crypto: add gnutls pbkdf provider
This adds support for using gnutls as a provider of the crypto pbkdf APIs. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
This commit is contained in:
parent
678307b605
commit
8c1d3dc772
@ -29,7 +29,7 @@ if nettle.found()
|
||||
elif gcrypt.found()
|
||||
crypto_ss.add(gcrypt, files('hash-gcrypt.c', 'hmac-gcrypt.c', 'pbkdf-gcrypt.c'))
|
||||
elif gnutls_crypto.found()
|
||||
crypto_ss.add(gnutls, files('hash-gnutls.c', 'hmac-glib.c', 'pbkdf-stub.c')
|
||||
crypto_ss.add(gnutls, files('hash-gnutls.c', 'hmac-gnutls.c', 'pbkdf-gnutls.c'))
|
||||
else
|
||||
crypto_ss.add(files('hash-glib.c', 'hmac-glib.c', 'pbkdf-stub.c'))
|
||||
endif
|
||||
|
90
crypto/pbkdf-gnutls.c
Normal file
90
crypto/pbkdf-gnutls.c
Normal file
@ -0,0 +1,90 @@
|
||||
/*
|
||||
* QEMU Crypto PBKDF support (Password-Based Key Derivation Function)
|
||||
*
|
||||
* Copyright (c) 2021 Red Hat, Inc.
|
||||
*
|
||||
* This library is free software; you can redistribute it and/or
|
||||
* modify it under the terms of the GNU Lesser General Public
|
||||
* License as published by the Free Software Foundation; either
|
||||
* version 2.1 of the License, or (at your option) any later version.
|
||||
*
|
||||
* This library is distributed in the hope that it will be useful,
|
||||
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
||||
* Lesser General Public License for more details.
|
||||
*
|
||||
* You should have received a copy of the GNU Lesser General Public
|
||||
* License along with this library; if not, see <http://www.gnu.org/licenses/>.
|
||||
*
|
||||
*/
|
||||
|
||||
#include "qemu/osdep.h"
|
||||
#include <gnutls/crypto.h>
|
||||
#include "qapi/error.h"
|
||||
#include "crypto/pbkdf.h"
|
||||
|
||||
bool qcrypto_pbkdf2_supports(QCryptoHashAlgorithm hash)
|
||||
{
|
||||
switch (hash) {
|
||||
case QCRYPTO_HASH_ALG_MD5:
|
||||
case QCRYPTO_HASH_ALG_SHA1:
|
||||
case QCRYPTO_HASH_ALG_SHA224:
|
||||
case QCRYPTO_HASH_ALG_SHA256:
|
||||
case QCRYPTO_HASH_ALG_SHA384:
|
||||
case QCRYPTO_HASH_ALG_SHA512:
|
||||
case QCRYPTO_HASH_ALG_RIPEMD160:
|
||||
return true;
|
||||
default:
|
||||
return false;
|
||||
}
|
||||
}
|
||||
|
||||
int qcrypto_pbkdf2(QCryptoHashAlgorithm hash,
|
||||
const uint8_t *key, size_t nkey,
|
||||
const uint8_t *salt, size_t nsalt,
|
||||
uint64_t iterations,
|
||||
uint8_t *out, size_t nout,
|
||||
Error **errp)
|
||||
{
|
||||
static const int hash_map[QCRYPTO_HASH_ALG__MAX] = {
|
||||
[QCRYPTO_HASH_ALG_MD5] = GNUTLS_DIG_MD5,
|
||||
[QCRYPTO_HASH_ALG_SHA1] = GNUTLS_DIG_SHA1,
|
||||
[QCRYPTO_HASH_ALG_SHA224] = GNUTLS_DIG_SHA224,
|
||||
[QCRYPTO_HASH_ALG_SHA256] = GNUTLS_DIG_SHA256,
|
||||
[QCRYPTO_HASH_ALG_SHA384] = GNUTLS_DIG_SHA384,
|
||||
[QCRYPTO_HASH_ALG_SHA512] = GNUTLS_DIG_SHA512,
|
||||
[QCRYPTO_HASH_ALG_RIPEMD160] = GNUTLS_DIG_RMD160,
|
||||
};
|
||||
int ret;
|
||||
const gnutls_datum_t gkey = { (unsigned char *)key, nkey };
|
||||
const gnutls_datum_t gsalt = { (unsigned char *)salt, nsalt };
|
||||
|
||||
if (iterations > ULONG_MAX) {
|
||||
error_setg_errno(errp, ERANGE,
|
||||
"PBKDF iterations %llu must be less than %lu",
|
||||
(long long unsigned)iterations, ULONG_MAX);
|
||||
return -1;
|
||||
}
|
||||
|
||||
if (hash >= G_N_ELEMENTS(hash_map) ||
|
||||
hash_map[hash] == GNUTLS_DIG_UNKNOWN) {
|
||||
error_setg_errno(errp, ENOSYS,
|
||||
"PBKDF does not support hash algorithm %s",
|
||||
QCryptoHashAlgorithm_str(hash));
|
||||
return -1;
|
||||
}
|
||||
|
||||
ret = gnutls_pbkdf2(hash_map[hash],
|
||||
&gkey,
|
||||
&gsalt,
|
||||
iterations,
|
||||
out,
|
||||
nout);
|
||||
if (ret != 0) {
|
||||
error_setg(errp, "Cannot derive password: %s",
|
||||
gnutls_strerror(ret));
|
||||
return -1;
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
Loading…
Reference in New Issue
Block a user