Try to check if AEAD cipher is available through kernel crypto API.

lib/crypto_backend/crypto_backend.h

@@ -111,6 +111,10 @@ int crypt_cipher_decrypt(struct crypt_cipher *ctx,
 			 const char *in, char *out, size_t length,
 			 const char *iv, size_t iv_length);
 
+/* Check availability of a cipher */
+int crypt_cipher_check(const char *name, const char *mode,
+		       const char *integrity, size_t key_length);
+
 /* storage encryption wrappers */
 int crypt_storage_init(struct crypt_storage **ctx, uint64_t sector_start,
 		       const char *cipher, const char *cipher_mode,

lib/crypto_backend/crypto_cipher_kernel.c

@@ -22,6 +22,7 @@
 #include <string.h>
 #include <stdlib.h>
 #include <stdio.h>
+#include <stdbool.h>
 #include <errno.h>
 #include <unistd.h>
 #include <sys/socket.h>
@@ -51,22 +52,16 @@ struct crypt_cipher {
  * ENOTSUP - AF_ALG family not available
  * (but cannot check specifically for skcipher API)
  */
-int crypt_cipher_init(struct crypt_cipher **ctx, const char *name,
+static int _crypt_cipher_init(struct crypt_cipher **ctx,
-		    const char *mode, const void *key, size_t key_length)
+			      const void *key, size_t key_length,
+			      struct sockaddr_alg *sa)
 {
 	struct crypt_cipher *h;
-	struct sockaddr_alg sa = {
-		.salg_family = AF_ALG,
-		.salg_type = "skcipher",
-	};
 
 	h = malloc(sizeof(*h));
 	if (!h)
 		return -ENOMEM;
 
-	snprintf((char *)sa.salg_name, sizeof(sa.salg_name),
-		 "%s(%s)", mode, name);
-
 	h->opfd = -1;
 	h->tfmfd = socket(AF_ALG, SOCK_SEQPACKET, 0);
 	if (h->tfmfd < 0) {
@@ -74,14 +69,11 @@ int crypt_cipher_init(struct crypt_cipher **ctx, const char *name,
 		return -ENOTSUP;
 	}
 
-	if (bind(h->tfmfd, (struct sockaddr *)&sa, sizeof(sa)) < 0) {
+	if (bind(h->tfmfd, (struct sockaddr *)sa, sizeof(*sa)) < 0) {
 		crypt_cipher_destroy(h);
 		return -ENOENT;
 	}
 
-	if (!strcmp(name, "cipher_null"))
-		key_length = 0;
-
 	if (setsockopt(h->tfmfd, SOL_ALG, ALG_SET_KEY, key, key_length) < 0) {
 		crypt_cipher_destroy(h);
 		return -EINVAL;
@@ -97,6 +89,22 @@ int crypt_cipher_init(struct crypt_cipher **ctx, const char *name,
 	return 0;
 }
 
+int crypt_cipher_init(struct crypt_cipher **ctx, const char *name,
+		      const char *mode, const void *key, size_t key_length)
+{
+	struct sockaddr_alg sa = {
+		.salg_family = AF_ALG,
+		.salg_type = "skcipher",
+	};
+
+	if (!strcmp(name, "cipher_null"))
+		key_length = 0;
+
+	snprintf((char *)sa.salg_name, sizeof(sa.salg_name), "%s(%s)", mode, name);
+
+	return _crypt_cipher_init(ctx, key, key_length, &sa);
+}
+
 /* The in/out should be aligned to page boundary */
 static int crypt_cipher_crypt(struct crypt_cipher *ctx,
 			 const char *in, char *out, size_t length,
@@ -191,6 +199,61 @@ void crypt_cipher_destroy(struct crypt_cipher *ctx)
 	free(ctx);
 }
 
+int crypt_cipher_check(const char *name, const char *mode,
+		       const char *integrity, size_t key_length)
+{
+	struct crypt_cipher *c = NULL;
+	char mode_name[64], *real_mode = NULL, *cipher_iv = NULL, *key, *salg_type;
+	bool aead;
+	int r;
+	struct sockaddr_alg sa = {
+		.salg_family = AF_ALG,
+	};
+
+	aead = integrity && strcmp(integrity, "none");
+
+	/* Remove IV if present */
+	if (mode) {
+		strncpy(mode_name, mode, sizeof(mode_name));
+		mode_name[sizeof(mode_name) - 1] = 0;
+		cipher_iv = strchr(mode_name, '-');
+		if (cipher_iv) {
+			*cipher_iv = '\0';
+			real_mode = mode_name;
+		}
+	}
+
+	salg_type = aead ? "aead" : "skcipher";
+	snprintf((char *)sa.salg_type, sizeof(sa.salg_type), "%s", salg_type);
+
+	/* FIXME: this is duplicating a part of devmapper backend */
+	if (aead && !strcmp(integrity, "poly1305"))
+		snprintf((char *)sa.salg_name, sizeof(sa.salg_name), "rfc7539(%s,%s)", name, integrity);
+	else if (!real_mode)
+		snprintf((char *)sa.salg_name, sizeof(sa.salg_name), "%s", name);
+	else if (aead && !strcmp(real_mode, "ccm"))
+		snprintf((char *)sa.salg_name, sizeof(sa.salg_name), "rfc4309(%s(%s))", real_mode, name);
+	else
+		snprintf((char *)sa.salg_name, sizeof(sa.salg_name), "%s(%s)", real_mode, name);
+
+	key = malloc(key_length);
+	if (!key)
+		return -ENOMEM;
+
+	r = crypt_backend_rng(key, key_length, CRYPT_RND_NORMAL, 0);
+	if (r < 0) {
+		free (key);
+		return r;
+	}
+
+	r = _crypt_cipher_init(&c, key, key_length, &sa);
+	if (c)
+		crypt_cipher_destroy(c);
+	free(key);
+
+	return r;
+}
+
 #else /* ENABLE_AF_ALG */
 int crypt_cipher_init(struct crypt_cipher **ctx, const char *name,
 		    const char *mode, const void *buffer, size_t length)
@@ -215,4 +278,9 @@ int crypt_cipher_decrypt(struct crypt_cipher *ctx,
 {
 	return -EINVAL;
 }
+int crypt_cipher_check(const char *name, const char *mode,
+		       const char *integrity, size_t key_length)
+{
+	return 0;
+}
 #endif

lib/setup.c

@@ -1585,8 +1585,16 @@ static int _crypt_format_luks2(struct crypt_device *cd,
 		goto out;
 	}
 
-	/* FIXME: we have no way how to check AEAD ciphers,
+	/* FIXME: allow this later also for normal ciphers (check AF_ALG availability. */
-	 * only length preserving mode or authenc() composed modes */
+	if (integrity && !integrity_key_size) {
+		r = crypt_cipher_check(cipher, cipher_mode, integrity, volume_key_size);
+		if (r < 0) {
+			log_err(cd, _("Cipher %s-%s (key size %zd bits) is not available."),
+				cipher, cipher_mode, volume_key_size * 8);
+			goto out;
+		}
+	}
+
 	if ((!integrity || integrity_key_size) && !LUKS2_keyslot_cipher_incompatible(cd)) {
 		r = LUKS_check_cipher(cd, volume_key_size - integrity_key_size,
 				      cipher, cipher_mode);