2 * GCRYPT crypto backend implementation
4 * Copyright (C) 2010-2021 Red Hat, Inc. All rights reserved.
5 * Copyright (C) 2010-2021 Milan Broz
7 * This file is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
12 * This file is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this file; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
27 #include "crypto_backend_internal.h"
29 static int crypto_backend_initialised = 0;
30 static int crypto_backend_secmem = 1;
31 static int crypto_backend_whirlpool_bug = -1;
32 static char version[64];
49 struct crypt_cipher_kernel kernel;
56 const char *gcrypt_name;
60 * Test for wrong Whirlpool variant,
61 * Ref: https://lists.gnupg.org/pipermail/gcrypt-devel/2014-January/002889.html
63 static void crypt_hash_test_whirlpool_bug(void)
66 char buf[2] = "\0\0", hash_out1[64], hash_out2[64];
69 if (crypto_backend_whirlpool_bug >= 0)
72 crypto_backend_whirlpool_bug = 0;
73 if (crypt_hash_init(&h, "whirlpool"))
77 if ((r = crypt_hash_write(h, &buf[0], 2)) ||
78 (r = crypt_hash_final(h, hash_out1, 64))) {
79 crypt_hash_destroy(h);
83 /* Split buf (crypt_hash_final resets hash state) */
84 if ((r = crypt_hash_write(h, &buf[0], 1)) ||
85 (r = crypt_hash_write(h, &buf[1], 1)) ||
86 (r = crypt_hash_final(h, hash_out2, 64))) {
87 crypt_hash_destroy(h);
91 crypt_hash_destroy(h);
93 if (memcmp(hash_out1, hash_out2, 64))
94 crypto_backend_whirlpool_bug = 1;
97 int crypt_backend_init(void)
101 if (crypto_backend_initialised)
104 if (!gcry_control (GCRYCTL_INITIALIZATION_FINISHED_P)) {
105 if (!gcry_check_version (GCRYPT_REQ_VERSION)) {
109 /* FIXME: If gcrypt compiled to support POSIX 1003.1e capabilities,
110 * it drops all privileges during secure memory initialisation.
111 * For now, the only workaround is to disable secure memory in gcrypt.
112 * cryptsetup always need at least cap_sys_admin privilege for dm-ioctl
113 * and it locks its memory space anyway.
116 gcry_control (GCRYCTL_DISABLE_SECMEM);
117 crypto_backend_secmem = 0;
120 gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
121 gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);
122 gcry_control (GCRYCTL_RESUME_SECMEM_WARN);
124 gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
127 crypto_backend_initialised = 1;
128 crypt_hash_test_whirlpool_bug();
130 r = snprintf(version, sizeof(version), "gcrypt %s%s%s",
131 gcry_check_version(NULL),
132 crypto_backend_secmem ? "" : ", secmem disabled",
133 crypto_backend_whirlpool_bug > 0 ? ", flawed whirlpool" : "");
134 if (r < 0 || (size_t)r >= sizeof(version))
140 void crypt_backend_destroy(void)
142 if (crypto_backend_initialised)
143 gcry_control(GCRYCTL_TERM_SECMEM);
145 crypto_backend_initialised = 0;
148 const char *crypt_backend_version(void)
150 return crypto_backend_initialised ? version : "";
153 uint32_t crypt_backend_flags(void)
158 static const char *crypt_hash_compat_name(const char *name, unsigned int *flags)
160 const char *hash_name = name;
162 static struct hash_alg hash_algs[] = {
163 { "blake2b-160", "blake2b_160" },
164 { "blake2b-256", "blake2b_256" },
165 { "blake2b-384", "blake2b_384" },
166 { "blake2b-512", "blake2b_512" },
167 { "blake2s-128", "blake2s_128" },
168 { "blake2s-160", "blake2s_160" },
169 { "blake2s-224", "blake2s_224" },
