else
GCRYPT_REQ_VERSION=1.1.42
fi
+ dnl Check if we can use gcrypt PBKDF2 (1.6.0 supports empty password)
+ AM_PATH_LIBGCRYPT([1.6.0], [use_internal_pbkdf2=0], [use_internal_pbkdf2=1])
AM_PATH_LIBGCRYPT($GCRYPT_REQ_VERSION,,[AC_MSG_ERROR([You need the gcrypt library.])])
if test x$enable_static_cryptsetup = xyes; then
AC_MSG_ERROR([You need openssl library.]))
CRYPTO_CFLAGS=$OPENSSL_CFLAGS
CRYPTO_LIBS=$OPENSSL_LIBS
+ use_internal_pbkdf2=0
if test x$enable_static_cryptsetup = xyes; then
saved_PKG_CONFIG=$PKG_CONFIG
CRYPTO_CFLAGS=$NSS_CFLAGS
CRYPTO_LIBS=$NSS_LIBS
+ use_internal_pbkdf2=1
NO_FIPS([])
])
# AC_CHECK_DECLS([AF_ALG],,
# [AC_MSG_ERROR([You need Linux kernel with userspace crypto interface.])],
# [#include <sys/socket.h>])
+ use_internal_pbkdf2=1
NO_FIPS([])
])
LIBS=$saved_LIBS
CRYPTO_STATIC_LIBS=$CRYPTO_LIBS
+ use_internal_pbkdf2=1
NO_FIPS([])
])
AM_CONDITIONAL(CRYPTO_BACKEND_KERNEL, test $with_crypto_backend = kernel)
AM_CONDITIONAL(CRYPTO_BACKEND_NETTLE, test $with_crypto_backend = nettle)
+AM_CONDITIONAL(CRYPTO_INTERNAL_PBKDF2, test $use_internal_pbkdf2 = 1)
+AC_DEFINE_UNQUOTED(USE_INTERNAL_PBKDF2, [$use_internal_pbkdf2], [Use internal PBKDF2])
+
dnl Magic for cryptsetup.static build.
if test x$enable_static_cryptsetup = xyes; then
saved_PKG_CONFIG=$PKG_CONFIG
if CRYPTO_BACKEND_GCRYPT
libcrypto_backend_la_SOURCES += crypto_gcrypt.c
-libcrypto_backend_la_SOURCES += pbkdf2_generic.c
endif
if CRYPTO_BACKEND_OPENSSL
libcrypto_backend_la_SOURCES += crypto_openssl.c
endif
if CRYPTO_BACKEND_NSS
libcrypto_backend_la_SOURCES += crypto_nss.c
-libcrypto_backend_la_SOURCES += pbkdf2_generic.c
endif
if CRYPTO_BACKEND_KERNEL
libcrypto_backend_la_SOURCES += crypto_kernel.c
-libcrypto_backend_la_SOURCES += pbkdf2_generic.c
endif
if CRYPTO_BACKEND_NETTLE
libcrypto_backend_la_SOURCES += crypto_nettle.c
+endif
+
+if CRYPTO_INTERNAL_PBKDF2
libcrypto_backend_la_SOURCES += pbkdf2_generic.c
endif
char *key, size_t key_length,
unsigned int iterations)
{
+#if USE_INTERNAL_PBKDF2
if (!kdf || strncmp(kdf, "pbkdf2", 6))
return -EINVAL;
return pkcs5_pbkdf2(hash, password, password_length, salt, salt_length,
iterations, key_length, key);
-}
-#if 0
-/* Until bug in gcrypt related to empty password is fixed, cannot use this */
-int crypt_pbkdf(const char *kdf, const char *hash,
- const char *password, size_t password_length,
- const char *salt, size_t salt_length,
- char *key, size_t key_length,
- unsigned int iterations)
-{
+#else /* USE_INTERNAL_PBKDF2 */
int hash_id = gcry_md_map_name(hash);
int kdf_id;
return -EINVAL;
return 0;
+#endif /* USE_INTERNAL_PBKDF2 */
}
-#endif