Prepare supported PBKDF2 implementation autodetection for gcrypt.

configure.ac

@@ -115,6 +115,8 @@ AC_DEFUN([CONFIGURE_GCRYPT], [
 	else
 		GCRYPT_REQ_VERSION=1.1.42
 	fi
+	dnl Check if we can use gcrypt PBKDF2 (1.6.0 supports empty password)
+	AM_PATH_LIBGCRYPT([1.6.0], [use_internal_pbkdf2=0], [use_internal_pbkdf2=1])
 	AM_PATH_LIBGCRYPT($GCRYPT_REQ_VERSION,,[AC_MSG_ERROR([You need the gcrypt library.])])
 
 	if test x$enable_static_cryptsetup = xyes; then
@@ -139,6 +141,7 @@ AC_DEFUN([CONFIGURE_OPENSSL], [
 		AC_MSG_ERROR([You need openssl library.]))
 	CRYPTO_CFLAGS=$OPENSSL_CFLAGS
 	CRYPTO_LIBS=$OPENSSL_LIBS
+	use_internal_pbkdf2=0
 
 	if test x$enable_static_cryptsetup = xyes; then
 		saved_PKG_CONFIG=$PKG_CONFIG
@@ -167,6 +170,7 @@ AC_DEFUN([CONFIGURE_NSS], [
 
 	CRYPTO_CFLAGS=$NSS_CFLAGS
 	CRYPTO_LIBS=$NSS_LIBS
+	use_internal_pbkdf2=1
 	NO_FIPS([])
 ])
 
@@ -176,6 +180,7 @@ AC_DEFUN([CONFIGURE_KERNEL], [
 #	AC_CHECK_DECLS([AF_ALG],,
 #		[AC_MSG_ERROR([You need Linux kernel with userspace crypto interface.])],
 #		[#include <sys/socket.h>])
+	use_internal_pbkdf2=1
 	NO_FIPS([])
 ])
 
@@ -190,6 +195,7 @@ AC_DEFUN([CONFIGURE_NETTLE], [
 	LIBS=$saved_LIBS
 
 	CRYPTO_STATIC_LIBS=$CRYPTO_LIBS
+	use_internal_pbkdf2=1
 	NO_FIPS([])
 ])
 
@@ -280,6 +286,9 @@ AM_CONDITIONAL(CRYPTO_BACKEND_NSS,     test $with_crypto_backend = nss)
 AM_CONDITIONAL(CRYPTO_BACKEND_KERNEL,  test $with_crypto_backend = kernel)
 AM_CONDITIONAL(CRYPTO_BACKEND_NETTLE,  test $with_crypto_backend = nettle)
 
+AM_CONDITIONAL(CRYPTO_INTERNAL_PBKDF2, test $use_internal_pbkdf2 = 1)
+AC_DEFINE_UNQUOTED(USE_INTERNAL_PBKDF2, [$use_internal_pbkdf2], [Use internal PBKDF2])
+
 dnl Magic for cryptsetup.static build.
 if test x$enable_static_cryptsetup = xyes; then
 	saved_PKG_CONFIG=$PKG_CONFIG

lib/crypto_backend/Makefile.am

@@ -9,21 +9,21 @@ libcrypto_backend_la_SOURCES = crypto_backend.h \
 
 if CRYPTO_BACKEND_GCRYPT
 libcrypto_backend_la_SOURCES += crypto_gcrypt.c
-libcrypto_backend_la_SOURCES += pbkdf2_generic.c
 endif
 if CRYPTO_BACKEND_OPENSSL
 libcrypto_backend_la_SOURCES += crypto_openssl.c
 endif
 if CRYPTO_BACKEND_NSS
 libcrypto_backend_la_SOURCES += crypto_nss.c
-libcrypto_backend_la_SOURCES += pbkdf2_generic.c
 endif
 if CRYPTO_BACKEND_KERNEL
 libcrypto_backend_la_SOURCES += crypto_kernel.c
-libcrypto_backend_la_SOURCES += pbkdf2_generic.c
 endif
 if CRYPTO_BACKEND_NETTLE
 libcrypto_backend_la_SOURCES += crypto_nettle.c
+endif
+
+if CRYPTO_INTERNAL_PBKDF2
 libcrypto_backend_la_SOURCES += pbkdf2_generic.c
 endif
 

lib/crypto_backend/crypto_gcrypt.c

@@ -261,21 +261,14 @@ int crypt_pbkdf(const char *kdf, const char *hash,
 		char *key, size_t key_length,
 		unsigned int iterations)
 {
+#if USE_INTERNAL_PBKDF2
 	if (!kdf || strncmp(kdf, "pbkdf2", 6))
 		return -EINVAL;
 
 	return pkcs5_pbkdf2(hash, password, password_length, salt, salt_length,
 			    iterations, key_length, key);
-}
 
-#if 0
+#else /* USE_INTERNAL_PBKDF2 */
-/* Until bug in gcrypt related to empty password is fixed,  cannot use this */
-int crypt_pbkdf(const char *kdf, const char *hash,
-		const char *password, size_t password_length,
-		const char *salt, size_t salt_length,
-		char *key, size_t key_length,
-		unsigned int iterations)
-{
 	int hash_id = gcry_md_map_name(hash);
 	int kdf_id;
 
@@ -292,5 +285,5 @@ int crypt_pbkdf(const char *kdf, const char *hash,
 		return -EINVAL;
 
 	return 0;
+#endif /* USE_INTERNAL_PBKDF2 */
 }
-#endif