From 20eea64334cf539f9931daab9bcef03f6a220b3d Mon Sep 17 00:00:00 2001 From: Milan Broz Date: Sun, 27 May 2012 00:48:10 +0200 Subject: [PATCH] Add version string to crypto backend. Move fips check to libcryptsetup. Clean up internal.h use. --- lib/crypt_plain.c | 2 +- lib/crypto_backend/crypto_backend.h | 7 +++++-- lib/crypto_backend/crypto_gcrypt.c | 15 ++++++++++++--- lib/crypto_backend/crypto_kernel.c | 13 +++++++++---- lib/crypto_backend/crypto_nettle.c | 8 +++++++- lib/crypto_backend/crypto_nss.c | 11 ++++++++++- lib/crypto_backend/crypto_openssl.c | 6 +++++- lib/internal.h | 2 +- lib/loopaes/loopaes.c | 3 ++- lib/luks1/af.c | 1 - lib/random.c | 1 - lib/setup.c | 4 +++- 12 files changed, 55 insertions(+), 18 deletions(-) diff --git a/lib/crypt_plain.c b/lib/crypt_plain.c index 19a62e22..dc4fac30 100644 --- a/lib/crypt_plain.c +++ b/lib/crypt_plain.c @@ -22,8 +22,8 @@ #include #include +#include "libcryptsetup.h" #include "internal.h" -#include "crypto_backend.h" static int hash(const char *hash_name, size_t key_size, char *key, size_t passphrase_size, const char *passphrase) diff --git a/lib/crypto_backend/crypto_backend.h b/lib/crypto_backend/crypto_backend.h index 81d74e63..23192dfd 100644 --- a/lib/crypto_backend/crypto_backend.h +++ b/lib/crypto_backend/crypto_backend.h @@ -19,9 +19,10 @@ #ifndef _CRYPTO_BACKEND_H #define _CRYPTO_BACKEND_H -#include "libcryptsetup.h" -#include "internal.h" +#include +#include "config.h" +struct crypt_device; struct crypt_hash; struct crypt_hmac; @@ -30,6 +31,7 @@ int crypt_backend_init(struct crypt_device *ctx); #define CRYPT_BACKEND_KERNEL (1 << 0) /* Crypto uses kernel part, for benchmark */ uint32_t crypt_backend_flags(void); +const char *crypt_backend_version(void); /* HASH */ int crypt_hash_size(const char *name); 
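Review bot: The new prototype `const char *crypt_backend_version(void);` in lib/crypto_backend/crypto_backend.h (hunk at -30,6 +31,7) has no stated contract, and the backends in this patch do not agree on one. The gcrypt, kernel and NSS versions return `""` until crypt_backend_init() has succeeded, while the Nettle and OpenSSL versions return a string unconditionally. A short comment above the prototype would settle it, for example `/* Static, NUL-terminated backend description; "" if not initialised. Never NULL, caller must not free. */`. The never-NULL part matters most, because lib/setup.c passes the result straight to a `%s` format.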
@@ -47,6 +49,7 @@ int crypt_hmac_final(struct crypt_hmac *ctx, char *buffer, size_t length); int crypt_hmac_destroy(struct crypt_hmac *ctx); /* RNG (must be usable in FIPS mode) */ +enum { CRYPT_RND_NORMAL = 0, CRYPT_RND_KEY = 1, CRYPT_RND_SALT = 2 }; int crypt_backend_fips_rng(char *buffer, size_t length, int quality); #endif /* _CRYPTO_BACKEND_H */ diff --git a/lib/crypto_backend/crypto_gcrypt.c b/lib/crypto_backend/crypto_gcrypt.c index 033b7a86..f0c9bec3 100644 --- a/lib/crypto_backend/crypto_gcrypt.c +++ b/lib/crypto_backend/crypto_gcrypt.c @@ -18,12 +18,15 @@ */ #include +#include #include #include #include #include "crypto_backend.h" static int crypto_backend_initialised = 0; +static int crypto_backend_secmem = 1; +static char version[64]; struct crypt_hash { gcry_md_hd_t hd; @@ -42,8 +45,6 @@ int crypt_backend_init(struct crypt_device *ctx) if (crypto_backend_initialised) return 0; - log_dbg("Initialising gcrypt crypto backend."); - crypt_fips_libcryptsetup_check(ctx); if (!gcry_control (GCRYCTL_INITIALIZATION_FINISHED_P)) { if (!gcry_check_version (GCRYPT_REQ_VERSION)) { return -ENOSYS; @@ -56,8 +57,8 @@ int crypt_backend_init(struct crypt_device *ctx) * and it locks its memory space anyway. */ #if 0 - log_dbg("Initializing crypto backend (secure memory disabled)."); gcry_control (GCRYCTL_DISABLE_SECMEM); + crypto_backend_secmem = 0; #else gcry_control (GCRYCTL_SUSPEND_SECMEM_WARN); @@ -67,10 +68,18 @@ int crypt_backend_init(struct crypt_device *ctx) gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0); } + snprintf(version, 64, "gcrypt %s%s", + gcry_check_version(NULL), + crypto_backend_secmem ? "" : ", secmem disabled"); crypto_backend_initialised = 1; return 0; } +const char *crypt_backend_version(void) +{ + return crypto_backend_initialised ? version : ""; +} + uint32_t crypt_backend_flags(void) { return 0; diff --git a/lib/crypto_backend/crypto_kernel.c b/lib/crypto_backend/crypto_kernel.c index da9f1ea0..b0eb0421 100644 
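Review bot: In crypt_backend_init() of lib/crypto_backend/crypto_gcrypt.c (hunk at -67,10 +68,18) the buffer bound is repeated as a literal, `snprintf(version, 64, ...)`, so a later resize of `static char version[64]` can leave the two out of step. Using `snprintf(version, sizeof(version), "gcrypt %s%s", ...)` matches what the kernel backend does in this same patch. The NSS hunk has the same literal in `snprintf(version, 64, "NSS %s", NSS_GetVersion());`. Separately, `crypto_backend_secmem` is only changed on the path where this library initialises gcrypt itself, so when the application has already finished gcrypt initialisation the string presumably never reports "secmem disabled", whatever the real state. A comment beside the flag such as `/* reflects only libcryptsetup's own init choice */` would stop it being read as an authoritative report.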
--- a/lib/crypto_backend/crypto_kernel.c +++ b/lib/crypto_backend/crypto_kernel.c @@ -36,6 +36,7 @@ #endif static int crypto_backend_initialised = 0; +static char version[64]; struct hash_alg { const char *name; @@ -93,7 +94,6 @@ bad: int crypt_backend_init(struct crypt_device *ctx) { struct utsname uts; - struct sockaddr_alg sa = { .salg_family = AF_ALG, .salg_type = "hash", @@ -104,11 +104,8 @@ int crypt_backend_init(struct crypt_device *ctx) if (crypto_backend_initialised) return 0; - log_dbg("Initialising kernel crypto API backend."); - if (uname(&uts) == -1 || strcmp(uts.sysname, "Linux")) return -EINVAL; - log_dbg("Kernel version %s %s.", uts.sysname, uts.release); if (_socket_init(&sa, &tfmfd, &opfd) < 0) return -EINVAL; @@ -116,6 +113,9 @@ int crypt_backend_init(struct crypt_device *ctx) close(tfmfd); close(opfd); + snprintf(version, sizeof(version), "%s %s kernel cryptoAPI", + uts.sysname, uts.release); + crypto_backend_initialised = 1; return 0; } @@ -125,6 +125,11 @@ uint32_t crypt_backend_flags(void) return CRYPT_BACKEND_KERNEL; } +const char *crypt_backend_version(void) +{ + return crypto_backend_initialised ? version : ""; +} + static struct hash_alg *_get_alg(const char *name) { int i = 0; diff --git a/lib/crypto_backend/crypto_nettle.c b/lib/crypto_backend/crypto_nettle.c index 9a438a84..f41ae7c6 100644 --- a/lib/crypto_backend/crypto_nettle.c +++ b/lib/crypto_backend/crypto_nettle.c @@ -24,6 +24,8 @@ #include #include "crypto_backend.h" +static char *version = "Nettle"; + typedef void (*init_func) (void *); typedef void (*update_func) (void *, unsigned, const uint8_t *); typedef void (*digest_func) (void *, unsigned, uint8_t *); @@ -135,10 +137,14 @@ static struct hash_alg *_get_alg(const char *name) int crypt_backend_init(struct crypt_device *ctx) { - log_dbg("Initialising Nettle crypto backend."); return 0; } +const char *crypt_backend_version(void) +{ + return version; +} + /* HASH */ int crypt_hash_size(const char *name) { 
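Review bot: `static char *version = "Nettle";` in lib/crypto_backend/crypto_nettle.c (hunk at -24,6 +24,8) points a non-const `char *` at a string literal, so an accidental write through it would be undefined behaviour, and -Wwrite-strings flags it. crypt_backend_version() already returns `const char *`, so `static const char *version = "Nettle";` or `static const char version[] = "Nettle";` changes nothing for callers.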
diff --git a/lib/crypto_backend/crypto_nss.c b/lib/crypto_backend/crypto_nss.c index 86d429ef..dca91712 100644 --- a/lib/crypto_backend/crypto_nss.c +++ b/lib/crypto_backend/crypto_nss.c @@ -23,7 +23,11 @@ #include #include "crypto_backend.h" +#define CONST_CAST(x) (x)(uintptr_t) + static int crypto_backend_initialised = 0; +static char version[64]; + struct hash_alg { const char *name; @@ -70,10 +74,10 @@ int crypt_backend_init(struct crypt_device *ctx) if (crypto_backend_initialised) return 0; - log_dbg("Initialising NSS crypto backend."); if (NSS_NoDB_Init(".") != SECSuccess) return -EINVAL; + snprintf(version, 64, "NSS %s", NSS_GetVersion()); crypto_backend_initialised = 1; return 0; } @@ -83,6 +87,11 @@ uint32_t crypt_backend_flags(void) return 0; } +const char *crypt_backend_version(void) +{ + return crypto_backend_initialised ? version : ""; +} + /* HASH */ int crypt_hash_size(const char *name) { diff --git a/lib/crypto_backend/crypto_openssl.c b/lib/crypto_backend/crypto_openssl.c index e7f0c59c..3efd8155 100644 --- a/lib/crypto_backend/crypto_openssl.c +++ b/lib/crypto_backend/crypto_openssl.c @@ -52,7 +52,6 @@ int crypt_backend_init(struct crypt_device *ctx) return 0; OpenSSL_add_all_digests(); - log_dbg("OpenSSL crypto backend initialized."); crypto_backend_initialised = 1; return 0; @@ -63,6 +62,11 @@ uint32_t crypt_backend_flags(void) return 0; } +const char *crypt_backend_version(void) +{ + return SSLeay_version(SSLEAY_VERSION); +} + /* HASH */ int crypt_hash_size(const char *name) { diff --git a/lib/internal.h b/lib/internal.h index f7ae8641..1469c4ed 100644 --- a/lib/internal.h +++ b/lib/internal.h @@ -36,6 +36,7 @@ #include "utils_loop.h" #include "utils_dm.h" #include "utils_fips.h" +#include "crypto_backend.h" /* to silent gcc -Wcast-qual for const cast */ #define CONST_CAST(x) (x)(uintptr_t) 
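Review bot: The `#define CONST_CAST(x) (x)(uintptr_t)` added to lib/crypto_backend/crypto_nss.c (hunk at -23,7 +23,11) is a second copy of the macro that lib/internal.h defines, and it lacks the explanatory comment the original carries. The copy is presumably needed because crypto_backend.h no longer includes internal.h. A comment such as `/* local copy of internal.h's CONST_CAST; silences gcc -Wcast-qual */` plus an `#ifndef CONST_CAST` guard would keep the two from drifting apart unnoticed. Whether `uintptr_t` is in scope here depends on an include whose name is not legible in this rendering of the patch, so that is worth confirming.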
@@ -98,7 +99,6 @@ void get_topology_alignment(const char *device, unsigned long *alignment_offset, /* bytes */ unsigned long default_alignment); -enum { CRYPT_RND_NORMAL = 0, CRYPT_RND_KEY = 1, CRYPT_RND_SALT = 2 }; int crypt_random_init(struct crypt_device *ctx); int crypt_random_get(struct crypt_device *ctx, char *buf, size_t len, int quality); void crypt_random_exit(void); diff --git a/lib/loopaes/loopaes.c b/lib/loopaes/loopaes.c index dd61df31..298ff9f7 100644 --- a/lib/loopaes/loopaes.c +++ b/lib/loopaes/loopaes.c @@ -22,8 +22,9 @@ #include #include -#include "crypto_backend.h" +#include "libcryptsetup.h" #include "loopaes.h" +#include "internal.h" static const char *get_hash(unsigned int key_size) { diff --git a/lib/luks1/af.c b/lib/luks1/af.c index 8e79f9b4..d147438d 100644 --- a/lib/luks1/af.c +++ b/lib/luks1/af.c @@ -26,7 +26,6 @@ #include #include #include -#include "crypto_backend.h" #include "internal.h" #include "af.h" diff --git a/lib/random.c b/lib/random.c index 870ab64f..5aa95e04 100644 --- a/lib/random.c +++ b/lib/random.c @@ -25,7 +25,6 @@ #include "libcryptsetup.h" #include "internal.h" -#include "crypto_backend.h" static int random_initialised = 0; diff --git a/lib/setup.c b/lib/setup.c index f34733d8..fa9b174e 100644 --- a/lib/setup.c +++ b/lib/setup.c @@ -30,7 +30,6 @@ #include "luks.h" #include "loopaes.h" #include "internal.h" -#include "crypto_backend.h" struct crypt_device { char *type; @@ -157,6 +156,8 @@ static int init_crypto(struct crypt_device *ctx) { int r; + crypt_fips_libcryptsetup_check(ctx); + r = crypt_random_init(ctx); if (r < 0) { log_err(ctx, _("Cannot initialize crypto RNG backend.\n")); @@ -167,6 +168,7 @@ static int init_crypto(struct crypt_device *ctx) if (r < 0) log_err(ctx, _("Cannot initialize crypto backend.\n")); + log_dbg("Crypto backend (%s) initialized.", crypt_backend_version()); return r; }
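Review bot: `crypt_fips_libcryptsetup_check(ctx);` now sits at the top of init_crypto() in lib/setup.c (hunk at -157,6 +156,8) with nothing recording why it comes first. Before this patch the call was made only from the gcrypt backend's init, so the move makes the check apply to every backend and run ahead of crypt_random_init(). If that ordering is intended, a one-line comment such as `/* FIPS check first: must run before the RNG or any backend is used */` would keep a later reordering from undoing it. Whether the function returns a result that should be tested is not visible here, and init_crypto() starts above the hunk.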
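Review bot: The added `log_dbg("Crypto backend (%s) initialized.", crypt_backend_version());` in init_crypto() of lib/setup.c (hunk at -167,6 +168,7) runs even when crypt_backend_init() returned an error. The preceding `if (r < 0)` only covers the log_err call, so a failed init is followed by a debug line claiming success, with an empty version string for the gcrypt, kernel and NSS backends. Guarding it with `if (r >= 0)` before the `log_dbg(...)` call, or returning straight after the log_err, keeps the debug trace trustworthy when triaging crypto setup failures.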