From: Marc Kleine-Budde <mkl@pengutronix.de>
Date: Mon, 17 Mar 2014 22:25:23 +0100
Subject: [PATCH] reintroduce gcrypt support

This reverts commit 897f1ec57899e39269d1f5e64519dd74d8861d65.

-------->8-------->8-------->8-------->8-------->8-------->8-------->8-------->8--------
commit 897f1ec57899e39269d1f5e64519dd74d8861d65
Author: Dustin Kirkland <kirkland@canonical.com>
Date:   Fri Jul 17 00:32:26 2009 -0500

      * README, configure.ac, debian/control, debian/rules,
        doc/sourceforge_webpage/README, src/libecryptfs-swig/libecryptfs.py,
        src/libecryptfs-swig/libecryptfs_wrap.c,
        src/libecryptfs/key_management.c, src/libecryptfs/libecryptfs.pc.in,
        src/libecryptfs/main.c, src/pam_ecryptfs/Makefile.am,
        src/utils/manager.c, src/utils/mount.ecryptfs.c: move build from gcrypt
        to nss (this change has been pending for some time)

    Signed-off-by: Dustin Kirkland <kirkland@canonical.com>
-------->8-------->8-------->8-------->8-------->8-------->8-------->8-------->8--------

Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
---
 README                            |  5 +++
 configure.ac                      | 17 +++++++-
 src/libecryptfs/key_management.c  | 87 +++++++++++++++++++++++++++++++++++++++
 src/libecryptfs/libecryptfs.pc.in |  4 +-
 src/libecryptfs/main.c            | 31 +++++++++++++-
 src/pam_ecryptfs/Makefile.am      |  4 +-
 6 files changed, 141 insertions(+), 7 deletions(-)

diff --git a/README b/README
index 8f61dd0ebfb4..fcf204bfde13 100644
--- a/README
+++ b/README
@@ -42,6 +42,11 @@ Requirements include:
      1.0 or higher)
    - Finding its way into some distros
    - Obtainable from <http://people.redhat.com/~dhowells/keyutils> 
+  - libgcrypt
+    - Part of most distros; install the development package
+    - If you need to build from source, you probably will want these:
+     - <ftp://ftp.gnupg.org/gcrypt/libgpg-error>
+     - <ftp://ftp.gnupg.org/gcrypt/libgcrypt>
 
 
 KERNEL BUILD OPTIONS
diff --git a/configure.ac b/configure.ac
index 6332a618e6ad..04c0d4dc0bdf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -204,6 +204,14 @@ AC_ISC_POSIX
 AC_HEADER_STDC
 AC_CHECK_LIB([dl], [dlopen])
 
+# Verify gcrypt
+AC_MSG_CHECKING([for libgcrypt])
+AM_PATH_LIBGCRYPT(,,[AC_MSG_ERROR([eCryptfs userspace tools require libgcrypt
+You might find the package at:
+http://directory.fsf.org/security/libgcrypt.html
+])]
+)
+
 # Verify keyutils version 1.0 or higher
 if test -z "${KEYUTILS_LIBS}"; then
 	AC_ARG_VAR([KEYUTILS_CFLAGS], [C compiler flags for keyutils])
@@ -377,8 +385,13 @@ LOCALEDIR='${prefix}/${datadir}/locale'
 AC_SUBST(LOCALEDIR)
 
 
-CRYPTO_CFLAGS=${NSS_CFLAGS}
-CRYPTO_LIBS=${NSS_LIBS}
+if test "${enable_nss}" == "yes" ; then
+        CRYPTO_CFLAGS=${NSS_CFLAGS}
+	CRYPTO_LIBS=${NSS_LIBS}
+else
+        CRYPTO_CFLAGS=${LIBGCRYPT_CFLAGS}
+	CRYPTO_LIBS=${LIBGCRYPT_LIBS}
+fi
 
 AC_SUBST([pamdir])
 AC_SUBST([pamlibdir])
diff --git a/src/libecryptfs/key_management.c b/src/libecryptfs/key_management.c
index 9ae70b8deb1e..18240ee6c3e9 100644
--- a/src/libecryptfs/key_management.c
+++ b/src/libecryptfs/key_management.c
@@ -21,8 +21,12 @@
  */
 
