version has only been verified to boot on a HP x360 Envy AMD 3700u with a Samsung EVO 970 Plus 2TB NVMe drive. My testing has also focused only on the 64 bit UEFI images. While the other variants might work, you should exercise caution, and if possible, test the release on a computer with data that is expendable.
Follow the instructions here:
https://github.com/Drive-Trust-Alliance/sedutil/wiki/Encrypting-your-drive
diff --git a/windows/CLI/CLI.sln b/windows/CLI/CLI.sln
index 915c5850..1729b816 100644
--- a/windows/CLI/CLI.sln
+++ b/windows/CLI/CLI.sln
@@ -13,8 +13,8 @@ Global
Release|x86 = Release|x86
EndGlobalSection
GlobalSection(ProjectConfigurationPlatforms) = postSolution
- {267E9D28-7245-4182-9740-F386F4299E83}.Debug|x64.ActiveCfg = Debug|x64
- {267E9D28-7245-4182-9740-F386F4299E83}.Debug|x64.Build.0 = Debug|x64
+ {267E9D28-7245-4182-9740-F386F4299E83}.Debug|x64.ActiveCfg = Release|x64
+ {267E9D28-7245-4182-9740-F386F4299E83}.Debug|x64.Build.0 = Release|x64
{267E9D28-7245-4182-9740-F386F4299E83}.Debug|x86.ActiveCfg = Debug|Win32
{267E9D28-7245-4182-9740-F386F4299E83}.Debug|x86.Build.0 = Debug|Win32
{267E9D28-7245-4182-9740-F386F4299E83}.Release|x64.ActiveCfg = Release|x64
diff --git a/windows/CLI/CLI.vcxproj b/windows/CLI/CLI.vcxproj
index 767fe2fd..c94e5b03 100644
--- a/windows/CLI/CLI.vcxproj
+++ b/windows/CLI/CLI.vcxproj
@@ -43,7 +43,7 @@
-
+
@@ -70,7 +70,7 @@
-
+