/*
* GCRYPT crypto backend implementation
*
- * Copyright (C) 2010-2012, Red Hat, Inc. All rights reserved.
- * Copyright (C) 2010-2012, Milan Broz
+ * Copyright (C) 2010-2020 Red Hat, Inc. All rights reserved.
+ * Copyright (C) 2010-2020 Milan Broz
*
* This file is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
#include <errno.h>
#include <assert.h>
#include <gcrypt.h>
-#include "crypto_backend.h"
+#include "crypto_backend_internal.h"
static int crypto_backend_initialised = 0;
static int crypto_backend_secmem = 1;
+static int crypto_backend_whirlpool_bug = -1;
static char version[64];
struct crypt_hash {
int hash_len;
};
-int crypt_backend_init(struct crypt_device *ctx)
+struct crypt_cipher {
+ bool use_kernel;
+ union {
+ struct crypt_cipher_kernel kernel;
+ gcry_cipher_hd_t hd;
+ } u;
+};
+
+/*
+ * Test for wrong Whirlpool variant,
+ * Ref: http://lists.gnupg.org/pipermail/gcrypt-devel/2014-January/002889.html
+ */
+static void crypt_hash_test_whirlpool_bug(void)
+{
+ struct crypt_hash *h;
+ char buf[2] = "\0\0", hash_out1[64], hash_out2[64];
+ int r;
+
+ if (crypto_backend_whirlpool_bug >= 0)
+ return;
+
+ crypto_backend_whirlpool_bug = 0;
+ if (crypt_hash_init(&h, "whirlpool"))
+ return;
+
+ /* One shot */
+ if ((r = crypt_hash_write(h, &buf[0], 2)) ||
+ (r = crypt_hash_final(h, hash_out1, 64))) {
+ crypt_hash_destroy(h);
+ return;
+ }
+
+ /* Split buf (crypt_hash_final resets hash state) */
+ if ((r = crypt_hash_write(h, &buf[0], 1)) ||
+ (r = crypt_hash_write(h, &buf[1], 1)) ||
+ (r = crypt_hash_final(h, hash_out2, 64))) {
+ crypt_hash_destroy(h);
+ return;
+ }
+
+ crypt_hash_destroy(h);
+
+ if (memcmp(hash_out1, hash_out2, 64))
+ crypto_backend_whirlpool_bug = 1;
+}
+
+int crypt_backend_init(void)
{
if (crypto_backend_initialised)
return 0;
gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
}
- snprintf(version, 64, "gcrypt %s%s",
- gcry_check_version(NULL),
- crypto_backend_secmem ? "" : ", secmem disabled");
crypto_backend_initialised = 1;
+ crypt_hash_test_whirlpool_bug();
+
+ snprintf(version, 64, "gcrypt %s%s%s",
+ gcry_check_version(NULL),
+ crypto_backend_secmem ? "" : ", secmem disabled",
+ crypto_backend_whirlpool_bug > 0 ? ", flawed whirlpool" : ""
+ );
+
return 0;
}
+void crypt_backend_destroy(void)
+{
+ if (crypto_backend_initialised)
+ gcry_control(GCRYCTL_TERM_SECMEM);
+
+ crypto_backend_initialised = 0;
+}
+
const char *crypt_backend_version(void)
{
return crypto_backend_initialised ? version : "";
return 0;
}
+static const char *crypt_hash_compat_name(const char *name, unsigned int *flags)
+{
+ const char *hash_name = name;
+
+ /* "whirlpool_gcryptbug" is out shortcut to flawed whirlpool
+ * in libgcrypt < 1.6.0 */
+ if (name && !strcasecmp(name, "whirlpool_gcryptbug")) {
+#if GCRYPT_VERSION_NUMBER >= 0x010601
+ if (flags)
+ *flags |= GCRY_MD_FLAG_BUGEMU1;
+#endif
+ hash_name = "whirlpool";
+ }
+
+ return hash_name;
+}
+
/* HASH */
int crypt_hash_size(const char *name)
{
assert(crypto_backend_initialised);
- hash_id = gcry_md_map_name(name);
+ hash_id = gcry_md_map_name(crypt_hash_compat_name(name, NULL));
if (!hash_id)
return -EINVAL;
int crypt_hash_init(struct crypt_hash **ctx, const char *name)
{
struct crypt_hash *h;