 #include <errno.h>
+#ifdef ENABLE_NSS
 #include <nss.h>
 #include <pk11func.h>
+#else
+#include <gcrypt.h>
+#endif /* #ifdef ENABLE_NSS */
 #include <keyutils.h>
 #ifndef S_SPLINT_S
 #include <stdio.h>
@@ -572,6 +576,7 @@ int ecryptfs_wrap_passphrase(char *filename, char *wrapping_passphrase,
 		ECRYPTFS_AES_BLOCK_SIZE + 1];
 	int encrypted_passphrase_pos = 0;
 	int decrypted_passphrase_pos = 0;
+#ifdef ENABLE_NSS
 	int tmp1_outlen = 0;
 	int tmp2_outlen = 0;
 	SECStatus err;
@@ -580,6 +585,11 @@ int ecryptfs_wrap_passphrase(char *filename, char *wrapping_passphrase,
 	PK11SlotInfo *slot = NULL;
 	PK11Context *enc_ctx = NULL;
 	SECItem *sec_param = NULL;
+#else
+#warning Building against gcrypt instead of nss
+	gcry_cipher_hd_t gcry_handle;
+	gcry_error_t gcry_err;
+#endif /* #ifdef ENABLE_NSS */
 	int encrypted_passphrase_bytes;
 	int decrypted_passphrase_bytes;
 	int fd;
@@ -618,6 +628,7 @@ int ecryptfs_wrap_passphrase(char *filename, char *wrapping_passphrase,
 					       - (decrypted_passphrase_bytes
 						  % ECRYPTFS_AES_BLOCK_SIZE));
 	encrypted_passphrase_bytes = decrypted_passphrase_bytes;
+#ifdef ENABLE_NSS
 	NSS_NoDB_Init(NULL);
 	slot = PK11_GetBestSlot(CKM_AES_ECB, NULL);
 	key_item.data = (unsigned char *)wrapping_key;
@@ -678,6 +689,41 @@ nss_finish:
 		rc = - EIO;
 		goto out;
 	}
+#else
+	if ((gcry_err = gcry_cipher_open(&gcry_handle, GCRY_CIPHER_AES,
+					 GCRY_CIPHER_MODE_ECB, 0))) {
+		syslog(LOG_ERR, "Error attempting to initialize AES cipher; "
+		       "gcry_error_t = [%d]\n", gcry_err);
+		rc = -EIO;
+		goto out;
+	}
+	if ((gcry_err = gcry_cipher_setkey(gcry_handle, wrapping_key,
+					   ECRYPTFS_AES_KEY_BYTES))) {
+		syslog(LOG_ERR, "Error attempting to set AES key; "
+		       "gcry_error_t = [%d]\n", gcry_err);
+		rc = -EIO;
+		gcry_cipher_close(gcry_handle);
+		goto out;
+	}
+	while (decrypted_passphrase_bytes > 0) {
+		if ((gcry_err = gcry_cipher_encrypt(
+			     gcry_handle,
+			     &encrypted_passphrase[encrypted_passphrase_pos],
+			     ECRYPTFS_AES_BLOCK_SIZE,
+			     &decrypted_passphrase[decrypted_passphrase_pos],
+			     ECRYPTFS_AES_BLOCK_SIZE))) {
+			syslog(LOG_ERR, "Error attempting to encrypt block; "
+			       "gcry_error = [%d]\n", gcry_err);
+			rc = -EIO;
+			gcry_cipher_close(gcry_handle);
+			goto out;
+		}
+		encrypted_passphrase_pos += ECRYPTFS_AES_BLOCK_SIZE;
+		decrypted_passphrase_pos += ECRYPTFS_AES_BLOCK_SIZE;
+		decrypted_passphrase_bytes -= ECRYPTFS_AES_BLOCK_SIZE;
+	}
+	gcry_cipher_close(gcry_handle);
+#endif /* #ifdef ENABLE_NSS */
 	rc = write_v2_wrapped_passphrase_file(filename, wrapping_salt,
 					      wrapping_auth_tok_sig,
 					      encrypted_passphrase,
@@ -852,6 +898,7 @@ int ecryptfs_unwrap_passphrase(char *decrypted_passphrase, char *filename,
 	char encrypted_passphrase[ECRYPTFS_MAX_PASSPHRASE_BYTES + 1];
