diff options
Diffstat (limited to 'common/ccd_config.c')
-rw-r--r-- | common/ccd_config.c | 24 |
1 files changed, 17 insertions, 7 deletions
diff --git a/common/ccd_config.c b/common/ccd_config.c index 12e88689ad..d87842a055 100644 --- a/common/ccd_config.c +++ b/common/ccd_config.c @@ -236,7 +236,8 @@ static int raw_has_password(void) * @param digest Pointer to a CCD_PASSWORD_DIGEST_SIZE buffer * @param password The password to digest */ -static void ccd_password_digest(uint8_t *digest, const char *password) +static enum ec_error_list ccd_password_digest(uint8_t *digest, + const char *password) { struct sha256_ctx sha; uint8_t *unique_id; @@ -244,11 +245,13 @@ static void ccd_password_digest(uint8_t *digest, const char *password) unique_id_len = system_get_chip_unique_id(&unique_id); - SHA256_hw_init(&sha); + if (DCRYPTO_hw_sha256_init(&sha) != DCRYPTO_OK) + return EC_ERROR_HW_INTERNAL; SHA256_update(&sha, config.password_salt, sizeof(config.password_salt)); SHA256_update(&sha, unique_id, unique_id_len); SHA256_update(&sha, password, strlen(password)); memcpy(digest, SHA256_final(&sha)->b8, CCD_PASSWORD_DIGEST_SIZE); + return EC_SUCCESS; } /** @@ -258,7 +261,7 @@ static void ccd_password_digest(uint8_t *digest, const char *password) * @return EC_SUCCESS, EC_ERROR_BUSY if too soon since last attempt, or * EC_ERROR_ACCESS_DENIED if mismatch. */ -static int raw_check_password(const char *password) +static enum ec_error_list raw_check_password(const char *password) { /* * Time of last password attempt; initialized to 0 at boot. Yes, we're @@ -272,6 +275,7 @@ static int raw_check_password(const char *password) uint8_t digest[CCD_PASSWORD_DIGEST_SIZE]; uint32_t t; + enum ec_error_list result; /* If no password is set, match only an empty password */ if (!raw_has_password()) @@ -284,7 +288,9 @@ static int raw_check_password(const char *password) last_password_time = t; /* Calculate the digest of the password */ - ccd_password_digest(digest, password); + result = ccd_password_digest(digest, password); + if (result != EC_SUCCESS) + return result; if (safe_memcmp(digest, config.password_digest, sizeof(config.password_digest))) @@ -312,19 +318,23 @@ static void raw_reset_password(void) * @param password New password; must be non-empty * @return EC_SUCCESS if successful */ -static int raw_set_password(const char *password) +static enum ec_error_list raw_set_password(const char *password) { + enum ec_error_list result; + /* Get a new salt */ if (!fips_rand_bytes(config.password_salt, sizeof(config.password_salt))) return EC_ERROR_HW_INTERNAL; /* Update the password digest */ - ccd_password_digest(config.password_digest, password); + result = ccd_password_digest(config.password_digest, password); + if (result != EC_SUCCESS) + return result; /* Track whether we were opened when we set the password */ raw_set_flag(CCD_FLAG_PASSWORD_SET_WHEN_UNLOCKED, - ccd_state == CCD_STATE_UNLOCKED); + ccd_state == CCD_STATE_UNLOCKED); return EC_SUCCESS; } |