+ unsigned int flags = 0;
assert(crypto_backend_initialised);
if (!h)
return -ENOMEM;
- h->hash_id = gcry_md_map_name(name);
+ h->hash_id = gcry_md_map_name(crypt_hash_compat_name(name, &flags));
if (!h->hash_id) {
free(h);
return -EINVAL;
}
- if (gcry_md_open(&h->hd, h->hash_id, 0)) {
+ if (gcry_md_open(&h->hd, h->hash_id, flags)) {
free(h);
return -EINVAL;
}
return 0;
}
-int crypt_hash_destroy(struct crypt_hash *ctx)
+void crypt_hash_destroy(struct crypt_hash *ctx)
{
gcry_md_close(ctx->hd);
memset(ctx, 0, sizeof(*ctx));
free(ctx);
- return 0;
}
/* HMAC */
}
int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
- const void *buffer, size_t length)
+ const void *key, size_t key_length)
{
struct crypt_hmac *h;
+ unsigned int flags = GCRY_MD_FLAG_HMAC;
assert(crypto_backend_initialised);
if (!h)
return -ENOMEM;
- h->hash_id = gcry_md_map_name(name);
+ h->hash_id = gcry_md_map_name(crypt_hash_compat_name(name, &flags));
if (!h->hash_id) {
free(h);
return -EINVAL;
}
- if (gcry_md_open(&h->hd, h->hash_id, GCRY_MD_FLAG_HMAC)) {
+ if (gcry_md_open(&h->hd, h->hash_id, flags)) {
free(h);
return -EINVAL;
}
- if (gcry_md_setkey(h->hd, buffer, length)) {
+ if (gcry_md_setkey(h->hd, key, key_length)) {
gcry_md_close(h->hd);
free(h);
return -EINVAL;
return 0;
}
-int crypt_hmac_destroy(struct crypt_hmac *ctx)
+void crypt_hmac_destroy(struct crypt_hmac *ctx)
{
gcry_md_close(ctx->hd);
memset(ctx, 0, sizeof(*ctx));
free(ctx);
- return 0;
}
/* RNG */
return 0;
}
+static int pbkdf2(const char *hash,
+ const char *password, size_t password_length,
+ const char *salt, size_t salt_length,
+ char *key, size_t key_length,
+ uint32_t iterations)
+{
+ const char *hash_name = crypt_hash_compat_name(hash, NULL);
+
+#if USE_INTERNAL_PBKDF2
+ return pkcs5_pbkdf2(hash_name, password, password_length, salt, salt_length,
+ iterations, key_length, key, 0);
+#else /* USE_INTERNAL_PBKDF2 */
+ int hash_id = gcry_md_map_name(hash_name);
+
+ if (!hash_id)
+ return -EINVAL;
+
+ if (gcry_kdf_derive(password, password_length, GCRY_KDF_PBKDF2, hash_id,
+ salt, salt_length, iterations, key_length, key))
+ return -EINVAL;
+
+ return 0;
+#endif /* USE_INTERNAL_PBKDF2 */
+}
+
/* PBKDF */
int crypt_pbkdf(const char *kdf, const char *hash,
const char *password, size_t password_length,
const char *salt, size_t salt_length,
char *key, size_t key_length,
- unsigned int iterations)
+ uint32_t iterations, uint32_t memory, uint32_t parallel)
{
-#if USE_INTERNAL_PBKDF2
- if (!kdf || strncmp(kdf, "pbkdf2", 6))
+ if (!kdf)
return -EINVAL;
- return pkcs5_pbkdf2(hash, password, password_length, salt, salt_length,
- iterations, key_length, key);
+ if (!strcmp(kdf, "pbkdf2"))
+ return pbkdf2(hash, password, password_length, salt, salt_length,
+ key, key_length, iterations);
+ else if (!strncmp(kdf, "argon2", 6))
+ return argon2(kdf, password, password_length, salt, salt_length,
+ key, key_length, iterations, memory, parallel);
+ return -EINVAL;
+}
-#else /* USE_INTERNAL_PBKDF2 */
- int hash_id = gcry_md_map_name(hash);
- int kdf_id;
+/* Block ciphers */
+static int _cipher_init(gcry_cipher_hd_t *hd, const char *name,
+ const char *mode, const void *buffer, size_t length)
+{
+ int cipher_id, mode_id;
+
+ cipher_id = gcry_cipher_map_name(name);
