2 * GCRYPT crypto backend implementation
4 * Copyright (C) 2010-2020 Red Hat, Inc. All rights reserved.
5 * Copyright (C) 2010-2020 Milan Broz
7 * This file is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
12 * This file is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this file; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
27 #include "crypto_backend_internal.h"
29 static int crypto_backend_initialised = 0;
30 static int crypto_backend_secmem = 1;
31 static int crypto_backend_whirlpool_bug = -1;
32 static char version[64];
49 struct crypt_cipher_kernel kernel;
55 * Test for wrong Whirlpool variant,
56 * Ref: http://lists.gnupg.org/pipermail/gcrypt-devel/2014-January/002889.html
58 static void crypt_hash_test_whirlpool_bug(void)
61 char buf[2] = "\0\0", hash_out1[64], hash_out2[64];
64 if (crypto_backend_whirlpool_bug >= 0)
67 crypto_backend_whirlpool_bug = 0;
68 if (crypt_hash_init(&h, "whirlpool"))
72 if ((r = crypt_hash_write(h, &buf[0], 2)) ||
73 (r = crypt_hash_final(h, hash_out1, 64))) {
74 crypt_hash_destroy(h);
78 /* Split buf (crypt_hash_final resets hash state) */
79 if ((r = crypt_hash_write(h, &buf[0], 1)) ||
80 (r = crypt_hash_write(h, &buf[1], 1)) ||
81 (r = crypt_hash_final(h, hash_out2, 64))) {
82 crypt_hash_destroy(h);
86 crypt_hash_destroy(h);
88 if (memcmp(hash_out1, hash_out2, 64))
89 crypto_backend_whirlpool_bug = 1;
92 int crypt_backend_init(void)
94 if (crypto_backend_initialised)
97 if (!gcry_control (GCRYCTL_INITIALIZATION_FINISHED_P)) {
98 if (!gcry_check_version (GCRYPT_REQ_VERSION)) {
102 /* FIXME: If gcrypt compiled to support POSIX 1003.1e capabilities,
103 * it drops all privileges during secure memory initialisation.
104 * For now, the only workaround is to disable secure memory in gcrypt.
105 * cryptsetup always need at least cap_sys_admin privilege for dm-ioctl
106 * and it locks its memory space anyway.
109 gcry_control (GCRYCTL_DISABLE_SECMEM);
110 crypto_backend_secmem = 0;
113 gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
114 gcry_control (GCRYCTL_INIT_SECMEM, 16384, 0);
115 gcry_control (GCRYCTL_RESUME_SECMEM_WARN);
117 gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
120 crypto_backend_initialised = 1;
121 crypt_hash_test_whirlpool_bug();
123 snprintf(version, 64, "gcrypt %s%s%s",
124 gcry_check_version(NULL),
125 crypto_backend_secmem ? "" : ", secmem disabled",
126 crypto_backend_whirlpool_bug > 0 ? ", flawed whirlpool" : ""
132 void crypt_backend_destroy(void)
134 if (crypto_backend_initialised)
135 gcry_control(GCRYCTL_TERM_SECMEM);
137 crypto_backend_initialised = 0;
140 const char *crypt_backend_version(void)
142 return crypto_backend_initialised ? version : "";
145 uint32_t crypt_backend_flags(void)
150 static const char *crypt_hash_compat_name(const char *name, unsigned int *flags)
152 const char *hash_name = name;
154 /* "whirlpool_gcryptbug" is out shortcut to flawed whirlpool
155 * in libgcrypt < 1.6.0 */
156 if (name && !strcasecmp(name, "whirlpool_gcryptbug")) {
157 #if GCRYPT_VERSION_NUMBER >= 0x010601
159 *flags |= GCRY_MD_FLAG_BUGEMU1;