170 { "blake2s-256", "blake2s_256" },
176 /* "whirlpool_gcryptbug" is out shortcut to flawed whirlpool
177 * in libgcrypt < 1.6.0 */
178 if (!strcasecmp(name, "whirlpool_gcryptbug")) {
179 #if GCRYPT_VERSION_NUMBER >= 0x010601
181 *flags |= GCRY_MD_FLAG_BUGEMU1;
183 hash_name = "whirlpool";
187 while (hash_algs[i].name) {
188 if (!strcasecmp(name, hash_algs[i].name)) {
189 hash_name = hash_algs[i].gcrypt_name;
199 int crypt_hash_size(const char *name)
203 assert(crypto_backend_initialised);
205 hash_id = gcry_md_map_name(crypt_hash_compat_name(name, NULL));
209 return gcry_md_get_algo_dlen(hash_id);
212 int crypt_hash_init(struct crypt_hash **ctx, const char *name)
214 struct crypt_hash *h;
215 unsigned int flags = 0;
217 assert(crypto_backend_initialised);
219 h = malloc(sizeof(*h));
223 h->hash_id = gcry_md_map_name(crypt_hash_compat_name(name, &flags));
229 if (gcry_md_open(&h->hd, h->hash_id, flags)) {
234 h->hash_len = gcry_md_get_algo_dlen(h->hash_id);
239 static void crypt_hash_restart(struct crypt_hash *ctx)
241 gcry_md_reset(ctx->hd);
244 int crypt_hash_write(struct crypt_hash *ctx, const char *buffer, size_t length)
246 gcry_md_write(ctx->hd, buffer, length);
250 int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length)
254 if (length > (size_t)ctx->hash_len)
257 hash = gcry_md_read(ctx->hd, ctx->hash_id);
261 memcpy(buffer, hash, length);
262 crypt_hash_restart(ctx);
267 void crypt_hash_destroy(struct crypt_hash *ctx)
269 gcry_md_close(ctx->hd);
270 memset(ctx, 0, sizeof(*ctx));
275 int crypt_hmac_size(const char *name)
277 return crypt_hash_size(name);
280 int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
281 const void *key, size_t key_length)
283 struct crypt_hmac *h;
284 unsigned int flags = GCRY_MD_FLAG_HMAC;
286 assert(crypto_backend_initialised);
288 h = malloc(sizeof(*h));
292 h->hash_id = gcry_md_map_name(crypt_hash_compat_name(name, &flags));
298 if (gcry_md_open(&h->hd, h->hash_id, flags)) {
303 if (gcry_md_setkey(h->hd, key, key_length)) {
304 gcry_md_close(h->hd);
309 h->hash_len = gcry_md_get_algo_dlen(h->hash_id);
314 static void crypt_hmac_restart(struct crypt_hmac *ctx)
316 gcry_md_reset(ctx->hd);
319 int crypt_hmac_write(struct crypt_hmac *ctx, const char *buffer, size_t length)
321 gcry_md_write(ctx->hd, buffer, length);
325 int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length)
329 if (length > (size_t)ctx->hash_len)
332 hash = gcry_md_read(ctx->hd, ctx->hash_id);
336 memcpy(buffer, hash, length);
337 crypt_hmac_restart(ctx);
342 void crypt_hmac_destroy(struct crypt_hmac *ctx)
344 gcry_md_close(ctx->hd);
345 memset(ctx, 0, sizeof(*ctx));
350 int crypt_backend_rng(char *buffer, size_t length, int quality, int fips)
353 case CRYPT_RND_NORMAL:
354 gcry_randomize(buffer, length, GCRY_STRONG_RANDOM);
359 gcry_randomize(buffer, length, GCRY_VERY_STRONG_RANDOM);
365 static int pbkdf2(const char *hash,
366 const char *password, size_t password_length,
367 const char *salt, size_t salt_length,
368 char *key, size_t key_length,
371 const char *hash_name = crypt_hash_compat_name(hash, NULL);
373 #if USE_INTERNAL_PBKDF2
374 return pkcs5_pbkdf2(hash_name, password, password_length, salt, salt_length,
375 iterations, key_length, key, 0);
376 #else /* USE_INTERNAL_PBKDF2 */
