Add version string to crypto backend.

Move fips check to libcryptsetup.
Clean up internal.h use.

lib/crypt_plain.c

@@ -22,8 +22,8 @@
 #include <stdlib.h>
 #include <errno.h>
 
+#include "libcryptsetup.h"
 #include "internal.h"
-#include "crypto_backend.h"
 
 static int hash(const char *hash_name, size_t key_size, char *key,
 		size_t passphrase_size, const char *passphrase)

lib/crypto_backend/crypto_backend.h

@@ -19,9 +19,10 @@
 #ifndef _CRYPTO_BACKEND_H
 #define _CRYPTO_BACKEND_H
 
-#include "libcryptsetup.h"
-#include "internal.h"
+#include <stdint.h>
+#include "config.h"
 
+struct crypt_device;
 struct crypt_hash;
 struct crypt_hmac;
 
@@ -30,6 +31,7 @@ int crypt_backend_init(struct crypt_device *ctx);
 #define CRYPT_BACKEND_KERNEL (1 << 0)	/* Crypto uses kernel part, for benchmark */
 
 uint32_t crypt_backend_flags(void);
+const char *crypt_backend_version(void);
 
 /* HASH */
 int crypt_hash_size(const char *name);
@@ -47,6 +49,7 @@ int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length);
 int crypt_hmac_destroy(struct crypt_hmac *ctx);
 
 /* RNG (must be usable in FIPS mode) */
+enum { CRYPT_RND_NORMAL = 0, CRYPT_RND_KEY = 1, CRYPT_RND_SALT = 2 };
 int crypt_backend_fips_rng(char *buffer, size_t length, int quality);
 
 #endif /* _CRYPTO_BACKEND_H */

lib/crypto_backend/crypto_gcrypt.c

@@ -18,12 +18,15 @@
  */
 
 #include <string.h>
+#include <stdio.h>
 #include <errno.h>
 #include <assert.h>
 #include <gcrypt.h>
 #include "crypto_backend.h"
 
 static int crypto_backend_initialised = 0;
+static int crypto_backend_secmem = 1;
+static char version[64];
 
 struct crypt_hash {
 	gcry_md_hd_t hd;
@@ -42,8 +45,6 @@ int crypt_backend_init(struct crypt_device *ctx)
 	if (crypto_backend_initialised)
 		return 0;
 
-	log_dbg("Initialising gcrypt crypto backend.");
-	crypt_fips_libcryptsetup_check(ctx);
 	if (!gcry_control (GCRYCTL_INITIALIZATION_FINISHED_P)) {
 		if (!gcry_check_version (GCRYPT_REQ_VERSION)) {
 			return -ENOSYS;
@@ -56,8 +57,8 @@ int crypt_backend_init(struct crypt_device *ctx)
  * and it locks its memory space anyway.
  */
 #if 0
-		log_dbg("Initializing crypto backend (secure memory disabled).");
 		gcry_control (GCRYCTL_DISABLE_SECMEM);
+		crypto_backend_secmem = 0;
 #else
 
 		gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN);
@@ -67,10 +68,18 @@ int crypt_backend_init(struct crypt_device *ctx)
 		gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
 	}
 
+	snprintf(version, 64, "gcrypt %s%s",
+		 gcry_check_version(NULL),
+		 crypto_backend_secmem ? "" : ", secmem disabled");
 	crypto_backend_initialised = 1;
 	return 0;
 }
 
+const char *crypt_backend_version(void)
+{
+	return crypto_backend_initialised ? version : "";
+}
+
 uint32_t crypt_backend_flags(void)
 {
 	return 0;

lib/crypto_backend/crypto_kernel.c

@@ -36,6 +36,7 @@
 #endif
 
 static int crypto_backend_initialised = 0;
+static char version[64];
 
 struct hash_alg {
 	const char *name;
@@ -93,7 +94,6 @@ bad:
 int crypt_backend_init(struct crypt_device *ctx)
 {
 	struct utsname uts;
-
 	struct sockaddr_alg sa = {
 		.salg_family = AF_ALG,
 		.salg_type = "hash",
@@ -104,11 +104,8 @@ int crypt_backend_init(struct crypt_device *ctx)
 	if (crypto_backend_initialised)
 		return 0;
 
-	log_dbg("Initialising kernel crypto API backend.");
-
 	if (uname(&uts) == -1 || strcmp(uts.sysname, "Linux"))
 		return -EINVAL;
-	log_dbg("Kernel version %s %s.", uts.sysname, uts.release);
 
 	if (_socket_init(&sa, &tfmfd, &opfd) < 0)
 		return -EINVAL;
@@ -116,6 +113,9 @@ int crypt_backend_init(struct crypt_device *ctx)
 	close(tfmfd);
 	close(opfd);
 
+	snprintf(version, sizeof(version), "%s %s kernel cryptoAPI",
+		 uts.sysname, uts.release);
+
 	crypto_backend_initialised = 1;
 	return 0;
 }
@@ -125,6 +125,11 @@ uint32_t crypt_backend_flags(void)
 	return CRYPT_BACKEND_KERNEL;
 }
 