 	int encrypted_passphrase_pos = 0;
 	int decrypted_passphrase_pos = 0;
+#ifdef ENABLE_NSS
 	int tmp1_outlen = 0;
 	int tmp2_outlen = 0;
 	SECStatus err;
@@ -860,6 +907,10 @@ int ecryptfs_unwrap_passphrase(char *decrypted_passphrase, char *filename,
 	PK11SlotInfo *slot = NULL;
 	PK11Context *enc_ctx = NULL;
 	SECItem *sec_param = NULL;
+#else
+	gcry_cipher_hd_t gcry_handle;
+	gcry_error_t gcry_err;
+#endif /* #ifdef ENABLE_NSS */
 	uint8_t version = 0;
 	int encrypted_passphrase_bytes;
 	int rc;
@@ -923,6 +974,7 @@ int ecryptfs_unwrap_passphrase(char *decrypted_passphrase, char *filename,
 		rc = -EIO;
 		goto out;
 	}
+#ifdef ENABLE_NSS
 	NSS_NoDB_Init(NULL);
 	slot = PK11_GetBestSlot(CKM_AES_ECB, NULL);
 	key_item.data = (unsigned char *)wrapping_key;
@@ -982,6 +1034,41 @@ nss_finish:
 		rc = - EIO;
 		goto out;
 	}
+#else
+	if ((gcry_err = gcry_cipher_open(&gcry_handle, GCRY_CIPHER_AES,
+					 GCRY_CIPHER_MODE_ECB, 0))) {
+		syslog(LOG_ERR, "Error attempting to initialize AES cipher; "
+		       "gcry_error_t = [%d]\n", gcry_err);
+		rc = -EIO;
+		goto out;
+	}
+	if ((gcry_err = gcry_cipher_setkey(gcry_handle, wrapping_key,
+					   ECRYPTFS_AES_KEY_BYTES))) {
+		syslog(LOG_ERR, "Error attempting to set AES key; "
+		       "gcry_error_t = [%d]\n", gcry_err);
+		rc = -EIO;
+		gcry_cipher_close(gcry_handle);
+		goto out;
+	}
+	memset(decrypted_passphrase, 0, ECRYPTFS_MAX_PASSPHRASE_BYTES + 1);
+	while (encrypted_passphrase_bytes > 0) {
+		if ((gcry_err = gcry_cipher_decrypt(
+			     gcry_handle,
+			     &decrypted_passphrase[encrypted_passphrase_pos],
+			     ECRYPTFS_AES_BLOCK_SIZE,
+			     &encrypted_passphrase[decrypted_passphrase_pos],
+			     ECRYPTFS_AES_BLOCK_SIZE))) {
+			syslog(LOG_ERR, "Error attempting to decrypt block; "
+			       "gcry_error = [%d]\n", gcry_err);
+			rc = -EIO;
+			gcry_cipher_close(gcry_handle);
+			goto out;
+		}
+		encrypted_passphrase_pos += ECRYPTFS_AES_BLOCK_SIZE;
+		decrypted_passphrase_pos += ECRYPTFS_AES_BLOCK_SIZE;
+		encrypted_passphrase_bytes -= ECRYPTFS_AES_BLOCK_SIZE;
+	}
+#endif /* #ifdef ENABLE_NSS */
 out:
 	return rc;
 }
diff --git a/src/libecryptfs/libecryptfs.pc.in b/src/libecryptfs/libecryptfs.pc.in
index 9900ec05498e..4adc57391f82 100644
--- a/src/libecryptfs/libecryptfs.pc.in
+++ b/src/libecryptfs/libecryptfs.pc.in
@@ -6,5 +6,5 @@ includedir=@includedir@
 Name: libecryptfs
 Description: eCryptfs library
 Version: @PACKAGE_VERSION@
-Cflags: -I${includedir} @KEYUTILS_CFLAGS@
-Libs: @KEYUTILS_LIBS@ -L${libdir} -lecryptfs
+Cflags: -I${includedir} @LIBGCRYPT_CFLAGS@ @KEYUTILS_CFLAGS@
+Libs: @LIBGCRYPT_LIBS@ @KEYUTILS_LIBS@ -L${libdir} -lecryptfs
diff --git a/src/libecryptfs/main.c b/src/libecryptfs/main.c
index adb51b16ae69..9d4d9f302133 100644
--- a/src/libecryptfs/main.c
+++ b/src/libecryptfs/main.c
@@ -20,8 +20,12 @@
  */
 
