Merge tag 'crypto-fixes-pull-request' of https://gitlab.com/berrange/qemu into staging
Various crypto fixes * Support sha384 with glib crypto backend * Improve error reporting for unsupported cipher modes * Avoid memory leak when bad cipher mode is given * Run pbkdf tests on macOS * Runtime check for pbkdf hash impls with gnutls & gcrypt * Avoid hangs counter pbkdf iterations on some Linux kernels by using a throwaway thread for benchmarking performance * Fix iotests expected output from gnutls errors # -----BEGIN PGP SIGNATURE----- # # iQIzBAABCAAdFiEE2vOm/bJrYpEtDo4/vobrtBUQT98FAmbfAy4ACgkQvobrtBUQ # T99ZLhAAomQ7GeUNYM2/Fh9VptSAy9nddp7WwMd2egTZ+wPMnvalxXiMupf0WNzb # 3CJtXojeNCCV8PtBuTmlCmLg+HxFA+zQgkizS9WqUOMies54woGrwQCUIlyez1Au # Y2+9GbRRrkJA860R1aK2EJI5C2ofJf+CJd/nWSxsTzZSPu6Iu3V9ZahSdAq8o96R # AMh//6MOuX5pauyTYLXL3jpxEJEM4YjQ/+AF8D5FYustcN1Icjv2KPL1PArwUOTe # m1NZtcWLxZpmis5vXO8davMbB16bda6YUxuBQ++pFlF3ars7U2JldZ4DIqECAKkI # sxtw6Wq/IjdVwyJLj/+c7CX3/T1p4IuJ8ch6sfVnQz1KUf2NxPtBwSXqQneLUa2G # b46swxL695nCBYkbcfgWYfL5BaU1b0W8Xkk4sRoTNN5tDcYOuE9nMTMu71pHifmz # 1itkxvLdLkwH7mxzTAxVV+vdQk3KiXlmt42/hOJMgAC3WRp2JJsEv64Jpq9huooA # a+7fM5c2r3b77q7hjIwp8X6HmNehCt2KQiGvn0DvMmqb22r/RT9VzE89iNhPNSUx # rCj7b2+19Xrfe1wxwl07GJ7yUXX4XIcphH66iO9nu1RQDBATqNSiJ/dHCfP9iiEP # 7PHf4krOSzA+wL67FP+u8x0sVhpPmbPRvU8VW4+D+Av91TK5wo0= # =wLAZ # -----END PGP SIGNATURE----- # gpg: Signature made Mon 09 Sep 2024 15:16:14 BST # gpg: using RSA key DAF3A6FDB26B62912D0E8E3FBE86EBB415104FDF # gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>" [full] # gpg: aka "Daniel P. Berrange <berrange@redhat.com>" [full] # Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E 8E3F BE86 EBB4 1510 4FDF * tag 'crypto-fixes-pull-request' of https://gitlab.com/berrange/qemu: crypto: Introduce x509 utils crypto: Support SHA384 hash when using glib crypto: Define macros for hash algorithm digest lengths crypto: use consistent error reporting pattern for unsupported cipher modes crypto: avoid leak of ctx when bad cipher mode is given tests/unit: build pbkdf test on macOS tests/unit: always build the pbkdf crypto unit test crypto: check gnutls & gcrypt support the requested pbkdf hash crypto: run qcrypto_pbkdf2_count_iters in a new thread iotests: fix expected output from gnutls Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
This commit is contained in:
		| @@ -525,8 +525,10 @@ static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg, | |||||||
|             case QCRYPTO_CIPHER_MODE_CTR: |             case QCRYPTO_CIPHER_MODE_CTR: | ||||||
|                 drv = &qcrypto_nettle_des_driver_ctr; |                 drv = &qcrypto_nettle_des_driver_ctr; | ||||||
|                 break; |                 break; | ||||||
|             default: |             case QCRYPTO_CIPHER_MODE_XTS: | ||||||
|                 goto bad_cipher_mode; |                 goto bad_cipher_mode; | ||||||
|  |             default: | ||||||
|  |                 g_assert_not_reached(); | ||||||
|             } |             } | ||||||
| 
 | 
 | ||||||
|             ctx = g_new0(QCryptoNettleDES, 1); |             ctx = g_new0(QCryptoNettleDES, 1); | ||||||
| @@ -551,8 +553,10 @@ static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg, | |||||||
|             case QCRYPTO_CIPHER_MODE_CTR: |             case QCRYPTO_CIPHER_MODE_CTR: | ||||||
|                 drv = &qcrypto_nettle_des3_driver_ctr; |                 drv = &qcrypto_nettle_des3_driver_ctr; | ||||||