161 hash_name = "whirlpool";
168 int crypt_hash_size(const char *name)
172 assert(crypto_backend_initialised);
174 hash_id = gcry_md_map_name(crypt_hash_compat_name(name, NULL));
178 return gcry_md_get_algo_dlen(hash_id);
181 int crypt_hash_init(struct crypt_hash **ctx, const char *name)
183 struct crypt_hash *h;
184 unsigned int flags = 0;
186 assert(crypto_backend_initialised);
188 h = malloc(sizeof(*h));
192 h->hash_id = gcry_md_map_name(crypt_hash_compat_name(name, &flags));
198 if (gcry_md_open(&h->hd, h->hash_id, flags)) {
203 h->hash_len = gcry_md_get_algo_dlen(h->hash_id);
208 static void crypt_hash_restart(struct crypt_hash *ctx)
210 gcry_md_reset(ctx->hd);
213 int crypt_hash_write(struct crypt_hash *ctx, const char *buffer, size_t length)
215 gcry_md_write(ctx->hd, buffer, length);
219 int crypt_hash_final(struct crypt_hash *ctx, char *buffer, size_t length)
223 if (length > (size_t)ctx->hash_len)
226 hash = gcry_md_read(ctx->hd, ctx->hash_id);
230 memcpy(buffer, hash, length);
231 crypt_hash_restart(ctx);
236 void crypt_hash_destroy(struct crypt_hash *ctx)
238 gcry_md_close(ctx->hd);
239 memset(ctx, 0, sizeof(*ctx));
244 int crypt_hmac_size(const char *name)
246 return crypt_hash_size(name);
249 int crypt_hmac_init(struct crypt_hmac **ctx, const char *name,
250 const void *key, size_t key_length)
252 struct crypt_hmac *h;
253 unsigned int flags = GCRY_MD_FLAG_HMAC;
255 assert(crypto_backend_initialised);
257 h = malloc(sizeof(*h));
261 h->hash_id = gcry_md_map_name(crypt_hash_compat_name(name, &flags));
267 if (gcry_md_open(&h->hd, h->hash_id, flags)) {
272 if (gcry_md_setkey(h->hd, key, key_length)) {
273 gcry_md_close(h->hd);
278 h->hash_len = gcry_md_get_algo_dlen(h->hash_id);
283 static void crypt_hmac_restart(struct crypt_hmac *ctx)
285 gcry_md_reset(ctx->hd);
288 int crypt_hmac_write(struct crypt_hmac *ctx, const char *buffer, size_t length)
290 gcry_md_write(ctx->hd, buffer, length);
294 int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length)
298 if (length > (size_t)ctx->hash_len)
301 hash = gcry_md_read(ctx->hd, ctx->hash_id);
305 memcpy(buffer, hash, length);
306 crypt_hmac_restart(ctx);
311 void crypt_hmac_destroy(struct crypt_hmac *ctx)
313 gcry_md_close(ctx->hd);
314 memset(ctx, 0, sizeof(*ctx));
319 int crypt_backend_rng(char *buffer, size_t length, int quality, int fips)
322 case CRYPT_RND_NORMAL:
323 gcry_randomize(buffer, length, GCRY_STRONG_RANDOM);
328 gcry_randomize(buffer, length, GCRY_VERY_STRONG_RANDOM);
334 static int pbkdf2(const char *hash,
335 const char *password, size_t password_length,
336 const char *salt, size_t salt_length,
337 char *key, size_t key_length,
340 const char *hash_name = crypt_hash_compat_name(hash, NULL);
342 #if USE_INTERNAL_PBKDF2
343 return pkcs5_pbkdf2(hash_name, password, password_length, salt, salt_length,
344 iterations, key_length, key, 0);
345 #else /* USE_INTERNAL_PBKDF2 */
346 int hash_id = gcry_md_map_name(hash_name);
351 if (gcry_kdf_derive(password, password_length, GCRY_KDF_PBKDF2, hash_id,
352 salt, salt_length, iterations, key_length, key))
356 #endif /* USE_INTERNAL_PBKDF2 */
