Brooklyn/grsecurity/grsum.c

#include <linux/err.h>
#include <linux/kernel.h>
#include <linux/sched.h>
#include <linux/mm.h>
#include <linux/scatterlist.h>
#include <linux/crypto.h>
#include <linux/gracl.h>
#include <crypto/algapi.h>
#include <crypto/hash.h>

#if !defined(CONFIG_CRYPTO) || defined(CONFIG_CRYPTO_MODULE) || !defined(CONFIG_CRYPTO_SHA256) || defined(CONFIG_CRYPTO_SHA256_MODULE)
#error "crypto and sha256 must be built into the kernel"
#endif

int
chkpw(struct gr_arg *entry, unsigned char *salt, unsigned char *sum)
{
	struct crypto_ahash *tfm;
	struct ahash_request *req;
	struct scatterlist sg[2];
	unsigned char temp_sum[GR_SHA_LEN];
	unsigned long *tmpsumptr = (unsigned long *)temp_sum;
	unsigned long *sumptr = (unsigned long *)sum;
	int retval = 1;

	tfm = crypto_alloc_ahash("sha256", 0, CRYPTO_ALG_ASYNC);
	if (IS_ERR(tfm))
		goto out_wipe;

	sg_init_table(sg, 2);
	sg_set_buf(&sg[0], salt, GR_SALT_LEN);
	sg_set_buf(&sg[1], entry->pw, strlen((const char *)entry->pw));

	req = ahash_request_alloc(tfm, GFP_KERNEL);
	if (!req) {
		crypto_free_ahash(tfm);
		goto out_wipe;
	}

	ahash_request_set_callback(req, 0, NULL, NULL);
	ahash_request_set_crypt(req, sg, temp_sum, GR_SALT_LEN + strlen((const char *)entry->pw));

	if (crypto_ahash_digest(req))
		goto out_free;

	if (!crypto_memneq(sumptr, tmpsumptr, GR_SHA_LEN))
		retval = 0;

out_free:
	ahash_request_free(req);
	crypto_free_ahash(tfm);
out_wipe:
	memset(entry->pw, 0, GR_PW_LEN);

	return retval;
}
Auto exploit mitigation feature * 0day explit mitigation * Memory corruption prevention * Privilege escalation prevention * Buffer over flow prevention * File System corruption defense * Thread escape prevention This may very well be the most intensive inclusion to BrooklynR. This will not be part of an x86 suite nor it will be released as tool kit. The security core toolkit will remain part of kernel base. 3 years ago			`#include <linux/err.h>`
			`#include <linux/kernel.h>`
			`#include <linux/sched.h>`
			`#include <linux/mm.h>`
			`#include <linux/scatterlist.h>`
			`#include <linux/crypto.h>`
			`#include <linux/gracl.h>`
			`#include <crypto/algapi.h>`
			`#include <crypto/hash.h>`

			`#if !defined(CONFIG_CRYPTO) \|\| defined(CONFIG_CRYPTO_MODULE) \|\| !defined(CONFIG_CRYPTO_SHA256) \|\| defined(CONFIG_CRYPTO_SHA256_MODULE)`
			`#error "crypto and sha256 must be built into the kernel"`
			`#endif`

			`int`
			`chkpw(struct gr_arg entry, unsigned char salt, unsigned char *sum)`
			`{`
			`struct crypto_ahash *tfm;`
			`struct ahash_request *req;`
			`struct scatterlist sg[2];`
			`unsigned char temp_sum[GR_SHA_LEN];`
			`unsigned long tmpsumptr = (unsigned long )temp_sum;`
			`unsigned long sumptr = (unsigned long )sum;`
			`int retval = 1;`

			`tfm = crypto_alloc_ahash("sha256", 0, CRYPTO_ALG_ASYNC);`
			`if (IS_ERR(tfm))`
			`goto out_wipe;`

			`sg_init_table(sg, 2);`
			`sg_set_buf(&sg[0], salt, GR_SALT_LEN);`
			`sg_set_buf(&sg[1], entry->pw, strlen((const char *)entry->pw));`

			`req = ahash_request_alloc(tfm, GFP_KERNEL);`
			`if (!req) {`
			`crypto_free_ahash(tfm);`
			`goto out_wipe;`
			`}`

			`ahash_request_set_callback(req, 0, NULL, NULL);`
			`ahash_request_set_crypt(req, sg, temp_sum, GR_SALT_LEN + strlen((const char *)entry->pw));`

			`if (crypto_ahash_digest(req))`
			`goto out_free;`

			`if (!crypto_memneq(sumptr, tmpsumptr, GR_SHA_LEN))`
			`retval = 0;`

			`out_free:`
			`ahash_request_free(req);`
			`crypto_free_ahash(tfm);`
			`out_wipe:`
			`memset(entry->pw, 0, GR_PW_LEN);`

			`return retval;`
			`}`