|                 break; |                 break; | ||||||
|             default: |             case QCRYPTO_CIPHER_MODE_XTS: | ||||||
|                 goto bad_cipher_mode; |                 goto bad_cipher_mode; | ||||||
|  |             default: | ||||||
|  |                 g_assert_not_reached(); | ||||||
|             } |             } | ||||||
| 
 | 
 | ||||||
|             ctx = g_new0(QCryptoNettleDES3, 1); |             ctx = g_new0(QCryptoNettleDES3, 1); | ||||||
| @@ -663,8 +667,10 @@ static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg, | |||||||
|             case QCRYPTO_CIPHER_MODE_CTR: |             case QCRYPTO_CIPHER_MODE_CTR: | ||||||
|                 drv = &qcrypto_nettle_cast128_driver_ctr; |                 drv = &qcrypto_nettle_cast128_driver_ctr; | ||||||
|                 break; |                 break; | ||||||
|             default: |             case QCRYPTO_CIPHER_MODE_XTS: | ||||||
|                 goto bad_cipher_mode; |                 goto bad_cipher_mode; | ||||||
|  |             default: | ||||||
|  |                 g_assert_not_reached(); | ||||||
|             } |             } | ||||||
| 
 | 
 | ||||||
|             ctx = g_new0(QCryptoNettleCAST128, 1); |             ctx = g_new0(QCryptoNettleCAST128, 1); | ||||||
| @@ -734,16 +740,23 @@ static QCryptoCipher *qcrypto_cipher_ctx_new(QCryptoCipherAlgorithm alg, | |||||||
| #ifdef CONFIG_CRYPTO_SM4
 | #ifdef CONFIG_CRYPTO_SM4
 | ||||||
|     case QCRYPTO_CIPHER_ALG_SM4: |     case QCRYPTO_CIPHER_ALG_SM4: | ||||||
|         { |         { | ||||||
|             QCryptoNettleSm4 *ctx = g_new0(QCryptoNettleSm4, 1); |             QCryptoNettleSm4 *ctx; | ||||||
|  |             const QCryptoCipherDriver *drv; | ||||||
| 
 | 
 | ||||||
|             switch (mode) { |             switch (mode) { | ||||||
|             case QCRYPTO_CIPHER_MODE_ECB: |             case QCRYPTO_CIPHER_MODE_ECB: | ||||||
|                 ctx->base.driver = &qcrypto_nettle_sm4_driver_ecb; |                 drv = &qcrypto_nettle_sm4_driver_ecb; | ||||||
|                 break; |                 break; | ||||||
|             default: |             case QCRYPTO_CIPHER_MODE_CBC: | ||||||
|  |             case QCRYPTO_CIPHER_MODE_CTR: | ||||||
|  |             case QCRYPTO_CIPHER_MODE_XTS: | ||||||
|                 goto bad_cipher_mode; |                 goto bad_cipher_mode; | ||||||
|  |             default: | ||||||
|  |                 g_assert_not_reached(); | ||||||
|             } |             } | ||||||
| 
 | 
 | ||||||
|  |             ctx = g_new0(QCryptoNettleSm4, 1); | ||||||
|  |             ctx->base.driver = drv; | ||||||
|             sm4_set_encrypt_key(&ctx->key[0], key); |             sm4_set_encrypt_key(&ctx->key[0], key); | ||||||
|             sm4_set_decrypt_key(&ctx->key[1], key); |             sm4_set_decrypt_key(&ctx->key[1], key); | ||||||
| 
 | 
 | ||||||
|   | |||||||
| @@ -29,7 +29,7 @@ static int qcrypto_hash_alg_map[QCRYPTO_HASH_ALG__MAX] = { | |||||||
|     [QCRYPTO_HASH_ALG_SHA1] = G_CHECKSUM_SHA1, |     [QCRYPTO_HASH_ALG_SHA1] = G_CHECKSUM_SHA1, | ||||||
|     [QCRYPTO_HASH_ALG_SHA224] = -1, |     [QCRYPTO_HASH_ALG_SHA224] = -1, | ||||||
|     [QCRYPTO_HASH_ALG_SHA256] = G_CHECKSUM_SHA256, |     [QCRYPTO_HASH_ALG_SHA256] = G_CHECKSUM_SHA256, | ||||||
|     [QCRYPTO_HASH_ALG_SHA384] = -1, |     [QCRYPTO_HASH_ALG_SHA384] = G_CHECKSUM_SHA384, | ||||||
