!nshlib: Require explicit fixed login password at build time#3557
Abhishekmishra2808 wants to merge 1 commit into
Conversation
Thanks for this work. One suggestion: the NuttX kernel already provides CRYPTO_PBKDF2_HMAC_SHA256 (defined in Would it be possible for fsutils/passwd to use the kernel capability directly via /dev/crypto ioctl, rather than introducing a new apps/crypto/pbkdf2 module? The PBKDF2 logic already lives in the kernel — the app layer only needs to open /dev/crypto, call CIOCGSESSION with CRYPTO_PBKDF2_HMAC_SHA256, then CIOCCRYPT. This would avoid duplicating the implementation and keep apps/crypto/ clean.

Thanks for the review, @ThePassionate. I'll remove apps/crypto/pbkdf2 and have fsutils/passwd use kernel PBKDF2 via /dev/crypto. The host build tool tools/mkpasswd.c (nuttx PR) will keep a standalone implementation since it runs on the build machine.
Migrate passwd encrypt/verify to PBKDF2 modular crypt format using kernel cryptodev (CRYPTO_PBKDF2_HMAC_SHA256 via /dev/crypto). Add passwd_pbkdf2 wrapper, base64url helpers, complexity validation, and pbkdf2_test for RFC 6070 vector coverage. FSUTILS_PASSWD selects CRYPTO, ALLOW_BSD_COMPONENTS, and CRYPTO_CRYPTODEV so existing sim defconfigs keep building. Change NSH_LOGIN_USERNAME default to root and remove fixed-login password defaults.

BREAKING CHANGE: TEA-encoded /etc/passwd entries no longer verify. Regenerate each entry after upgrading. Pair with the nuttx host mkpasswd changes in apache/nuttx#19209. Boards must enable the appropriate software or hardware crypto backend for PBKDF2 at runtime. When CONFIG_NSH_LOGIN_FIXED=y, set CONFIG_NSH_LOGIN_PASSWORD in the board defconfig or menuconfig; there is no default password.

Signed-off-by: Abhishek Mishra <mishra.abhishek2808@gmail.com>
It's simpler to convert the host tool from C to Python, since we don't need to compile the tool and could support more OSes.
default n
select CRYPTO
select ALLOW_BSD_COMPONENTS
select CRYPTO_CRYPTODEV
Let's use depends on, or skip PBKDF2-HMAC-SHA256 if crypto isn't enabled.
Can we make NSH_CONSOLE_LOGIN depend on FSUTILS_PASSWD / cryptodev so login always uses PBKDF2, and treat NSH_LOGIN_FIXED as an explicit opt-in for legacy boards only?
config FSUTILS_PASSWD_KEY4
hex "Encryption key value 4"
default 0x9abcdef0
config FSUTILS_PASSWD_PBKDF2_ITERATIONS

/* RFC 4648 section 5 base64url alphabet (no padding). */
#define RNG90_MAX_BYTES 32
static const char g_base64url[] =
Should we call netutils/codecs/base64.c?
0x3c, 0x69, 0x62, 0x26, 0x65, 0x0a, 0x86, 0x87
};
static const struct pbkdf2_vector_s g_vectors[] =

Should we move pbkdf2 to testing/drivers/crypto/pbkdf2.c?
| @@ -0,0 +1,287 @@ | |||
| /**************************************************************************** | |||
| * apps/testing/pbkdf2/pbkdf2_test.c | |||
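Review bot: the banner comment at the top of this new file hard-codes the path apps/testing/pbkdf2/pbkdf2_test.c; since the review asks for the test to be relocated, update that path in the same change so the header does not name a directory that no longer exists.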
Move to testing/crypto/passwd.

Previously C was chosen to avoid a Python dependency. If maintainers prefer Python for Windows/CI simplicity, I can switch the nuttx PR to mkpasswd.py before merge.

Summary

This PR is the nuttx-apps companion to apache/nuttx#19209, which adds the host mkpasswd tool and ROMFS /etc/passwd build integration. Here, runtime password handling moves from reversible TEA to one-way PBKDF2-HMAC-SHA256 using a modular crypt string stored in /etc/passwd. The change adds apps/crypto/pbkdf2 with a small self-contained SHA-256 and HMAC implementation (Mbed TLS PKCS5 is used when available), rewrites passwd_encrypt and passwd_verify with shared base64url helpers and password complexity checks, and adds pbkdf2_test for RFC 6070 SHA-256 vector coverage. The round-trip portion of that test is skipped automatically when the passwd file is read-only or when DEV_URANDOM is not enabled. NSH also changes the default fixed-login username to root and removes insecure fixed-login password defaults.

BREAKING CHANGE: TEA-encoded /etc/passwd entries no longer verify after this upgrade. Every entry must be regenerated with NSH passwd or useradd once both nuttx and nuttx-apps are updated. If CONFIG_NSH_LOGIN_FIXED=y is used, CONFIG_NSH_LOGIN_PASSWORD must be set explicitly in the board defconfig or menuconfig; there is no default password.

Impact

This change modifies existing password file behavior and is not backward compatible with TEA-encoded hashes. Users must regenerate stored passwords. The build flow itself is unchanged in nuttx-apps; the ROMFS build-time password prompt lives in the paired nuttx PR. Documentation updates are included in that nuttx PR rather than here.

Testing

Testing was done on sim:login with NSH console login against a build-time PBKDF2 hash, and login succeeded. Login was also verified on ESP32-C3 using the esp32c3-devkit:login configuration over USB serial. Check apache/nuttx#19209. pbkdf2_test passed the RFC 6070 SHA-256 vectors on sim:login, and the passwd encrypt/verify round-trip passed with a writable passwd path at /tmp/passwd, readonly disabled, and DEV_URANDOM enabled.
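As an added illustration of the scheme the commit message and summary describe (not code from this PR, from NuttX or from its mkpasswd tool), the following shows a PBKDF2-HMAC-SHA256 modular crypt string being produced and verified with unpadded base64url salt and hash, plus a check of the SHA-256 results for the RFC 6070 inputs; Python is used because a Python host tool was suggested in the thread. The field layout `$pbkdf2-sha256$iterations$salt$hash`, the salt length and the iteration count are assumptions, not the PR's exact format.

```python
import base64
import hashlib
import hmac
import os

# Assumed field layout (not the PR's exact format): $pbkdf2-sha256$<iters>$<salt>$<hash>
SCHEME = "pbkdf2-sha256"
DK_LEN = 32               # one SHA-256 output
SALT_LEN = 16             # assumed salt size
DEFAULT_ITERATIONS = 10000  # assumed default

# Well-known PBKDF2-HMAC-SHA256 results for the RFC 6070 inputs (32-byte output)
SHA256_VECTORS = [
    (b"password", b"salt", 1,
     "120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b"),
    (b"password", b"salt", 2,
     "ae4d0c95af6b46d32d0adff928f06dd02a303f8ef3c251dfd6e2d85a95474c43"),
    (b"password", b"salt", 4096,
     "c5e478d59288c841aa530db6845c4c8d962893a001ce4e11a4963873aa98134a"),
]

def b64url_encode(raw: bytes) -> str:
    """RFC 4648 section 5 alphabet with the '=' padding stripped."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def b64url_decode(text: str) -> bytes:
    """Re-add padding so the unpadded form decodes; raises on bad input."""
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def pbkdf2_sha256(password: bytes, salt: bytes, iterations: int, dk_len: int = DK_LEN) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dk_len)

def passwd_encrypt(password: str, iterations: int = DEFAULT_ITERATIONS, salt: bytes = None) -> str:
    """Produce the one-way crypt string that would be stored in /etc/passwd."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    dk = pbkdf2_sha256(password.encode(), salt, iterations)
    return f"${SCHEME}${iterations}${b64url_encode(salt)}${b64url_encode(dk)}"

def passwd_verify(password: str, stored: str) -> bool:
    """Recompute and compare in constant time; a malformed or legacy entry never verifies."""
    try:
        empty, scheme, iters, salt_b64, dk_b64 = stored.split("$")
        iterations = int(iters)
        salt, expected = b64url_decode(salt_b64), b64url_decode(dk_b64)
    except (ValueError, TypeError):
        return False
    if empty != "" or scheme != SCHEME or iterations < 1 or not salt or not expected:
        return False
    actual = pbkdf2_sha256(password.encode(), salt, iterations, len(expected))
    return hmac.compare_digest(actual, expected)

def check_vectors() -> bool:
    """True when every RFC 6070 input yields the expected SHA-256 digest."""
    return all(pbkdf2_sha256(p, s, c).hex() == h for p, s, c, h in SHA256_VECTORS)
```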