Index: ecryptfs-utils-93/src/libecryptfs/main.c =================================================================== --- ecryptfs-utils-93.orig/src/libecryptfs/main.c 2011-10-27 18:53:07.000000000 +0300 +++ ecryptfs-utils-93/src/libecryptfs/main.c 2011-12-07 17:23:57.000000000 +0200 @@ -21,8 +21,12 @@ #include "config.h" #include +#ifdef ENABLE_NSS #include #include +#else +#include +#endif /* #ifdef ENABLE_NSS */ #include #ifndef S_SPLINT_S #include @@ -74,7 +78,16 @@ int do_hash(char *src, int src_size, char *dst, int algo) { +#ifdef ENABLE_NSS SECStatus err; +#else + gcry_md_hd_t hd; + gcry_error_t err = 0; + unsigned char * hash; + unsigned int mdlen; +#endif /* #ifdef ENABLE_NSS */ + +#ifdef ENABLE_NSS NSS_NoDB_Init(NULL); err = PK11_HashBuf(algo, (unsigned char *)dst, (unsigned char *)src, @@ -86,6 +99,19 @@ err = -EINVAL; goto out; } +#else + err = gcry_md_open(&hd, algo, 0); + mdlen = gcry_md_get_algo_dlen(algo); + if (err) { + syslog(LOG_ERR, "Failed to open hash algo [%d]: " + "[%d]\n", algo, err); + goto out; + } + gcry_md_write(hd, src, src_size); + hash = gcry_md_read(hd, algo); + memcpy(dst, hash, mdlen); + gcry_md_close(hd); +#endif /* #ifdef ENABLE_NSS */ out: return (int)err; } @@ -214,7 +240,11 @@ char salt_and_passphrase[ECRYPTFS_MAX_PASSPHRASE_BYTES + ECRYPTFS_SALT_SIZE]; int passphrase_size; +#ifdef ENABLE_NSS int alg = SEC_OID_SHA512; +#else + int alg = GCRY_MD_SHA512; +#endif /* #ifdef ENABLE_NSS */ int dig_len = SHA512_DIGEST_LENGTH; char buf[SHA512_DIGEST_LENGTH]; int hash_iterations = ECRYPTFS_DEFAULT_NUM_HASH_ITERATIONS; Index: ecryptfs-utils-93/src/libecryptfs/key_management.c =================================================================== --- ecryptfs-utils-93.orig/src/libecryptfs/key_management.c 2011-10-27 18:53:07.000000000 +0300 +++ ecryptfs-utils-93/src/libecryptfs/key_management.c 2011-12-07 17:38:46.000000000 +0200 @@ -20,8 +20,12 @@ #include "config.h" #include +#ifdef ENABLE_NSS #include #include +#else +#include +#endif /* #ifdef ENABLE_NSS */ #include #ifndef S_SPLINT_S #include @@ -295,6 +299,7 @@ ECRYPTFS_AES_BLOCK_SIZE + 1]; int encrypted_passphrase_pos = 0; int decrypted_passphrase_pos = 0; +#ifdef ENABLE_NSS int tmp1_outlen = 0; int tmp2_outlen = 0; SECStatus err; @@ -303,6 +308,11 @@ PK11SlotInfo *slot = NULL; PK11Context *enc_ctx = NULL; SECItem *sec_param = NULL; +#else +#warning Building against gcrypt instead of nss + gcry_cipher_hd_t gcry_handle; + gcry_error_t gcry_err; +#endif /* #ifdef ENABLE_NSS */ int encrypted_passphrase_bytes; int decrypted_passphrase_bytes; int fd; @@ -334,6 +344,7 @@ - (decrypted_passphrase_bytes % ECRYPTFS_AES_BLOCK_SIZE)); encrypted_passphrase_bytes = decrypted_passphrase_bytes; +#ifdef ENABLE_NSS NSS_NoDB_Init(NULL); slot = PK11_GetBestSlot(CKM_AES_ECB, NULL); key_item.data = (unsigned char *)wrapping_key; @@ -394,6 +405,41 @@ rc = - EIO; goto out; } +#else + if ((gcry_err = gcry_cipher_open(&gcry_handle, GCRY_CIPHER_AES, + GCRY_CIPHER_MODE_ECB, 0))) { + syslog(LOG_ERR, "Error