|     [QCRYPTO_HASH_ALG_SHA512] = G_CHECKSUM_SHA512, |     [QCRYPTO_HASH_ALG_SHA512] = G_CHECKSUM_SHA512, | ||||||
|     [QCRYPTO_HASH_ALG_RIPEMD160] = -1, |     [QCRYPTO_HASH_ALG_RIPEMD160] = -1, | ||||||
| }; | }; | ||||||
|   | |||||||
| @@ -23,13 +23,13 @@ | |||||||
| #include "hashpriv.h" | #include "hashpriv.h" | ||||||
|  |  | ||||||
| static size_t qcrypto_hash_alg_size[QCRYPTO_HASH_ALG__MAX] = { | static size_t qcrypto_hash_alg_size[QCRYPTO_HASH_ALG__MAX] = { | ||||||
|     [QCRYPTO_HASH_ALG_MD5] = 16, |     [QCRYPTO_HASH_ALG_MD5]       = QCRYPTO_HASH_DIGEST_LEN_MD5, | ||||||
|     [QCRYPTO_HASH_ALG_SHA1] = 20, |     [QCRYPTO_HASH_ALG_SHA1]      = QCRYPTO_HASH_DIGEST_LEN_SHA1, | ||||||
|     [QCRYPTO_HASH_ALG_SHA224] = 28, |     [QCRYPTO_HASH_ALG_SHA224]    = QCRYPTO_HASH_DIGEST_LEN_SHA224, | ||||||
|     [QCRYPTO_HASH_ALG_SHA256] = 32, |     [QCRYPTO_HASH_ALG_SHA256]    = QCRYPTO_HASH_DIGEST_LEN_SHA256, | ||||||
|     [QCRYPTO_HASH_ALG_SHA384] = 48, |     [QCRYPTO_HASH_ALG_SHA384]    = QCRYPTO_HASH_DIGEST_LEN_SHA384, | ||||||
|     [QCRYPTO_HASH_ALG_SHA512] = 64, |     [QCRYPTO_HASH_ALG_SHA512]    = QCRYPTO_HASH_DIGEST_LEN_SHA512, | ||||||
|     [QCRYPTO_HASH_ALG_RIPEMD160] = 20, |     [QCRYPTO_HASH_ALG_RIPEMD160] = QCRYPTO_HASH_DIGEST_LEN_RIPEMD160, | ||||||
| }; | }; | ||||||
|  |  | ||||||
| size_t qcrypto_hash_digest_len(QCryptoHashAlgorithm alg) | size_t qcrypto_hash_digest_len(QCryptoHashAlgorithm alg) | ||||||
|   | |||||||
| @@ -24,6 +24,10 @@ crypto_ss.add(files( | |||||||
|   'rsakey.c', |   'rsakey.c', | ||||||
| )) | )) | ||||||
|  |  | ||||||
|  | if gnutls.found() | ||||||
|  |   crypto_ss.add(files('x509-utils.c')) | ||||||
|  | endif | ||||||
|  |  | ||||||
| if nettle.found() | if nettle.found() | ||||||
|   crypto_ss.add(nettle, files('hash-nettle.c', 'hmac-nettle.c', 'pbkdf-nettle.c')) |   crypto_ss.add(nettle, files('hash-nettle.c', 'hmac-nettle.c', 'pbkdf-nettle.c')) | ||||||
|   if hogweed.found() |   if hogweed.found() | ||||||
|   | |||||||
| @@ -33,7 +33,7 @@ bool qcrypto_pbkdf2_supports(QCryptoHashAlgorithm hash) | |||||||
|     case QCRYPTO_HASH_ALG_SHA384: |     case QCRYPTO_HASH_ALG_SHA384: | ||||||
|     case QCRYPTO_HASH_ALG_SHA512: |     case QCRYPTO_HASH_ALG_SHA512: | ||||||
|     case QCRYPTO_HASH_ALG_RIPEMD160: |     case QCRYPTO_HASH_ALG_RIPEMD160: | ||||||
|         return true; |         return qcrypto_hash_supports(hash); | ||||||
|     default: |     default: | ||||||
|         return false; |         return false; | ||||||
|     } |     } | ||||||
|   | |||||||
| @@ -33,7 +33,7 @@ bool qcrypto_pbkdf2_supports(QCryptoHashAlgorithm hash) | |||||||
|     case QCRYPTO_HASH_ALG_SHA384: |     case QCRYPTO_HASH_ALG_SHA384: | ||||||
|     case QCRYPTO_HASH_ALG_SHA512: |     case QCRYPTO_HASH_ALG_SHA512: | ||||||
|     case QCRYPTO_HASH_ALG_RIPEMD160: |     case QCRYPTO_HASH_ALG_RIPEMD160: | ||||||
|         return true; |         return qcrypto_hash_supports(hash); | ||||||
|     default: |     default: | ||||||
|         return false; |         return false; | ||||||
|     } |     } | ||||||
|   | |||||||
| @@ -19,6 +19,7 @@ | |||||||
|  */ |  */ | ||||||
|  |  | ||||||
| #include "qemu/osdep.h" | #include "qemu/osdep.h" | ||||||
|  | #include "qemu/thread.h" | ||||||
| #include "qapi/error.h" | #include "qapi/error.h" | ||||||
| #include "crypto/pbkdf.h" | #include "crypto/pbkdf.h" | ||||||
| #ifndef _WIN32 | #ifndef _WIN32 | ||||||
| @@ -85,12 +86,28 @@ static int qcrypto_pbkdf2_get_thread_cpu(unsigned long long *val_ms, | |||||||
