2 * GCRYPT crypto backend implementation
4 * Copyright (C) 2010-2023 Red Hat, Inc. All rights reserved.
5 * Copyright (C) 2010-2023 Milan Broz
7 * This file is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
12 * This file is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this file; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
26 #include "crypto_backend_internal.h"
28 static int crypto_backend_initialised = 0;
29 static int crypto_backend_secmem = 1;
30 static int crypto_backend_whirlpool_bug = -1;
31 static char version[64];
48 struct crypt_cipher_kernel kernel;
55 const char *gcrypt_name;
59 * Test for wrong Whirlpool variant,
60 * Ref: https://lists.gnupg.org/pipermail/gcrypt-devel/2014-January/002889.html
62 static void crypt_hash_test_whirlpool_bug(void)
65 char buf[2] = "\0\0", hash_out1[64], hash_out2[64];
68 if (crypto_backend_whirlpool_bug >= 0)
71 crypto_backend_whirlpool_bug = 0;
72 if (crypt_hash_init(&h, "whirlpool"))
76 if ((r = crypt_hash_write(h, &buf[0], 2)) ||
77 (r = crypt_hash_final(h, hash_out1, 64))) {
78 crypt_hash_destroy(h);
82 /* Split buf (crypt_hash_final resets hash state) */
83 if ((r = crypt_hash_write(h, &buf[0], 1)) ||
84 (r = crypt_hash_write(h, &buf[1], 1)) ||
85 (r = crypt_hash_final(h, hash_out2, 64))) {
86 crypt_hash_destroy(h);
90 crypt_hash_destroy(h);
92 if (memcmp(hash_out1, hash_out2, 64))
93 crypto_backend_whirlpool_bug = 1;
96 int crypt_backend_init(bool fips __attribute__((unused)))
100 if (crypto_backend_initialised)
103 if (!gcry_control (GCRYCTL_INITIALIZATION_FINISHED_P)) {
104 if (!gcry_check_version (GCRYPT_REQ_VERSION)) {
108 /* If gcrypt compiled to support POSIX 1003.1e capabilities,
109 * it drops all privileges during secure memory initialisation.
110 * For now, the only workaround is to disable secure memory in gcrypt.
111 * cryptsetup always need at least cap_sys_admin privilege for dm-ioctl
112 * and it locks its memory space anyway.
115 gcry_control (GCRYCTL_DISABLE_SECMEM);
116 crypto_backend_secmem = 0;
119 gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
120 gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);
121 gcry_control (GCRYCTL_RESUME_SECMEM_WARN);
123 gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
126 crypto_backend_initialised = 1;
127 crypt_hash_test_whirlpool_bug();
129 r = snprintf(version, sizeof(version), "gcrypt %s%s%s",
130 gcry_check_version(NULL),
131 crypto_backend_secmem ? "" : ", secmem disabled",
132 crypto_backend_whirlpool_bug > 0 ? ", flawed whirlpool" : "");
133 if (r < 0 || (size_t)r >= sizeof(version))
139 void crypt_backend_destroy(void)
141 if (crypto_backend_initialised)
142 gcry_control(GCRYCTL_TERM_SECMEM);
144 crypto_backend_initialised = 0;
147 const char *crypt_backend_version(void)
149 return crypto_backend_initialised ? version : "";
152 uint32_t crypt_backend_flags(void)
157 static const char *crypt_hash_compat_name(const char *name, unsigned int *flags)
159 const char *hash_name = name;
161 static struct hash_alg hash_algs[] = {
162 { "blake2b-160", "blake2b_160" },
163 { "blake2b-256", "blake2b_256" },
164 { "blake2b-384", "blake2b_384" },
165 { "blake2b-512", "blake2b_512" },
166 { "blake2s-128", "blake2s_128" },
167 { "blake2s-160", "blake2s_160" },
168 { "blake2s-224", "blake2s_224" },
169 { "blake2s-256", "blake2s_256" },
175 /* "whirlpool_gcryptbug" is out shortcut to flawed whirlpool
