crypto: add support for PBKDF2 algorithm

The LUKS data format includes use of PBKDF2 (Password-Based
Key Derivation Function). The Nettle library can provide
an implementation of this, but we don't want code directly
depending on a specific crypto library backend. Introduce
a new include/crypto/pbkdf.h header which defines a QEMU
API for invoking PBKDF2. The initial implementations are
backed by nettle & gcrypt, which are commonly available
with distros shipping GNUTLS.

The test suite data is taken from the cryptsetup codebase
under the LGPLv2.1+ license. This merely aims to verify
that whatever backend we provide for this function in QEMU
will comply with the spec.

Reviewed-by: Fam Zheng <famz@redhat.com>
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
diff --git a/configure b/configure
index 71c1e2b..b88d0db 100755
--- a/configure
+++ b/configure
@@ -309,6 +309,7 @@
gnutls_rnd=""
nettle=""
gcrypt=""
+gcrypt_kdf="no"
vte=""
virglrenderer=""
tpm="yes"
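Review bot: gcrypt_kdf is initialised to "no" while the neighbouring gnutls_rnd, nettle and gcrypt start empty, so it is not obvious whether this is a user-selectable feature or a detected capability. A one-line comment above the assignment saying it is set only by the gcry_kdf_derive probe would make the different default read as intentional.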
@@ -2302,6 +2303,19 @@
if test -z "$nettle"; then
nettle="no"
fi
+
+ cat > $TMPC << EOF
+#include <gcrypt.h>
+int main(void) {
+ gcry_kdf_derive(NULL, 0, GCRY_KDF_PBKDF2,
+ GCRY_MD_SHA256,
+ NULL, 0, 0, 0, NULL);
+ return 0;
+}
+EOF
+ if compile_prog "$gcrypt_cflags" "$gcrypt_libs" ; then
+ gcrypt_kdf=yes
+ fi
else
if test "$gcrypt" = "yes"; then
feature_not_found "gcrypt" "Install gcrypt devel"
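Review bot: the gcry_kdf_derive probe has no comment saying why a second check is needed once libgcrypt has already been detected, and a failed probe leaves gcrypt_kdf at "no" without any message until the final summary. Add a short comment above `cat > $TMPC << EOF` stating that the probe only checks that the symbol and the GCRY_KDF_PBKDF2 constant compile and link (the program is never run, which is why the NULL arguments are acceptable). Quoting the target as "$TMPC" would also be safer if the temporary path can contain spaces.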
@@ -4726,6 +4740,7 @@
echo "GNUTLS hash $gnutls_hash"
echo "GNUTLS rnd $gnutls_rnd"
echo "libgcrypt $gcrypt"
+echo "libgcrypt kdf $gcrypt_kdf"
if test "$nettle" = "yes"; then
echo "nettle $nettle ($nettle_version)"
else
@@ -5108,6 +5123,9 @@
fi
if test "$gcrypt" = "yes" ; then
echo "CONFIG_GCRYPT=y" >> $config_host_mak
+ if test "$gcrypt_kdf" = "yes" ; then
+ echo "CONFIG_GCRYPT_KDF=y" >> $config_host_mak
+ fi
fi
if test "$nettle" = "yes" ; then
echo "CONFIG_NETTLE=y" >> $config_host_mak
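Review bot: when gcrypt is "yes" but gcrypt_kdf is "no", only CONFIG_GCRYPT=y is written here, and nothing in these lines shows which PBKDF2 implementation gets built for that combination. Since the commit message says the implementations are backed by nettle and gcrypt, it is worth confirming that the build falls back to a stub that reports an error in this case, rather than compiling the gcrypt backend against a library without gcry_kdf_derive, and noting that behaviour in a comment next to the CONFIG_GCRYPT_KDF line.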