| #endif | #endif | ||||||
| } | } | ||||||
|  |  | ||||||
| uint64_t qcrypto_pbkdf2_count_iters(QCryptoHashAlgorithm hash, | typedef struct CountItersData { | ||||||
|                                     const uint8_t *key, size_t nkey, |     QCryptoHashAlgorithm hash; | ||||||
|                                     const uint8_t *salt, size_t nsalt, |     const uint8_t *key; | ||||||
|                                     size_t nout, |     size_t nkey; | ||||||
|                                     Error **errp) |     const uint8_t *salt; | ||||||
|  |     size_t nsalt; | ||||||
|  |     size_t nout; | ||||||
|  |     uint64_t iterations; | ||||||
|  |     Error **errp; | ||||||
|  | } CountItersData; | ||||||
|  |  | ||||||
|  | static void *threaded_qcrypto_pbkdf2_count_iters(void *data) | ||||||
| { | { | ||||||
|  |     CountItersData *iters_data = (CountItersData *) data; | ||||||
|  |     QCryptoHashAlgorithm hash = iters_data->hash; | ||||||
|  |     const uint8_t *key = iters_data->key; | ||||||
|  |     size_t nkey = iters_data->nkey; | ||||||
|  |     const uint8_t *salt = iters_data->salt; | ||||||
|  |     size_t nsalt = iters_data->nsalt; | ||||||
|  |     size_t nout = iters_data->nout; | ||||||
|  |     Error **errp = iters_data->errp; | ||||||
|  |  | ||||||
|     uint64_t ret = -1; |     uint64_t ret = -1; | ||||||
|     g_autofree uint8_t *out = g_new(uint8_t, nout); |     g_autofree uint8_t *out = g_new(uint8_t, nout); | ||||||
|     uint64_t iterations = (1 << 15); |     uint64_t iterations = (1 << 15); | ||||||
| @@ -114,7 +131,10 @@ uint64_t qcrypto_pbkdf2_count_iters(QCryptoHashAlgorithm hash, | |||||||
|  |  | ||||||
|         delta_ms = end_ms - start_ms; |         delta_ms = end_ms - start_ms; | ||||||
|  |  | ||||||
|         if (delta_ms > 500) { |         if (delta_ms == 0) { /* sanity check */ | ||||||
|  |             error_setg(errp, "Unable to get accurate CPU usage"); | ||||||
|  |             goto cleanup; | ||||||
|  |         } else if (delta_ms > 500) { | ||||||
|             break; |             break; | ||||||
|         } else if (delta_ms < 100) { |         } else if (delta_ms < 100) { | ||||||
|             iterations = iterations * 10; |             iterations = iterations * 10; | ||||||
| @@ -129,5 +149,24 @@ uint64_t qcrypto_pbkdf2_count_iters(QCryptoHashAlgorithm hash, | |||||||
|  |  | ||||||
|  cleanup: |  cleanup: | ||||||
|     memset(out, 0, nout); |     memset(out, 0, nout); | ||||||
|     return ret; |     iters_data->iterations = ret; | ||||||
|  |     return NULL; | ||||||
|  | } | ||||||
|  |  | ||||||
|  | uint64_t qcrypto_pbkdf2_count_iters(QCryptoHashAlgorithm hash, | ||||||
|  |                                     const uint8_t *key, size_t nkey, | ||||||
|  |                                     const uint8_t *salt, size_t nsalt, | ||||||
|  |                                     size_t nout, | ||||||
|  |                                     Error **errp) | ||||||
|  | { | ||||||
|  |     CountItersData data = { | ||||||
|  |         hash, key, nkey, salt, nsalt, nout, 0, errp | ||||||
|  |     }; | ||||||
|  |     QemuThread thread; | ||||||
|  |  | ||||||
|  |     qemu_thread_create(&thread, "pbkdf2", threaded_qcrypto_pbkdf2_count_iters, | ||||||
|  |                        &data, QEMU_THREAD_JOINABLE); | ||||||
|  |     qemu_thread_join(&thread); | ||||||
|  |  | ||||||