 #include <errno.h>
+#ifdef ENABLE_NSS
 #include <nss.h>
 #include <pk11func.h>
+#else
+#include <gcrypt.h>
+#endif /* #ifdef ENABLE_NSS */
 #include <mntent.h>
 #ifndef S_SPLINT_S
 #include <stdio.h>
@@ -73,8 +77,16 @@ void from_hex(char *dst, char *src, int dst_size)
 
 int do_hash(char *src, int src_size, char *dst, int algo)
 {
+#ifdef ENABLE_NSS
 	SECStatus err;
-
+#else
+	gcry_md_hd_t hd;
+	gcry_error_t err = 0;
+	unsigned char * hash;
+	unsigned int mdlen;
+#endif /* #ifdef ENABLE_NSS */
+
+#ifdef ENABLE_NSS
 	NSS_NoDB_Init(NULL);
 	err = PK11_HashBuf(algo, (unsigned char *)dst, (unsigned char *)src,
 			   src_size);
@@ -85,6 +97,19 @@ int do_hash(char *src, int src_size, char *dst, int algo)
 		err = -EINVAL;
 		goto out;
 	}
+#else
+	err = gcry_md_open(&hd, algo, 0);
+	mdlen = gcry_md_get_algo_dlen(algo);
+	if (err) {
+		syslog(LOG_ERR, "Failed to open hash algo [%d]: "
+		       "[%d]\n", algo, err);
+		goto out;
+	}
+	gcry_md_write(hd, src, src_size);
+	hash = gcry_md_read(hd, algo);
+	memcpy(dst, hash, mdlen);
+	gcry_md_close(hd);
+#endif /* #ifdef ENABLE_NSS */
 out:
 	return (int)err;
 }
@@ -217,7 +242,11 @@ generate_passphrase_sig(char *passphrase_sig, char *fekek,
 	char salt_and_passphrase[ECRYPTFS_MAX_PASSPHRASE_BYTES
 				 + ECRYPTFS_SALT_SIZE];
 	int passphrase_size;
+#ifdef ENABLE_NSS
 	int alg = SEC_OID_SHA512;
+#else
+	int alg = GCRY_MD_SHA512;
+#endif /* #ifdef ENABLE_NSS */
 	int dig_len = SHA512_DIGEST_LENGTH;
 	char buf[SHA512_DIGEST_LENGTH];
 	int hash_iterations = ECRYPTFS_DEFAULT_NUM_HASH_ITERATIONS;
diff --git a/src/pam_ecryptfs/Makefile.am b/src/pam_ecryptfs/Makefile.am
index 39cec265b09c..98eee620a152 100644
--- a/src/pam_ecryptfs/Makefile.am
+++ b/src/pam_ecryptfs/Makefile.am
@@ -12,6 +12,6 @@ uninstall-local:
 endif
 
 pam_ecryptfs_la_SOURCES = pam_ecryptfs.c
-pam_ecryptfs_la_CFLAGS = $(AM_CFLAGS)
-pam_ecryptfs_la_LIBADD = $(top_builddir)/src/libecryptfs/libecryptfs.la $(PAM_LIBS)
+pam_ecryptfs_la_CFLAGS = $(AM_CFLAGS) $(LIBGCRYPT_CFLAGS)
+pam_ecryptfs_la_LIBADD = $(top_builddir)/src/libecryptfs/libecryptfs.la $(PAM_LIBS) $(LIBGCRYPT_LIBS)
 pam_ecryptfs_la_LDFLAGS = $(AM_LDFLAGS) -module -avoid-version -shared