attempting to initialize AES cipher; " + "gcry_error_t = [%d]\n", gcry_err); + rc = -EIO; + goto out; + } + if ((gcry_err = gcry_cipher_setkey(gcry_handle, wrapping_key, + ECRYPTFS_AES_KEY_BYTES))) { + syslog(LOG_ERR, "Error attempting to set AES key; " + "gcry_error_t = [%d]\n", gcry_err); + rc = -EIO; + gcry_cipher_close(gcry_handle); + goto out; + } + while (decrypted_passphrase_bytes > 0) { + if ((gcry_err = gcry_cipher_encrypt( + gcry_handle, + &encrypted_passphrase[encrypted_passphrase_pos], + ECRYPTFS_AES_BLOCK_SIZE, + &decrypted_passphrase[decrypted_passphrase_pos], + ECRYPTFS_AES_BLOCK_SIZE))) { + syslog(LOG_ERR, "Error attempting to encrypt block; " + "gcry_error = [%d]\n", gcry_err); + rc = -EIO; + gcry_cipher_close(gcry_handle); + goto out; + } + encrypted_passphrase_pos += ECRYPTFS_AES_BLOCK_SIZE; + decrypted_passphrase_pos += ECRYPTFS_AES_BLOCK_SIZE; + decrypted_passphrase_bytes -= ECRYPTFS_AES_BLOCK_SIZE; + } + gcry_cipher_close(gcry_handle); +#endif /* #ifdef ENABLE_NSS */ unlink(filename); if ((fd = open(filename, (O_WRONLY | O_CREAT | O_EXCL), (S_IRUSR | S_IWUSR))) == -1) { @@ -439,6 +485,7 @@ char encrypted_passphrase[ECRYPTFS_MAX_PASSPHRASE_BYTES + 1]; int encrypted_passphrase_pos = 0; int decrypted_passphrase_pos = 0; +#ifdef ENABLE_NSS int tmp1_outlen = 0; int tmp2_outlen = 0; SECStatus err; @@ -447,6 +494,10 @@ PK11SlotInfo *slot = NULL; PK11Context *enc_ctx = NULL; SECItem *sec_param = NULL; +#else + gcry_cipher_hd_t gcry_handle; + gcry_error_t gcry_err; +#endif /* #ifdef ENABLE_NSS */ int encrypted_passphrase_bytes; int fd; ssize_t size; @@ -493,6 +544,7 @@ goto out; } encrypted_passphrase_bytes = size; +#ifdef ENABLE_NSS NSS_NoDB_Init(NULL); slot = PK11_GetBestSlot(CKM_AES_ECB, NULL); key_item.data = (unsigned char *)wrapping_key; @@ -552,6 +604,41 @@ rc = - EIO; goto out; } +#else + if ((gcry_err = gcry_cipher_open(&gcry_handle, GCRY_CIPHER_AES, + GCRY_CIPHER_MODE_ECB, 0))) { + syslog(LOG_ERR, "Error attempting to initialize AES cipher; " + "gcry_error_t = [%d]\n", gcry_err); + rc = -EIO; + goto out; + } + if ((gcry_err = gcry_cipher_setkey(gcry_handle, wrapping_key, + ECRYPTFS_AES_KEY_BYTES))) { + syslog(LOG_ERR, "Error attempting to set AES key; " + "gcry_error_t = [%d]\n", gcry_err); + rc = -EIO; + gcry_cipher_close(gcry_handle); + goto out; + } + memset(decrypted_passphrase, 0, ECRYPTFS_MAX_PASSPHRASE_BYTES + 1); + while (encrypted_passphrase_bytes > 0) { + if ((gcry_err = gcry_cipher_decrypt( + gcry_handle, + &decrypted_passphrase[encrypted_passphrase_pos], + ECRYPTFS_AES_BLOCK_SIZE, + &encrypted_passphrase[decrypted_passphrase_pos], + ECRYPTFS_AES_BLOCK_SIZE))) { + syslog(LOG_ERR, "Error attempting to decrypt block; " + "gcry_error = [%d]\n", gcry_err); + rc = -EIO; + gcry_cipher_close(gcry_handle); + goto out; + } + encrypted_passphrase_pos += ECRYPTFS_AES_BLOCK_SIZE; + decrypted_passphrase_pos += ECRYPTFS_AES_BLOCK_SIZE; + encrypted_passphrase_bytes -= ECRYPTFS_AES_BLOCK_SIZE; + } +#endif /* #ifdef ENABLE_NSS */ out: return rc; }