176 * in libgcrypt < 1.6.0 */
177 if (!strcasecmp(name, "whirlpool_gcryptbug")) {
178 #if GCRYPT_VERSION_NUMBER >= 0x010601
180 *flags |= GCRY_MD_FLAG_BUGEMU1;
182 hash_name = "whirlpool";
186 while (hash_algs[i].name) {
187 if (!strcasecmp(name, hash_algs[i].name)) {
188 hash_name = hash_algs[i].gcrypt_name;
198 int crypt_hash_size(const char *name)
202 assert(crypto_backend_initialised);
204 hash_id = gcry_md_map_name(crypt_hash_compat_name(name, NULL));
208 return gcry_md_get_algo_dlen(hash_id);
211 int crypt_hash_init(struct crypt_hash **ctx, const char *name)
213 struct crypt_hash *h;
214 unsigned int flags = 0;
216 assert(crypto_backend_initialised);
218 h = malloc(sizeof(*h));
222 h->hash_id = gcry_md_map_name(crypt_hash_compat_name(name, &flags));
228 if (gcry_md_open(&h->hd, h->hash_id, flags)) {
233 h->hash_len = gcry_md_get_algo_dlen(h->hash_id);
238 static void crypt_hash_restart(struct crypt_hash *ctx)
240 gcry_md_reset(ctx->hd);
243 int crypt_hash_write(struct crypt_hash *ctx, const char *buffer, size_t length)
245 gcry_md_write(ctx->hd, buffer, length);
249 int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length)
253 if (length > (size_t)ctx->hash_len)
256 hash = gcry_md_read(ctx->hd, ctx->hash_id);
260 memcpy(buffer, hash, length);
261 crypt_hash_restart(ctx);
266 void crypt_hash_destroy(struct crypt_hash *ctx)
268 gcry_md_close(ctx->hd);
269 memset(ctx, 0, sizeof(*ctx));
274 int crypt_hmac_size(const char *name)
276 return crypt_hash_size(name);
279 int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
280 const void *key, size_t key_length)
282 struct crypt_hmac *h;
283 unsigned int flags = GCRY_MD_FLAG_HMAC;
285 assert(crypto_backend_initialised);
287 h = malloc(sizeof(*h));
291 h->hash_id = gcry_md_map_name(crypt_hash_compat_name(name, &flags));
297 if (gcry_md_open(&h->hd, h->hash_id, flags)) {
302 if (gcry_md_setkey(h->hd, key, key_length)) {
303 gcry_md_close(h->hd);
308 h->hash_len = gcry_md_get_algo_dlen(h->hash_id);
313 static void crypt_hmac_restart(struct crypt_hmac *ctx)
315 gcry_md_reset(ctx->hd);
318 int crypt_hmac_write(struct crypt_hmac *ctx, const char *buffer, size_t length)
320 gcry_md_write(ctx->hd, buffer, length);
324 int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length)
328 if (length > (size_t)ctx->hash_len)
331 hash = gcry_md_read(ctx->hd, ctx->hash_id);
335 memcpy(buffer, hash, length);
336 crypt_hmac_restart(ctx);
341 void crypt_hmac_destroy(struct crypt_hmac *ctx)
343 gcry_md_close(ctx->hd);
344 memset(ctx, 0, sizeof(*ctx));
349 int crypt_backend_rng(char *buffer, size_t length, int quality, int fips __attribute__((unused)))
352 case CRYPT_RND_NORMAL:
353 gcry_randomize(buffer, length, GCRY_STRONG_RANDOM);
358 gcry_randomize(buffer, length, GCRY_VERY_STRONG_RANDOM);
364 static int pbkdf2(const char *hash,
365 const char *password, size_t password_length,
366 const char *salt, size_t salt_length,
367 char *key, size_t key_length,
370 const char *hash_name = crypt_hash_compat_name(hash, NULL);
372 #if USE_INTERNAL_PBKDF2
373 return pkcs5_pbkdf2(hash_name, password, password_length, salt, salt_length,
374 iterations, key_length, key, 0);
375 #else /* USE_INTERNAL_PBKDF2 */
376 int hash_id = gcry_md_map_name(hash_name);
381 if (gcry_kdf_derive(password, password_length, GCRY_KDF_PBKDF2, hash_id,
382 salt, salt_length, iterations, key_length, key))
386 #endif /* USE_INTERNAL_PBKDF2 */
