From: "Daniel P. Berrangé" <berrange@redhat.com>
To: qemu-devel@nongnu.org
Cc: "Eduardo Otubo" <otubo@redhat.com>,
"Daniel P. Berrangé" <berrange@redhat.com>,
"Eduardo Habkost" <ehabkost@redhat.com>,
"Juan Quintela" <quintela@redhat.com>,
"Jason Wang" <jasowang@redhat.com>,
"Richard Henderson" <richard.henderson@linaro.org>,
"Dr. David Alan Gilbert" <dgilbert@redhat.com>,
"Markus Armbruster" <armbru@redhat.com>,
"Jiri Pirko" <jiri@resnulli.us>,
"Gerd Hoffmann" <kraxel@redhat.com>,
"Paolo Bonzini" <pbonzini@redhat.com>,
"Eric Blake" <eblake@redhat.com>
Subject: [PULL 16/26] crypto: add gnutls hmac provider
Date: Wed, 14 Jul 2021 15:08:48 +0100 [thread overview]
Message-ID: <20210714140858.2247409-17-berrange@redhat.com> (raw)
In-Reply-To: <20210714140858.2247409-1-berrange@redhat.com>
This adds support for using gnutls as a provider of the crypto
hmac APIs.
Reviewed-by: Eric Blake <eblake@redhat.com>
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
---
crypto/hmac-gnutls.c | 139 +++++++++++++++++++++++++++++++++++++++++++
1 file changed, 139 insertions(+)
create mode 100644 crypto/hmac-gnutls.c
diff --git a/crypto/hmac-gnutls.c b/crypto/hmac-gnutls.c
new file mode 100644
index 0000000000..24db383322
--- /dev/null
+++ b/crypto/hmac-gnutls.c
@@ -0,0 +1,139 @@
+/*
+ * QEMU Crypto hmac algorithms
+ *
+ * Copyright (c) 2021 Red Hat, Inc.
+ *
+ * Derived from hmac-gcrypt.c:
+ *
+ * Copyright (c) 2016 HUAWEI TECHNOLOGIES CO., LTD.
+ *
+ * This work is licensed under the terms of the GNU GPL, version 2 or
+ * (at your option) any later version. See the COPYING file in the
+ * top-level directory.
+ *
+ */
+
+#include "qemu/osdep.h"
+#include <gnutls/crypto.h>
+
+#include "qapi/error.h"
+#include "crypto/hmac.h"
+#include "hmacpriv.h"
+
+static int qcrypto_hmac_alg_map[QCRYPTO_HASH_ALG__MAX] = {
+ [QCRYPTO_HASH_ALG_MD5] = GNUTLS_MAC_MD5,
+ [QCRYPTO_HASH_ALG_SHA1] = GNUTLS_MAC_SHA1,
+ [QCRYPTO_HASH_ALG_SHA224] = GNUTLS_MAC_SHA224,
+ [QCRYPTO_HASH_ALG_SHA256] = GNUTLS_MAC_SHA256,
+ [QCRYPTO_HASH_ALG_SHA384] = GNUTLS_MAC_SHA384,
+ [QCRYPTO_HASH_ALG_SHA512] = GNUTLS_MAC_SHA512,
+ [QCRYPTO_HASH_ALG_RIPEMD160] = GNUTLS_MAC_RMD160,
+};
+
+typedef struct QCryptoHmacGnutls QCryptoHmacGnutls;
+struct QCryptoHmacGnutls {
+ gnutls_hmac_hd_t handle;
+};
+
+bool qcrypto_hmac_supports(QCryptoHashAlgorithm alg)
+{
+ size_t i;
+ const gnutls_digest_algorithm_t *algs;
+ if (alg >= G_N_ELEMENTS(qcrypto_hmac_alg_map) ||
+ qcrypto_hmac_alg_map[alg] == GNUTLS_DIG_UNKNOWN) {
+ return false;
+ }
+ algs = gnutls_digest_list();
+ for (i = 0; algs[i] != GNUTLS_DIG_UNKNOWN; i++) {
+ if (algs[i] == qcrypto_hmac_alg_map[alg]) {
+ return true;
+ }
+ }
+ return false;
+}
+
+void *qcrypto_hmac_ctx_new(QCryptoHashAlgorithm alg,
+ const uint8_t *key, size_t nkey,
+ Error **errp)
+{
+ QCryptoHmacGnutls *ctx;
+ int err;
+
+ if (!qcrypto_hmac_supports(alg)) {
+ error_setg(errp, "Unsupported hmac algorithm %s",
+ QCryptoHashAlgorithm_str(alg));
+ return NULL;
+ }
+
+ ctx = g_new0(QCryptoHmacGnutls, 1);
+
+ err = gnutls_hmac_init(&ctx->handle,
+ qcrypto_hmac_alg_map[alg],
+ (const void *)key, nkey);
+ if (err != 0) {
+ error_setg(errp, "Cannot initialize hmac: %s",
+ gnutls_strerror(err));
+ goto error;
+ }
+
+ return ctx;
+
+error:
+ g_free(ctx);
+ return NULL;
+}
+
+static void
+qcrypto_gnutls_hmac_ctx_free(QCryptoHmac *hmac)
+{
+ QCryptoHmacGnutls *ctx;
+
+ ctx = hmac->opaque;
+ gnutls_hmac_deinit(ctx->handle, NULL);
+
+ g_free(ctx);
+}
+
+static int
+qcrypto_gnutls_hmac_bytesv(QCryptoHmac *hmac,
+ const struct iovec *iov,
+ size_t niov,
+ uint8_t **result,
+ size_t *resultlen,
+ Error **errp)
+{
+ QCryptoHmacGnutls *ctx;
+ uint32_t ret;
+ int i;
+
+ ctx = hmac->opaque;
+
+ for (i = 0; i < niov; i++) {
+ gnutls_hmac(ctx->handle, iov[i].iov_base, iov[i].iov_len);
+ }
+
+ ret = gnutls_hmac_get_len(qcrypto_hmac_alg_map[hmac->alg]);
+ if (ret <= 0) {