360 int crypt_pbkdf(const char *kdf, const char *hash,
361 const char *password, size_t password_length,
362 const char *salt, size_t salt_length,
363 char *key, size_t key_length,
364 uint32_t iterations, uint32_t memory, uint32_t parallel)
369 if (!strcmp(kdf, "pbkdf2"))
370 return pbkdf2(hash, password, password_length, salt, salt_length,
371 key, key_length, iterations);
372 else if (!strncmp(kdf, "argon2", 6))
373 return argon2(kdf, password, password_length, salt, salt_length,
374 key, key_length, iterations, memory, parallel);
379 static int _cipher_init(gcry_cipher_hd_t *hd, const char *name,
380 const char *mode, const void *buffer, size_t length)
382 int cipher_id, mode_id;
384 cipher_id = gcry_cipher_map_name(name);
385 if (cipher_id == GCRY_CIPHER_MODE_NONE)
388 if (!strcmp(mode, "ecb"))
389 mode_id = GCRY_CIPHER_MODE_ECB;
390 else if (!strcmp(mode, "cbc"))
391 mode_id = GCRY_CIPHER_MODE_CBC;
392 #if HAVE_DECL_GCRY_CIPHER_MODE_XTS
393 else if (!strcmp(mode, "xts"))
394 mode_id = GCRY_CIPHER_MODE_XTS;
399 if (gcry_cipher_open(hd, cipher_id, mode_id, 0))
402 if (gcry_cipher_setkey(*hd, buffer, length)) {
403 gcry_cipher_close(*hd);
410 int crypt_cipher_init(struct crypt_cipher **ctx, const char *name,
411 const char *mode, const void *key, size_t key_length)
413 struct crypt_cipher *h;
416 h = malloc(sizeof(*h));
420 if (!_cipher_init(&h->u.hd, name, mode, key, key_length)) {
421 h->use_kernel = false;
426 r = crypt_cipher_init_kernel(&h->u.kernel, name, mode, key, key_length);
432 h->use_kernel = true;
437 void crypt_cipher_destroy(struct crypt_cipher *ctx)
440 crypt_cipher_destroy_kernel(&ctx->u.kernel);
442 gcry_cipher_close(ctx->u.hd);
446 int crypt_cipher_encrypt(struct crypt_cipher *ctx,
447 const char *in, char *out, size_t length,
448 const char *iv, size_t iv_length)
451 return crypt_cipher_encrypt_kernel(&ctx->u.kernel, in, out, length, iv, iv_length);
453 if (iv && gcry_cipher_setiv(ctx->u.hd, iv, iv_length))
456 if (gcry_cipher_encrypt(ctx->u.hd, out, length, in, length))
462 int crypt_cipher_decrypt(struct crypt_cipher *ctx,
463 const char *in, char *out, size_t length,
464 const char *iv, size_t iv_length)
467 return crypt_cipher_decrypt_kernel(&ctx->u.kernel, in, out, length, iv, iv_length);
469 if (iv && gcry_cipher_setiv(ctx->u.hd, iv, iv_length))
472 if (gcry_cipher_decrypt(ctx->u.hd, out, length, in, length))
478 bool crypt_cipher_kernel_only(struct crypt_cipher *ctx)
480 return ctx->use_kernel;
483 int crypt_bitlk_decrypt_key(const void *key, size_t key_length,
484 const char *in, char *out, size_t length,
485 const char *iv, size_t iv_length,
486 const char *tag, size_t tag_length)
488 #ifdef GCRY_CCM_BLOCK_LEN
493 if (gcry_cipher_open(&hd, GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_CCM, 0))
496 if (gcry_cipher_setkey(hd, key, key_length))
499 if (gcry_cipher_setiv(hd, iv, iv_length))
505 if (gcry_cipher_ctl(hd, GCRYCTL_SET_CCM_LENGTHS, l, sizeof(l)))
508 if (gcry_cipher_decrypt(hd, out, length, in, length))
511 if (gcry_cipher_checktag(hd, tag, tag_length))
516 gcry_cipher_close(hd);