+const char *crypt_backend_version(void)
+{
+	return crypto_backend_initialised ? version : "";
+}
+
 static struct hash_alg *_get_alg(const char *name)
 {
 	int i = 0;

lib/crypto_backend/crypto_nettle.c

@@ -24,6 +24,8 @@
 #include <nettle/hmac.h>
 #include "crypto_backend.h"
 
+static char *version = "Nettle";
+
 typedef void (*init_func) (void *);
 typedef void (*update_func) (void *, unsigned, const uint8_t *);
 typedef void (*digest_func) (void *, unsigned, uint8_t *);
@@ -135,10 +137,14 @@ static struct hash_alg *_get_alg(const char *name)
 
 int crypt_backend_init(struct crypt_device *ctx)
 {
-	log_dbg("Initialising Nettle crypto backend.");
 	return 0;
 }
 
+const char *crypt_backend_version(void)
+{
+	return version;
+}
+
 /* HASH */
 int crypt_hash_size(const char *name)
 {

lib/crypto_backend/crypto_nss.c

@@ -23,7 +23,11 @@
 #include <pk11pub.h>
 #include "crypto_backend.h"
 
+#define CONST_CAST(x) (x)(uintptr_t)
+
 static int crypto_backend_initialised = 0;
+static char version[64];
+
 
 struct hash_alg {
 	const char *name;
@@ -70,10 +74,10 @@ int crypt_backend_init(struct crypt_device *ctx)
 	if (crypto_backend_initialised)
 		return 0;
 
-	log_dbg("Initialising NSS crypto backend.");
 	if (NSS_NoDB_Init(".") != SECSuccess)
 		return -EINVAL;
 
+	snprintf(version, 64, "NSS %s", NSS_GetVersion());
 	crypto_backend_initialised = 1;
 	return 0;
 }
@@ -83,6 +87,11 @@ uint32_t crypt_backend_flags(void)
 	return 0;
 }
 
+const char *crypt_backend_version(void)
+{
+	return crypto_backend_initialised ? version : "";
+}
+
 /* HASH */
 int crypt_hash_size(const char *name)
 {

lib/crypto_backend/crypto_openssl.c

@@ -52,7 +52,6 @@ int crypt_backend_init(struct crypt_device *ctx)
 		return 0;
 
 	OpenSSL_add_all_digests();
-	log_dbg("OpenSSL crypto backend initialized.");
 
 	crypto_backend_initialised = 1;
 	return 0;
@@ -63,6 +62,11 @@ uint32_t crypt_backend_flags(void)
 	return 0;
 }
 
+const char *crypt_backend_version(void)
+{
+	return SSLeay_version(SSLEAY_VERSION);
+}
+
 /* HASH */
 int crypt_hash_size(const char *name)
 {

lib/internal.h

@@ -36,6 +36,7 @@
 #include "utils_loop.h"
 #include "utils_dm.h"
 #include "utils_fips.h"
+#include "crypto_backend.h"
 
 /* to silent gcc -Wcast-qual for const cast */
 #define CONST_CAST(x) (x)(uintptr_t)
@@ -98,7 +99,6 @@ void get_topology_alignment(const char *device,
 			    unsigned long *alignment_offset,   /* bytes */
 			    unsigned long default_alignment);
 
-enum { CRYPT_RND_NORMAL = 0, CRYPT_RND_KEY = 1, CRYPT_RND_SALT = 2 };
 int crypt_random_init(struct crypt_device *ctx);
 int crypt_random_get(struct crypt_device *ctx, char *buf, size_t len, int quality);
 void crypt_random_exit(void);

lib/loopaes/loopaes.c

@@ -22,8 +22,9 @@
 #include <stdlib.h>
 #include <string.h>
 
-#include "crypto_backend.h"
+#include "libcryptsetup.h"
 #include "loopaes.h"
+#include "internal.h"
 
 static const char *get_hash(unsigned int key_size)
 {

lib/luks1/af.c

@@ -26,7 +26,6 @@
 #include <string.h>
 #include <netinet/in.h>
 #include <errno.h>
-#include "crypto_backend.h"
 #include "internal.h"
 #include "af.h"
 

lib/random.c

@@ -25,7 +25,6 @@
 
 #include "libcryptsetup.h"
 #include "internal.h"
-#include "crypto_backend.h"
 
 static int random_initialised = 0;
 

lib/setup.c

@@ -30,7 +30,6 @@
 #include "luks.h"
 #include "loopaes.h"
 #include "internal.h"
-#include "crypto_backend.h"
 
 struct crypt_device {
 	char *type;
@@ -157,6 +156,8 @@ static int init_crypto(struct crypt_device *ctx)
 {
 	int r;
 
+	crypt_fips_libcryptsetup_check(ctx);
+
 	r = crypt_random_init(ctx);
 	if (r < 0) {
 		log_err(ctx, _("Cannot initialize crypto RNG backend.\n"));
@@ -167,6 +168,7 @@ static int init_crypto(struct crypt_device *ctx)
 	if (r < 0)
 		log_err(ctx, _("Cannot initialize crypto backend.\n"));
 
+	log_dbg("Crypto backend (%s) initialized.", crypt_backend_version());
 	return r;
 }