From 278418aa56573c368abd6dc9b7742df270574842 Mon Sep 17 00:00:00 2001 From: Li xin Date: Tue, 28 Jul 2015 03:06:10 +0900 Subject: [PATCH] ecryptfs fix disable nss --- src/libecryptfs/key_management.c | 87 ++++++++++++++++++++++++++++++++++++++++ src/libecryptfs/main.c | 31 ++++++++++++++ 2 files changed, 118 insertions(+) diff --git a/src/libecryptfs/key_management.c b/src/libecryptfs/key_management.c index 81a9c08..c051a50 100644 --- a/src/libecryptfs/key_management.c +++ b/src/libecryptfs/key_management.c @@ -21,8 +21,12 @@ */ #include +#ifdef ENABLE_NSS #include #include +#else +#include +#endif /* #ifdef ENABLE_NSS */ #include #ifndef S_SPLINT_S #include @@ -572,6 +576,7 @@ int ecryptfs_wrap_passphrase(char *filename, char *wrapping_passphrase, ECRYPTFS_AES_BLOCK_SIZE + 1]; int encrypted_passphrase_pos = 0; int decrypted_passphrase_pos = 0; +#ifdef ENABLE_NSS int tmp1_outlen = 0; int tmp2_outlen = 0; SECStatus err; @@ -580,6 +585,11 @@ int ecryptfs_wrap_passphrase(char *filename, char *wrapping_passphrase, PK11SlotInfo *slot = NULL; PK11Context *enc_ctx = NULL; SECItem *sec_param = NULL; +#else +#warning Building against gcrypt instead of nss + gcry_cipher_hd_t gcry_handle; + gcry_error_t gcry_err; +#endif /* #ifdef ENABLE_NSS */ int encrypted_passphrase_bytes; int decrypted_passphrase_bytes; int fd; @@ -618,6 +628,7 @@ int ecryptfs_wrap_passphrase(char *filename, char *wrapping_passphrase, - (decrypted_passphrase_bytes % ECRYPTFS_AES_BLOCK_SIZE)); encrypted_passphrase_bytes = decrypted_passphrase_bytes; +#ifdef ENABLE_NSS NSS_NoDB_Init(NULL); slot = PK11_GetBestSlot(CKM_AES_ECB, NULL); key_item.data = (unsigned char *)wrapping_key; @@ -678,6 +689,41 @@ nss_finish: rc = - EIO; goto out; } +#else + if ((gcry_err = gcry_cipher_open(&gcry_handle, GCRY_CIPHER_AES, + GCRY_CIPHER_MODE_ECB, 0))) { + syslog(LOG_ERR, "Error attempting to initialize AES cipher; " + "gcry_error_t = [%d]\n", gcry_err); + rc = -EIO; + goto out; + } + if ((gcry_err = gcry_cipher_setkey(gcry_handle, wrapping_key, + ECRYPTFS_AES_KEY_BYTES))) { + syslog(LOG_ERR, "Error attempting to set AES key; " + "gcry_error_t = [%d]\n", gcry_err); + rc = -EIO; + gcry_cipher_close(gcry_handle); + goto out; + } + while (decrypted_passphrase_bytes > 0) { + if ((gcry_err = gcry_cipher_encrypt( + gcry_handle, + &encrypted_passphrase[encrypted_passphrase_pos], + ECRYPTFS_AES_BLOCK_SIZE, + &decrypted_passphrase[decrypted_passphrase_pos], + ECRYPTFS_AES_BLOCK_SIZE))) { + syslog(LOG_ERR, "Error attempting to encrypt block; " + "gcry_error = [%d]\n", gcry_err); + rc = -EIO; + gcry_cipher_close(gcry_handle); + goto out; + } + encrypted_passphrase_pos += ECRYPTFS_AES_BLOCK_SIZE; + decrypted_passphrase_pos += ECRYPTFS_AES_BLOCK_SIZE; + decrypted_passphrase_bytes -= ECRYPTFS_AES_BLOCK_SIZE; + } + gcry_cipher_close(gcry_handle); +#endif /* #ifdef ENABLE_NSS */ rc = write_v2_wrapped_passphrase_file(filename, wrapping_salt, wrapping_auth_tok_sig, encrypted_passphrase, @@ -852,6 +898,7 @@ int ecryptfs_unwrap_passphrase(char *decrypted_passphrase, char *filename, char encrypted_passphrase[ECRYPTFS_MAX_PASSPHRASE_BYTES + 1]; int encrypted_passphrase_pos = 0; int decrypted_passphrase_pos = 0; +#ifdef ENABLE_NSS int tmp1_outlen = 0; int tmp2_outlen = 0; SECStatus err; @@ -860,6 +907,10 @@ int ecryptfs_unwrap_passphrase(char *decrypted_passphrase, char *filename, PK11SlotInfo *slot = NULL; PK11Context *enc_ctx = NULL; SECItem *sec_param = NULL; +#else + gcry_cipher_hd_t gcry_handle; + gcry_error_t gcry_err; +#endif /* #ifdef ENABLE_NSS */ uint8_t version = 0; int encrypted_passphrase_bytes; int rc; @@ -923,6 +974,7 @@ int ecryptfs_unwrap_passphrase(char *decrypted_passphrase, char *filename, rc = -EIO; goto out; } +#ifdef ENABLE_NSS NSS_NoDB_Init(NULL); slot = PK11_GetBestSlot(CKM_AES_ECB, NULL); key_item.data = (unsigned char *)wrapping_key; @@ -982,6 +1034,41 @@ nss_finish: rc = - EIO; goto out; } +#else + if ((gcry_err = gcry_cipher_open(&gcry_handle, GCRY_CIPHER_AES, + GCRY_CIPHER_MODE_ECB, 0))) { + syslog(LOG_ERR, "Error attempting to initialize AES cipher; " + "gcry_error_t = [%d]\n", gcry_err); + rc = -EIO; + goto out; + } + if ((gcry_err = gcry_cipher_setkey(gcry_handle, wrapping_key, + ECRYPTFS_AES_KEY_BYTES))) { + syslog(LOG_ERR, "Error attempting to set AES key; " + "gcry_error_t = [%d]\n", gcry_err); + rc = -EIO; + gcry_cipher_close(gcry_handle); + goto out; + } + memset(decrypted_passphrase, 0, ECRYPTFS_MAX_PASSPHRASE_BYTES + 1); + while (encrypted_passphrase_bytes > 0) { + if ((gcry_err = gcry_cipher_decrypt( + gcry_handle, + &decrypted_passphrase[encrypted_passphrase_pos], + ECRYPTFS_AES_BLOCK_SIZE, + &encrypted_passphrase[decrypted_passphrase_pos], + ECRYPTFS_AES_BLOCK_SIZE))) { + syslog(LOG_ERR, "Error attempting to decrypt block; " + "gcry_error = [%d]\n", gcry_err); + rc = -EIO; + gcry_cipher_close(gcry_handle); + goto out; + } + encrypted_passphrase_pos += ECRYPTFS_AES_BLOCK_SIZE; + decrypted_passphrase_pos += ECRYPTFS_AES_BLOCK_SIZE; + encrypted_passphrase_bytes -= ECRYPTFS_AES_BLOCK_SIZE; + } +#endif /* #ifdef ENABLE_NSS */ out: return rc; } diff --git a/src/libecryptfs/main.c b/src/libecryptfs/main.c index 98bdc54..800c851 100644 --- a/src/libecryptfs/main.c +++ b/src/libecryptfs/main.c @@ -20,8 +20,12 @@ */ #include +#ifdef ENABLE_NSS #include #include +#else +#include +#endif /* #ifdef ENABLE_NSS */ #include #ifndef S_SPLINT_S #include @@ -73,7 +77,16 @@ void from_hex(char *dst, char *src, int dst_size) int do_hash(char *src, int src_size, char *dst, int algo) { +#ifdef ENABLE_NSS SECStatus err; +#else + gcry_md_hd_t hd; + gcry_error_t err = 0; + unsigned char * hash; + unsigned int mdlen; +#endif /* #ifdef ENABLE_NSS */ + +#ifdef ENABLE_NSS NSS_NoDB_Init(NULL); err = PK11_HashBuf(algo, (unsigned char *)dst, (unsigned char *)src, @@ -85,6 +98,19 @@ int do_hash(char *src, int src_size, char *dst, int algo) err = -EINVAL; goto out; } +#else + err = gcry_md_open(&hd, algo, 0); + mdlen = gcry_md_get_algo_dlen(algo); + if (err) { + syslog(LOG_ERR, "Failed to open hash algo [%d]: " + "[%d]\n", algo, err); + goto out; + } + gcry_md_write(hd, src, src_size); + hash = gcry_md_read(hd, algo); + memcpy(dst, hash, mdlen); + gcry_md_close(hd); +#endif /* #ifdef ENABLE_NSS */ out: return (int)err; } @@ -217,7 +243,12 @@ generate_passphrase_sig(char *passphrase_sig, char *fekek, char salt_and_passphrase[ECRYPTFS_MAX_PASSPHRASE_BYTES + ECRYPTFS_SALT_SIZE]; int passphrase_size; +#ifdef ENABLE_NSS int alg = SEC_OID_SHA512; +#else + int alg = GCRY_MD_SHA512; +#endif /* #ifdef ENABLE_NSS */ + int dig_len = SHA512_DIGEST_LENGTH; char buf[SHA512_DIGEST_LENGTH]; int hash_iterations = ECRYPTFS_DEFAULT_NUM_HASH_ITERATIONS; -- 1.8.4.2