390 int crypt_pbkdf(const char *kdf, const char *hash,
391 const char *password, size_t password_length,
392 const char *salt, size_t salt_length,
393 char *key, size_t key_length,
394 uint32_t iterations, uint32_t memory, uint32_t parallel)
399 if (!strcmp(kdf, "pbkdf2"))
400 return pbkdf2(hash, password, password_length, salt, salt_length,
401 key, key_length, iterations);
402 else if (!strncmp(kdf, "argon2", 6))
403 return argon2(kdf, password, password_length, salt, salt_length,
404 key, key_length, iterations, memory, parallel);
409 static int _cipher_init(gcry_cipher_hd_t *hd, const char *name,
410 const char *mode, const void *buffer, size_t length)
412 int cipher_id, mode_id;
414 cipher_id = gcry_cipher_map_name(name);
415 if (cipher_id == GCRY_CIPHER_MODE_NONE)
418 if (!strcmp(mode, "ecb"))
419 mode_id = GCRY_CIPHER_MODE_ECB;
420 else if (!strcmp(mode, "cbc"))
421 mode_id = GCRY_CIPHER_MODE_CBC;
422 #if HAVE_DECL_GCRY_CIPHER_MODE_XTS
423 else if (!strcmp(mode, "xts"))
424 mode_id = GCRY_CIPHER_MODE_XTS;
429 if (gcry_cipher_open(hd, cipher_id, mode_id, 0))
432 if (gcry_cipher_setkey(*hd, buffer, length)) {
433 gcry_cipher_close(*hd);
440 int crypt_cipher_init(struct crypt_cipher **ctx, const char *name,
441 const char *mode, const void *key, size_t key_length)
443 struct crypt_cipher *h;
446 h = malloc(sizeof(*h));
450 if (!_cipher_init(&h->u.hd, name, mode, key, key_length)) {
451 h->use_kernel = false;
456 r = crypt_cipher_init_kernel(&h->u.kernel, name, mode, key, key_length);
462 h->use_kernel = true;
467 void crypt_cipher_destroy(struct crypt_cipher *ctx)
470 crypt_cipher_destroy_kernel(&ctx->u.kernel);
472 gcry_cipher_close(ctx->u.hd);
476 int crypt_cipher_encrypt(struct crypt_cipher *ctx,
477 const char *in, char *out, size_t length,
478 const char *iv, size_t iv_length)
481 return crypt_cipher_encrypt_kernel(&ctx->u.kernel, in, out, length, iv, iv_length);
483 if (iv && gcry_cipher_setiv(ctx->u.hd, iv, iv_length))
486 if (gcry_cipher_encrypt(ctx->u.hd, out, length, in, length))
492 int crypt_cipher_decrypt(struct crypt_cipher *ctx,
493 const char *in, char *out, size_t length,
494 const char *iv, size_t iv_length)
497 return crypt_cipher_decrypt_kernel(&ctx->u.kernel, in, out, length, iv, iv_length);
499 if (iv && gcry_cipher_setiv(ctx->u.hd, iv, iv_length))
502 if (gcry_cipher_decrypt(ctx->u.hd, out, length, in, length))
508 bool crypt_cipher_kernel_only(struct crypt_cipher *ctx)
510 return ctx->use_kernel;
513 int crypt_bitlk_decrypt_key(const void *key, size_t key_length,
514 const char *in, char *out, size_t length,
515 const char *iv, size_t iv_length,
516 const char *tag, size_t tag_length)
518 #ifdef GCRY_CCM_BLOCK_LEN
523 if (gcry_cipher_open(&hd, GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_CCM, 0))
526 if (gcry_cipher_setkey(hd, key, key_length))
529 if (gcry_cipher_setiv(hd, iv, iv_length))
535 if (gcry_cipher_ctl(hd, GCRYCTL_SET_CCM_LENGTHS, l, sizeof(l)))
538 if (gcry_cipher_decrypt(hd, out, length, in, length))
541 if (gcry_cipher_checktag(hd, tag, tag_length))
546 gcry_cipher_close(hd);
553 int crypt_backend_memeq(const void *m1, const void *m2, size_t n)
555 return crypt_internal_memeq(m1, m2, n);
559 bool crypt_fips_mode(void) { return false; }
561 bool crypt_fips_mode(void)
563 static bool fips_mode = false, fips_checked = false;
568 fips_mode = gcry_fips_mode_active();
573 #endif /* ENABLE FIPS */