377 int hash_id = gcry_md_map_name(hash_name);
382 if (gcry_kdf_derive(password, password_length, GCRY_KDF_PBKDF2, hash_id,
383 salt, salt_length, iterations, key_length, key))
387 #endif /* USE_INTERNAL_PBKDF2 */
391 int crypt_pbkdf(const char *kdf, const char *hash,
392 const char *password, size_t password_length,
393 const char *salt, size_t salt_length,
394 char *key, size_t key_length,
395 uint32_t iterations, uint32_t memory, uint32_t parallel)
400 if (!strcmp(kdf, "pbkdf2"))
401 return pbkdf2(hash, password, password_length, salt, salt_length,
402 key, key_length, iterations);
403 else if (!strncmp(kdf, "argon2", 6))
404 return argon2(kdf, password, password_length, salt, salt_length,
405 key, key_length, iterations, memory, parallel);
410 static int _cipher_init(gcry_cipher_hd_t *hd, const char *name,
411 const char *mode, const void *buffer, size_t length)
413 int cipher_id, mode_id;
415 cipher_id = gcry_cipher_map_name(name);
416 if (cipher_id == GCRY_CIPHER_MODE_NONE)
419 if (!strcmp(mode, "ecb"))
420 mode_id = GCRY_CIPHER_MODE_ECB;
421 else if (!strcmp(mode, "cbc"))
422 mode_id = GCRY_CIPHER_MODE_CBC;
423 #if HAVE_DECL_GCRY_CIPHER_MODE_XTS
424 else if (!strcmp(mode, "xts"))
425 mode_id = GCRY_CIPHER_MODE_XTS;
430 if (gcry_cipher_open(hd, cipher_id, mode_id, 0))
433 if (gcry_cipher_setkey(*hd, buffer, length)) {
434 gcry_cipher_close(*hd);
441 int crypt_cipher_init(struct crypt_cipher **ctx, const char *name,
442 const char *mode, const void *key, size_t key_length)
444 struct crypt_cipher *h;
447 h = malloc(sizeof(*h));
451 if (!_cipher_init(&h->u.hd, name, mode, key, key_length)) {
452 h->use_kernel = false;
457 r = crypt_cipher_init_kernel(&h->u.kernel, name, mode, key, key_length);
463 h->use_kernel = true;
468 void crypt_cipher_destroy(struct crypt_cipher *ctx)
471 crypt_cipher_destroy_kernel(&ctx->u.kernel);
473 gcry_cipher_close(ctx->u.hd);
477 int crypt_cipher_encrypt(struct crypt_cipher *ctx,
478 const char *in, char *out, size_t length,
479 const char *iv, size_t iv_length)
482 return crypt_cipher_encrypt_kernel(&ctx->u.kernel, in, out, length, iv, iv_length);
484 if (iv && gcry_cipher_setiv(ctx->u.hd, iv, iv_length))
487 if (gcry_cipher_encrypt(ctx->u.hd, out, length, in, length))
493 int crypt_cipher_decrypt(struct crypt_cipher *ctx,
494 const char *in, char *out, size_t length,
495 const char *iv, size_t iv_length)
498 return crypt_cipher_decrypt_kernel(&ctx->u.kernel, in, out, length, iv, iv_length);
500 if (iv && gcry_cipher_setiv(ctx->u.hd, iv, iv_length))
503 if (gcry_cipher_decrypt(ctx->u.hd, out, length, in, length))
509 bool crypt_cipher_kernel_only(struct crypt_cipher *ctx)
511 return ctx->use_kernel;
514 int crypt_bitlk_decrypt_key(const void *key, size_t key_length,
515 const char *in, char *out, size_t length,
516 const char *iv, size_t iv_length,
517 const char *tag, size_t tag_length)
519 #ifdef GCRY_CCM_BLOCK_LEN
524 if (gcry_cipher_open(&hd, GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_CCM, 0))
527 if (gcry_cipher_setkey(hd, key, key_length))
530 if (gcry_cipher_setiv(hd, iv, iv_length))
536 if (gcry_cipher_ctl(hd, GCRYCTL_SET_CCM_LENGTHS, l, sizeof(l)))
539 if (gcry_cipher_decrypt(hd, out, length, in, length))
542 if (gcry_cipher_checktag(hd, tag, tag_length))
547 gcry_cipher_close(hd);