+ if (cipher_id == GCRY_CIPHER_MODE_NONE)
+ return -ENOENT;
+
+ if (!strcmp(mode, "ecb"))
+ mode_id = GCRY_CIPHER_MODE_ECB;
+ else if (!strcmp(mode, "cbc"))
+ mode_id = GCRY_CIPHER_MODE_CBC;
+#if HAVE_DECL_GCRY_CIPHER_MODE_XTS
+ else if (!strcmp(mode, "xts"))
+ mode_id = GCRY_CIPHER_MODE_XTS;
+#endif
+ else
+ return -ENOENT;
- if (!hash_id)
+ if (gcry_cipher_open(hd, cipher_id, mode_id, 0))
return -EINVAL;
- if (kdf && !strncmp(kdf, "pbkdf2", 6))
- kdf_id = GCRY_KDF_PBKDF2;
+ if (gcry_cipher_setkey(*hd, buffer, length)) {
+ gcry_cipher_close(*hd);
+ return -EINVAL;
+ }
+
+ return 0;
+}
+
+int crypt_cipher_init(struct crypt_cipher **ctx, const char *name,
+ const char *mode, const void *key, size_t key_length)
+{
+ struct crypt_cipher *h;
+ int r;
+
+ h = malloc(sizeof(*h));
+ if (!h)
+ return -ENOMEM;
+
+ if (!_cipher_init(&h->u.hd, name, mode, key, key_length)) {
+ h->use_kernel = false;
+ *ctx = h;
+ return 0;
+ }
+
+ r = crypt_cipher_init_kernel(&h->u.kernel, name, mode, key, key_length);
+ if (r < 0) {
+ free(h);
+ return r;
+ }
+
+ h->use_kernel = true;
+ *ctx = h;
+ return 0;
+}
+
+void crypt_cipher_destroy(struct crypt_cipher *ctx)
+{
+ if (ctx->use_kernel)
+ crypt_cipher_destroy_kernel(&ctx->u.kernel);
else
+ gcry_cipher_close(ctx->u.hd);
+ free(ctx);
+}
+
+int crypt_cipher_encrypt(struct crypt_cipher *ctx,
+ const char *in, char *out, size_t length,
+ const char *iv, size_t iv_length)
+{
+ if (ctx->use_kernel)
+ return crypt_cipher_encrypt_kernel(&ctx->u.kernel, in, out, length, iv, iv_length);
+
+ if (iv && gcry_cipher_setiv(ctx->u.hd, iv, iv_length))
return -EINVAL;
- if (gcry_kdf_derive(password, password_length, kdf_id, hash_id,
- salt, salt_length, iterations, key_length, key))
+ if (gcry_cipher_encrypt(ctx->u.hd, out, length, in, length))
return -EINVAL;
return 0;
-#endif /* USE_INTERNAL_PBKDF2 */
+}
+
+int crypt_cipher_decrypt(struct crypt_cipher *ctx,
+ const char *in, char *out, size_t length,
+ const char *iv, size_t iv_length)
+{
+ if (ctx->use_kernel)
+ return crypt_cipher_decrypt_kernel(&ctx->u.kernel, in, out, length, iv, iv_length);
+
+ if (iv && gcry_cipher_setiv(ctx->u.hd, iv, iv_length))
+ return -EINVAL;
+
+ if (gcry_cipher_decrypt(ctx->u.hd, out, length, in, length))
+ return -EINVAL;
+
+ return 0;
+}
+
+bool crypt_cipher_kernel_only(struct crypt_cipher *ctx)
+{
+ return ctx->use_kernel;
+}
+
+int crypt_bitlk_decrypt_key(const void *key, size_t key_length,
+ const char *in, char *out, size_t length,
+ const char *iv, size_t iv_length,
+ const char *tag, size_t tag_length)
+{
+#ifdef GCRY_CCM_BLOCK_LEN
+ gcry_cipher_hd_t hd;
+ uint64_t l[3];
+ int r = -EINVAL;
+
+ if (gcry_cipher_open(&hd, GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_CCM, 0))
+ return -EINVAL;
+
+ if (gcry_cipher_setkey(hd, key, key_length))
+ goto out;
+
+ if (gcry_cipher_setiv(hd, iv, iv_length))
+ goto out;
+
+ l[0] = length;
+ l[1] = 0;
+ l[2] = tag_length;
+ if (gcry_cipher_ctl(hd, GCRYCTL_SET_CCM_LENGTHS, l, sizeof(l)))
+ goto out;
+
+ if (gcry_cipher_decrypt(hd, out, length, in, length))
+ goto out;
+
+ if (gcry_cipher_checktag(hd, tag, tag_length))
+ goto out;
+
+ r = 0;
+out:
+ gcry_cipher_close(hd);
+ return r;
+#else
+ return -ENOTSUP;
+#endif
}