2 * Linux kernel userspace API crypto backend implementation
4 * Copyright (C) 2010-2012, Red Hat, Inc. All rights reserved.
5 * Copyright (C) 2010-2012, Milan Broz
7 * This program is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU General Public License
9 * version 2 as published by the Free Software Foundation.
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
16 * You should have received a copy of the GNU General Public License
17 * along with this program; if not, write to the Free Software
18 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
26 #include <sys/socket.h>
27 #include <sys/utsname.h>
28 #include <linux/if_alg.h>
29 #include "crypto_backend.h"
31 /* FIXME: remove later */
39 static int crypto_backend_initialised = 0;
40 static char version[64];
44 const char *kernel_name;
48 static struct hash_alg hash_algs[] = {
49 { "sha1", "sha1", 20 },
50 { "sha256", "sha256", 32 },
51 { "sha512", "sha512", 64 },
52 { "ripemd160", "rmd160", 20 },
53 { "whirlpool", "wp512", 64 },
69 /* Defined in crypt_kernel_ciphers.c */
70 extern int crypt_kernel_socket_init(struct sockaddr_alg *sa, int *tfmfd, int *opfd);
72 int crypt_backend_init(struct crypt_device *ctx)
75 struct sockaddr_alg sa = {
76 .salg_family = AF_ALG,
80 int tfmfd = -1, opfd = -1;
82 if (crypto_backend_initialised)
85 if (uname(&uts) == -1 || strcmp(uts.sysname, "Linux"))
88 if (crypt_kernel_socket_init(&sa, &tfmfd, &opfd) < 0)
94 snprintf(version, sizeof(version), "%s %s kernel cryptoAPI",
95 uts.sysname, uts.release);
97 crypto_backend_initialised = 1;
101 uint32_t crypt_backend_flags(void)
103 return CRYPT_BACKEND_KERNEL;
106 const char *crypt_backend_version(void)
108 return crypto_backend_initialised ? version : "";
111 static struct hash_alg *_get_alg(const char *name)
115 while (name && hash_algs[i].name) {
116 if (!strcmp(name, hash_algs[i].name))
117 return &hash_algs[i];
124 int crypt_hash_size(const char *name)
126 struct hash_alg *ha = _get_alg(name);
128 return ha ? ha->length : -EINVAL;
131 int crypt_hash_init(struct crypt_hash **ctx, const char *name)
133 struct crypt_hash *h;
135 struct sockaddr_alg sa = {
136 .salg_family = AF_ALG,
140 h = malloc(sizeof(*h));
149 h->hash_len = ha->length;
151 strncpy((char *)sa.salg_name, ha->kernel_name, sizeof(sa.salg_name));
153 if (crypt_kernel_socket_init(&sa, &h->tfmfd, &h->opfd) < 0) {
162 int crypt_hash_write(struct crypt_hash *ctx, const char *buffer, size_t length)
166 r = send(ctx->opfd, buffer, length, MSG_MORE);
167 if (r < 0 || (size_t)r < length)
173 int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length)
177 if (length > (size_t)ctx->hash_len)
180 r = read(ctx->opfd, buffer, length);
187 int crypt_hash_destroy(struct crypt_hash *ctx)
189 if (ctx->tfmfd != -1)
193 memset(ctx, 0, sizeof(*ctx));
199 int crypt_hmac_size(const char *name)
201 return crypt_hash_size(name);
204 int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
205 const void *buffer, size_t length)
207 struct crypt_hmac *h;
209 struct sockaddr_alg sa = {
210 .salg_family = AF_ALG,
214 h = malloc(sizeof(*h));
223 h->hash_len = ha->length;
225 snprintf((char *)sa.salg_name, sizeof(sa.salg_name),
226 "hmac(%s)", ha->kernel_name);
228 if (crypt_kernel_socket_init(&sa, &h->tfmfd, &h->opfd) < 0) {
233 if (setsockopt(h->tfmfd, SOL_ALG, ALG_SET_KEY, buffer, length) == -1) {
234 crypt_hmac_destroy(h);
242 int crypt_hmac_write(struct crypt_hmac *ctx, const char *buffer, size_t length)
246 r = send(ctx->opfd, buffer, length, MSG_MORE);
247 if (r < 0 || (size_t)r < length)
253 int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length)
257 if (length > (size_t)ctx->hash_len)
260 r = read(ctx->opfd, buffer, length);
267 int crypt_hmac_destroy(struct crypt_hmac *ctx)
269 if (ctx->tfmfd != -1)
273 memset(ctx, 0, sizeof(*ctx));
279 int crypt_backend_rng(char *buffer, size_t length, int quality, int fips)
285 int crypt_pbkdf(const char *kdf, const char *hash,
286 const char *password, size_t password_length,
287 const char *salt, size_t salt_length,
288 char *key, size_t key_length,
289 unsigned int iterations)
291 if (!kdf || strncmp(kdf, "pbkdf2", 6))
294 return pkcs5_pbkdf2(hash, password, password_length, salt, salt_length,
295 iterations, key_length, key);