Updated digest commands to include SHA-2 support, hash strings, perfo… #94

Open
wants to merge 1 commit into
base: master

@chilinux chilinux commented Aug 23, 2019

This PR adds the following:

  • SHA-2 family of digests (sha224sum, sha256sum, sha384sum and sha512sum)
  • Multi-round rehashing support
  • Hashing of strings (instead of only images)
  • Apply result of the data last hashed to the configuration settings as hash:string
  • Apply the length of the data last hashed to the configuration settings as hashlen:int32

It is also backward compatible with hashing one or more images, as has been available in md5sum and sha1sum previous to the PR. The major difference is it will write or overwrite hash and hashlen with the last of the multiple images successfully hashed.

Without this PR, the hash functions seem to only provide a way to manually verify the digest results. With this the resulting digest string and the length of the image can both automatically be confirmed by the ipxe script.

Also consider the following situation: a company creates an ipxe efi module where they want it to go to an ipxe shell when DHCP fails. However, the company policy requires a password be verified to provide the shell access and also requires the password not be easy to extract even if the efi module is examined with a debugger.

This PR would allow a script such as this to be used:

#!ipxe
dhcp || goto dhcpfail
... normal tasks ...
:dhcpfail
prompt DHCP has failed, press a key to login for shell access
:loginshell
login
iseq ${username:string} ipxeadmin || goto loginshell
set salt:string 3cbc63d0c64482c666d4dfb0516eed35
md5sum --rounds 1000000 --str ${salt:string}${password:string}
iseq ${hash:string} 1577df1969a3b8f0188496804645c406 || goto loginshell
shell

Please feel free to let me know if there is a problem with my code or even if there are problems with the concept I am trying to achieve with the code.

Thanks
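
Added example, not part of the PR or the iPXE code base: a Python sketch of how the salt and digest constants for a script like the one above could be generated offline and checked. It assumes each round re-hashes the previous raw digest, which the page does not specify, so its output may not match the PR's `--rounds` result; all function names are hypothetical.

```python
import hashlib
import hmac
import secrets


def multi_round_digest(algorithm: str, data: bytes, rounds: int) -> str:
    """Hash data, then re-hash the result until `rounds` passes are done.

    ASSUMPTION: the page does not say what each extra round takes as input;
    this sketch feeds the previous raw digest bytes back in.
    """
    if rounds < 1:
        raise ValueError("rounds must be >= 1")
    digest = hashlib.new(algorithm, data).digest()
    for _ in range(rounds - 1):
        digest = hashlib.new(algorithm, digest).digest()
    return digest.hex()


def salted_input(salt_hex: str, password: str) -> bytes:
    # The script hashes the string ${salt:string}${password:string}: the
    # salt's hex text followed directly by the password text.
    return (salt_hex + password).encode()


def make_script_values(password: str, algorithm: str = "md5",
                       rounds: int = 1_000_000):
    """Return (salt_hex, hash_hex) for the script's `set` and `iseq` lines."""
    salt_hex = secrets.token_hex(16)  # 32 hex chars, same shape as the page's salt
    digest = multi_round_digest(algorithm, salted_input(salt_hex, password), rounds)
    return salt_hex, digest


def verify(password: str, salt_hex: str, expected_hex: str,
           algorithm: str = "md5", rounds: int = 1_000_000) -> bool:
    """Recompute the digest and compare without leaking the mismatch position."""
    actual = multi_round_digest(algorithm, salted_input(salt_hex, password), rounds)
    return hmac.compare_digest(actual, expected_hex.lower())


if __name__ == "__main__":
    # Constructed sample password; a low round count keeps the demo fast.
    salt, digest = make_script_values("constructed-example-password", rounds=1000)
    print(f"set salt:string {salt}")
    print(f"iseq ${{hash:string}} {digest} || goto loginshell")
    print("round trip ok:", verify("constructed-example-password", salt, digest,
                                   rounds=1000))
```

The salt and digest end up readable in the script, so the round count and the password's strength are what limit offline guessing against an extracted module.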

…rm multi-round hashing and apply the result in the configuration settings

Scarjit commented Aug 21, 2023

Would be incredibly useful for us.
We currently require the user to have two "passwords" for installation (one is sent by iPXE to our matchbox server to select the correct config) and later we use the 2nd one to decrypt the config.

With this change we would be able to use 1 password (hashed for selecting the correct config, and as is for decryption).
