X-Git-Url: http://review.tizen.org/git/?a=blobdiff_plain;f=lib%2Fcrypto_backend%2Fcrypto_gcrypt.c;h=698b52ac1cc4894617eaeaa454a5863e95e8bd63;hb=e4c1cef5a4674eb873a551d4f2a492d985e55e1e;hp=0c0637707d8e1f603cf2157a23238b223b6ca10d;hpb=45e09427558a62b026184a8cfaac29b546f47204;p=platform%2Fupstream%2Fcryptsetup.git diff --git a/lib/crypto_backend/crypto_gcrypt.c b/lib/crypto_backend/crypto_gcrypt.c index 0c06377..698b52a 100644 --- a/lib/crypto_backend/crypto_gcrypt.c +++ b/lib/crypto_backend/crypto_gcrypt.c @@ -1,29 +1,35 @@ /* * GCRYPT crypto backend implementation * - * Copyright (C) 2010-2012, Red Hat, Inc. All rights reserved. + * Copyright (C) 2010-2021 Red Hat, Inc. All rights reserved. + * Copyright (C) 2010-2021 Milan Broz * - * This program is free software; you can redistribute it and/or - * modify it under the terms of the GNU General Public License - * version 2 as published by the Free Software Foundation. + * This file is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. * - * This program is distributed in the hope that it will be useful, + * This file is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of - * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the - * GNU General Public License for more details. + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. * - * You should have received a copy of the GNU General Public License - * along with this program; if not, write to the Free Software + * You should have received a copy of the GNU Lesser General Public + * License along with this file; if not, write to the Free Software * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. */ #include +#include #include #include #include -#include "crypto_backend.h" +#include "crypto_backend_internal.h" static int crypto_backend_initialised = 0; +static int crypto_backend_secmem = 1; +static int crypto_backend_whirlpool_bug = -1; +static char version[64]; struct crypt_hash { gcry_md_hd_t hd; @@ -37,13 +43,64 @@ struct crypt_hmac { int hash_len; }; -int crypt_backend_init(struct crypt_device *ctx) +struct crypt_cipher { + bool use_kernel; + union { + struct crypt_cipher_kernel kernel; + gcry_cipher_hd_t hd; + } u; +}; + +struct hash_alg { + const char *name; + const char *gcrypt_name; +}; + +/* + * Test for wrong Whirlpool variant, + * Ref: https://lists.gnupg.org/pipermail/gcrypt-devel/2014-January/002889.html + */ +static void crypt_hash_test_whirlpool_bug(void) +{ + struct crypt_hash *h; + char buf[2] = "\0\0", hash_out1[64], hash_out2[64]; + int r; + + if (crypto_backend_whirlpool_bug >= 0) + return; + + crypto_backend_whirlpool_bug = 0; + if (crypt_hash_init(&h, "whirlpool")) + return; + + /* One shot */ + if ((r = crypt_hash_write(h, &buf[0], 2)) || + (r = crypt_hash_final(h, hash_out1, 64))) { + crypt_hash_destroy(h); + return; + } + + /* Split buf (crypt_hash_final resets hash state) */ + if ((r = crypt_hash_write(h, &buf[0], 1)) || + (r = crypt_hash_write(h, &buf[1], 1)) || + (r = crypt_hash_final(h, hash_out2, 64))) { + crypt_hash_destroy(h); + return; + } + + crypt_hash_destroy(h); + + if (memcmp(hash_out1, hash_out2, 64)) + crypto_backend_whirlpool_bug = 1; +} + +int crypt_backend_init(void) { + int r; + if (crypto_backend_initialised) return 0; - log_dbg("Initialising gcrypt crypto backend."); - crypt_fips_libcryptsetup_check(ctx); if (!gcry_control (GCRYCTL_INITIALIZATION_FINISHED_P)) { if (!gcry_check_version (GCRYPT_REQ_VERSION)) { return -ENOSYS; @@ -56,8 +113,8 @@ int crypt_backend_init(struct crypt_device *ctx) * and it locks its memory space anyway. */ #if 0 - log_dbg("Initializing crypto backend (secure memory disabled)."); gcry_control (GCRYCTL_DISABLE_SECMEM); + crypto_backend_secmem = 0; #else gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN); @@ -68,14 +125,76 @@ int crypt_backend_init(struct crypt_device *ctx) } crypto_backend_initialised = 1; + crypt_hash_test_whirlpool_bug(); + + r = snprintf(version, sizeof(version), "gcrypt %s%s%s", + gcry_check_version(NULL), + crypto_backend_secmem ? "" : ", secmem disabled", + crypto_backend_whirlpool_bug > 0 ? ", flawed whirlpool" : ""); + if (r < 0 || (size_t)r >= sizeof(version)) + return -EINVAL; + return 0; } +void crypt_backend_destroy(void) +{ + if (crypto_backend_initialised) + gcry_control(GCRYCTL_TERM_SECMEM); + + crypto_backend_initialised = 0; +} + +const char *crypt_backend_version(void) +{ + return crypto_backend_initialised ? version : ""; +} + uint32_t crypt_backend_flags(void) { return 0; } +static const char *crypt_hash_compat_name(const char *name, unsigned int *flags) +{ + const char *hash_name = name; + int i; + static struct hash_alg hash_algs[] = { + { "blake2b-160", "blake2b_160" }, + { "blake2b-256", "blake2b_256" }, + { "blake2b-384", "blake2b_384" }, + { "blake2b-512", "blake2b_512" }, + { "blake2s-128", "blake2s_128" }, + { "blake2s-160", "blake2s_160" }, + { "blake2s-224", "blake2s_224" }, + { "blake2s-256", "blake2s_256" }, + { NULL, NULL, }}; + + if (!name) + return NULL; + + /* "whirlpool_gcryptbug" is out shortcut to flawed whirlpool + * in libgcrypt < 1.6.0 */ + if (!strcasecmp(name, "whirlpool_gcryptbug")) { +#if GCRYPT_VERSION_NUMBER >= 0x010601 + if (flags) + *flags |= GCRY_MD_FLAG_BUGEMU1; +#endif + hash_name = "whirlpool"; + } + + i = 0; + while (hash_algs[i].name) { + if (!strcasecmp(name, hash_algs[i].name)) { + hash_name = hash_algs[i].gcrypt_name; + break; + } + i++; + } + + return hash_name; +} + /* HASH */ int crypt_hash_size(const char *name) { @@ -83,7 +202,7 @@ int crypt_hash_size(const char *name) assert(crypto_backend_initialised); - hash_id = gcry_md_map_name(name); + hash_id = gcry_md_map_name(crypt_hash_compat_name(name, NULL)); if (!hash_id) return -EINVAL; @@ -93,6 +212,7 @@ int crypt_hash_size(const char *name) int crypt_hash_init(struct crypt_hash **ctx, const char *name) { struct crypt_hash *h; + unsigned int flags = 0; assert(crypto_backend_initialised); @@ -100,13 +220,13 @@ int crypt_hash_init(struct crypt_hash **ctx, const char *name) if (!h) return -ENOMEM; - h->hash_id = gcry_md_map_name(name); + h->hash_id = gcry_md_map_name(crypt_hash_compat_name(name, &flags)); if (!h->hash_id) { free(h); return -EINVAL; } - if (gcry_md_open(&h->hd, h->hash_id, 0)) { + if (gcry_md_open(&h->hd, h->hash_id, flags)) { free(h); return -EINVAL; } @@ -144,12 +264,11 @@ int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length) return 0; } -int crypt_hash_destroy(struct crypt_hash *ctx) +void crypt_hash_destroy(struct crypt_hash *ctx) { gcry_md_close(ctx->hd); memset(ctx, 0, sizeof(*ctx)); free(ctx); - return 0; } /* HMAC */ @@ -159,9 +278,10 @@ int crypt_hmac_size(const char *name) } int crypt_hmac_init(struct crypt_hmac **ctx, const char *name, - const void *buffer, size_t length) + const void *key, size_t key_length) { struct crypt_hmac *h; + unsigned int flags = GCRY_MD_FLAG_HMAC; assert(crypto_backend_initialised); @@ -169,18 +289,18 @@ int crypt_hmac_init(struct crypt_hmac **ctx, const char *name, if (!h) return -ENOMEM; - h->hash_id = gcry_md_map_name(name); + h->hash_id = gcry_md_map_name(crypt_hash_compat_name(name, &flags)); if (!h->hash_id) { free(h); return -EINVAL; } - if (gcry_md_open(&h->hd, h->hash_id, GCRY_MD_FLAG_HMAC)) { + if (gcry_md_open(&h->hd, h->hash_id, flags)) { free(h); return -EINVAL; } - if (gcry_md_setkey(h->hd, buffer, length)) { + if (gcry_md_setkey(h->hd, key, key_length)) { gcry_md_close(h->hd); free(h); return -EINVAL; @@ -219,10 +339,214 @@ int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length) return 0; } -int crypt_hmac_destroy(struct crypt_hmac *ctx) +void crypt_hmac_destroy(struct crypt_hmac *ctx) { gcry_md_close(ctx->hd); memset(ctx, 0, sizeof(*ctx)); free(ctx); +} + +/* RNG */ +int crypt_backend_rng(char *buffer, size_t length, int quality, int fips) +{ + switch(quality) { + case CRYPT_RND_NORMAL: + gcry_randomize(buffer, length, GCRY_STRONG_RANDOM); + break; + case CRYPT_RND_SALT: + case CRYPT_RND_KEY: + default: + gcry_randomize(buffer, length, GCRY_VERY_STRONG_RANDOM); + break; + } return 0; } + +static int pbkdf2(const char *hash, + const char *password, size_t password_length, + const char *salt, size_t salt_length, + char *key, size_t key_length, + uint32_t iterations) +{ + const char *hash_name = crypt_hash_compat_name(hash, NULL); + +#if USE_INTERNAL_PBKDF2 + return pkcs5_pbkdf2(hash_name, password, password_length, salt, salt_length, + iterations, key_length, key, 0); +#else /* USE_INTERNAL_PBKDF2 */ + int hash_id = gcry_md_map_name(hash_name); + + if (!hash_id) + return -EINVAL; + + if (gcry_kdf_derive(password, password_length, GCRY_KDF_PBKDF2, hash_id, + salt, salt_length, iterations, key_length, key)) + return -EINVAL; + + return 0; +#endif /* USE_INTERNAL_PBKDF2 */ +} + +/* PBKDF */ +int crypt_pbkdf(const char *kdf, const char *hash, + const char *password, size_t password_length, + const char *salt, size_t salt_length, + char *key, size_t key_length, + uint32_t iterations, uint32_t memory, uint32_t parallel) +{ + if (!kdf) + return -EINVAL; + + if (!strcmp(kdf, "pbkdf2")) + return pbkdf2(hash, password, password_length, salt, salt_length, + key, key_length, iterations); + else if (!strncmp(kdf, "argon2", 6)) + return argon2(kdf, password, password_length, salt, salt_length, + key, key_length, iterations, memory, parallel); + return -EINVAL; +} + +/* Block ciphers */ +static int _cipher_init(gcry_cipher_hd_t *hd, const char *name, + const char *mode, const void *buffer, size_t length) +{ + int cipher_id, mode_id; + + cipher_id = gcry_cipher_map_name(name); + if (cipher_id == GCRY_CIPHER_MODE_NONE) + return -ENOENT; + + if (!strcmp(mode, "ecb")) + mode_id = GCRY_CIPHER_MODE_ECB; + else if (!strcmp(mode, "cbc")) + mode_id = GCRY_CIPHER_MODE_CBC; +#if HAVE_DECL_GCRY_CIPHER_MODE_XTS + else if (!strcmp(mode, "xts")) + mode_id = GCRY_CIPHER_MODE_XTS; +#endif + else + return -ENOENT; + + if (gcry_cipher_open(hd, cipher_id, mode_id, 0)) + return -EINVAL; + + if (gcry_cipher_setkey(*hd, buffer, length)) { + gcry_cipher_close(*hd); + return -EINVAL; + } + + return 0; +} + +int crypt_cipher_init(struct crypt_cipher **ctx, const char *name, + const char *mode, const void *key, size_t key_length) +{ + struct crypt_cipher *h; + int r; + + h = malloc(sizeof(*h)); + if (!h) + return -ENOMEM; + + if (!_cipher_init(&h->u.hd, name, mode, key, key_length)) { + h->use_kernel = false; + *ctx = h; + return 0; + } + + r = crypt_cipher_init_kernel(&h->u.kernel, name, mode, key, key_length); + if (r < 0) { + free(h); + return r; + } + + h->use_kernel = true; + *ctx = h; + return 0; +} + +void crypt_cipher_destroy(struct crypt_cipher *ctx) +{ + if (ctx->use_kernel) + crypt_cipher_destroy_kernel(&ctx->u.kernel); + else + gcry_cipher_close(ctx->u.hd); + free(ctx); +} + +int crypt_cipher_encrypt(struct crypt_cipher *ctx, + const char *in, char *out, size_t length, + const char *iv, size_t iv_length) +{ + if (ctx->use_kernel) + return crypt_cipher_encrypt_kernel(&ctx->u.kernel, in, out, length, iv, iv_length); + + if (iv && gcry_cipher_setiv(ctx->u.hd, iv, iv_length)) + return -EINVAL; + + if (gcry_cipher_encrypt(ctx->u.hd, out, length, in, length)) + return -EINVAL; + + return 0; +} + +int crypt_cipher_decrypt(struct crypt_cipher *ctx, + const char *in, char *out, size_t length, + const char *iv, size_t iv_length) +{ + if (ctx->use_kernel) + return crypt_cipher_decrypt_kernel(&ctx->u.kernel, in, out, length, iv, iv_length); + + if (iv && gcry_cipher_setiv(ctx->u.hd, iv, iv_length)) + return -EINVAL; + + if (gcry_cipher_decrypt(ctx->u.hd, out, length, in, length)) + return -EINVAL; + + return 0; +} + +bool crypt_cipher_kernel_only(struct crypt_cipher *ctx) +{ + return ctx->use_kernel; +} + +int crypt_bitlk_decrypt_key(const void *key, size_t key_length, + const char *in, char *out, size_t length, + const char *iv, size_t iv_length, + const char *tag, size_t tag_length) +{ +#ifdef GCRY_CCM_BLOCK_LEN + gcry_cipher_hd_t hd; + uint64_t l[3]; + int r = -EINVAL; + + if (gcry_cipher_open(&hd, GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_CCM, 0)) + return -EINVAL; + + if (gcry_cipher_setkey(hd, key, key_length)) + goto out; + + if (gcry_cipher_setiv(hd, iv, iv_length)) + goto out; + + l[0] = length; + l[1] = 0; + l[2] = tag_length; + if (gcry_cipher_ctl(hd, GCRYCTL_SET_CCM_LENGTHS, l, sizeof(l))) + goto out; + + if (gcry_cipher_decrypt(hd, out, length, in, length)) + goto out; + + if (gcry_cipher_checktag(hd, tag, tag_length)) + goto out; + + r = 0; +out: + gcry_cipher_close(hd); + return r; +#else + return -ENOTSUP; +#endif +}