+ error_setg(errp, "Unable to get hmac length: %s",
+ gnutls_strerror(ret));
+ return -1;
+ }
+
+ if (*resultlen == 0) {
+ *resultlen = ret;
+ *result = g_new0(uint8_t, *resultlen);
+ } else if (*resultlen != ret) {
+ error_setg(errp, "Result buffer size %zu is smaller than hmac %d",
+ *resultlen, ret);
+ return -1;
+ }
+
+ gnutls_hmac_output(ctx->handle, *result);
+
+ return 0;
+}
+
+QCryptoHmacDriver qcrypto_hmac_lib_driver = {
+ .hmac_bytesv = qcrypto_gnutls_hmac_bytesv,
+ .hmac_free = qcrypto_gnutls_hmac_ctx_free,
+};
--
2.31.1
next prev parent reply other threads:[~2021-07-14 14:26 UTC|newest]
Thread overview: 28+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-14 14:08 [PULL v2 00/26] Crypto and more patches Daniel P. Berrangé
2021-07-14 14:08 ` [PULL 01/26] crypto: remove conditional around 3DES crypto test cases Daniel P. Berrangé
2021-07-14 14:08 ` [PULL 02/26] crypto: remove obsolete crypto test condition Daniel P. Berrangé
2021-07-14 14:08 ` [PULL 03/26] crypto: skip essiv ivgen tests if AES+ECB isn't available Daniel P. Berrangé
2021-07-14 14:08 ` [PULL 04/26] crypto: use &error_fatal in crypto tests Daniel P. Berrangé
2021-07-14 14:08 ` [PULL 05/26] crypto: fix gcrypt min version 1.8 regression Daniel P. Berrangé
2021-07-14 14:08 ` [PULL 06/26] crypto: drop gcrypt thread initialization code Daniel P. Berrangé
2021-07-14 14:08 ` [PULL 07/26] crypto: drop custom XTS support in gcrypt driver Daniel P. Berrangé
2021-07-14 14:08 ` [PULL 08/26] crypto: add crypto tests for single block DES-ECB and DES-CBC Daniel P. Berrangé
2021-07-14 14:08 ` [PULL 09/26] crypto: delete built-in DES implementation Daniel P. Berrangé
2021-07-14 14:08 ` [PULL 10/26] crypto: delete built-in XTS cipher mode support Daniel P. Berrangé
2021-07-14 14:08 ` [PULL 11/26] crypto: replace 'des-rfb' cipher with 'des' Daniel P. Berrangé
2021-07-14 14:08 ` [PULL 12/26] crypto: flip priority of backends to prefer gcrypt Daniel P. Berrangé
2021-07-14 14:08 ` [PULL 13/26] crypto: introduce build system for gnutls crypto backend Daniel P. Berrangé
2021-07-14 14:08 ` [PULL 14/26] crypto: add gnutls cipher provider Daniel P. Berrangé
2021-07-14 14:08 ` [PULL 15/26] crypto: add gnutls hash provider Daniel P. Berrangé
2021-07-14 14:08 ` Daniel P. Berrangé [this message]
2021-07-14 14:08 ` [PULL 17/26] crypto: add gnutls pbkdf provider Daniel P. Berrangé
2021-07-14 14:08 ` [PULL 18/26] crypto: prefer gnutls as the crypto backend if new enough Daniel P. Berrangé
2021-07-14 14:08 ` [PULL 19/26] net/rocker: use GDateTime for formatting timestamp in debug messages Daniel P. Berrangé
2021-07-14 14:08 ` [PULL 20/26] io: use GDateTime for formatting timestamp for websock headers Daniel P. Berrangé
2021-07-14 14:08 ` [PULL 21/26] seccomp: don't block getters for resource control syscalls Daniel P. Berrangé
2021-07-14 14:08 ` [PULL 22/26] tests/migration: fix unix socket migration Daniel P. Berrangé
2021-07-14 14:08 ` [PULL 23/26] docs: fix typo s/Intel/AMD/ in CPU model notes Daniel P. Berrangé
2021-07-14 14:08 ` [PULL 24/26] qemu-options: re-arrange CPU topology options Daniel P. Berrangé
2021-07-14 14:08 ` [PULL 25/26] qemu-options: tweak to show that CPU count is optional Daniel P. Berrangé
2021-07-14 14:08 ` [PULL 26/26] qemu-options: rewrite help for -smp options Daniel P. Berrangé
2021-07-15 20:38 ` [PULL v2 00/26] Crypto and more patches Peter Maydell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210714140858.2247409-17-berrange@redhat.com \
--to=berrange@redhat.com \
--cc=armbru@redhat.com \
--cc=dgilbert@redhat.com \
--cc=eblake@redhat.com \
--cc=ehabkost@redhat.com \
--cc=jasowang@redhat.com \
--cc=jiri@resnulli.us \
--cc=kraxel@redhat.com \
--cc=otubo@redhat.com \
--cc=pbonzini@redhat.com \
--cc=qemu-devel@nongnu.org \
--cc=quintela@redhat.com \
--cc=richard.henderson@linaro.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).