|  |     return data.iterations; | ||||||
| } | } | ||||||
|   | |||||||
							
								
								
									
										76
									
								
								crypto/x509-utils.c
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										76
									
								
								crypto/x509-utils.c
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,76 @@ | |||||||
|  | /* | ||||||
|  |  * X.509 certificate related helpers | ||||||
|  |  * | ||||||
|  |  * Copyright (c) 2024 Dorjoy Chowdhury <dorjoychy111@gmail.com> | ||||||
|  |  * | ||||||
|  |  * This work is licensed under the terms of the GNU GPL, version 2 or | ||||||
|  |  * (at your option) any later version.  See the COPYING file in the | ||||||
|  |  * top-level directory. | ||||||
|  |  */ | ||||||
|  |  | ||||||
|  | #include "qemu/osdep.h" | ||||||
|  | #include "qapi/error.h" | ||||||
|  | #include "crypto/x509-utils.h" | ||||||
|  | #include <gnutls/gnutls.h> | ||||||
|  | #include <gnutls/crypto.h> | ||||||
|  | #include <gnutls/x509.h> | ||||||
|  |  | ||||||
|  | static const int qcrypto_to_gnutls_hash_alg_map[QCRYPTO_HASH_ALG__MAX] = { | ||||||
|  |     [QCRYPTO_HASH_ALG_MD5] = GNUTLS_DIG_MD5, | ||||||
|  |     [QCRYPTO_HASH_ALG_SHA1] = GNUTLS_DIG_SHA1, | ||||||
|  |     [QCRYPTO_HASH_ALG_SHA224] = GNUTLS_DIG_SHA224, | ||||||
|  |     [QCRYPTO_HASH_ALG_SHA256] = GNUTLS_DIG_SHA256, | ||||||
|  |     [QCRYPTO_HASH_ALG_SHA384] = GNUTLS_DIG_SHA384, | ||||||
|  |     [QCRYPTO_HASH_ALG_SHA512] = GNUTLS_DIG_SHA512, | ||||||
|  |     [QCRYPTO_HASH_ALG_RIPEMD160] = GNUTLS_DIG_RMD160, | ||||||
|  | }; | ||||||
|  |  | ||||||
|  | int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, | ||||||
|  |                                       QCryptoHashAlgorithm alg, | ||||||
|  |                                       uint8_t *result, | ||||||
|  |                                       size_t *resultlen, | ||||||
|  |                                       Error **errp) | ||||||
|  | { | ||||||
|  |     int ret = -1; | ||||||
|  |     int hlen; | ||||||
|  |     gnutls_x509_crt_t crt; | ||||||
|  |     gnutls_datum_t datum = {.data = cert, .size = size}; | ||||||
|  |  | ||||||
|  |     if (alg >= G_N_ELEMENTS(qcrypto_to_gnutls_hash_alg_map)) { | ||||||
|  |         error_setg(errp, "Unknown hash algorithm"); | ||||||
|  |         return -1; | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     if (result == NULL) { | ||||||
|  |         error_setg(errp, "No valid buffer given"); | ||||||
|  |         return -1; | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     gnutls_x509_crt_init(&crt); | ||||||
|  |  | ||||||
|  |     if (gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM) != 0) { | ||||||
|  |         error_setg(errp, "Failed to import certificate"); | ||||||
|  |         goto cleanup; | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     hlen = gnutls_hash_get_len(qcrypto_to_gnutls_hash_alg_map[alg]); | ||||||
|  |     if (*resultlen < hlen) { | ||||||
|  |         error_setg(errp, | ||||||
|  |                    "Result buffer size %zu is smaller than hash %d", | ||||||
|  |                    *resultlen, hlen); | ||||||
|  |         goto cleanup; | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     if (gnutls_x509_crt_get_fingerprint(crt, | ||||||
|  |                                         qcrypto_to_gnutls_hash_alg_map[alg], | ||||||
|  |                                         result, resultlen) != 0) { | ||||||
|  |         error_setg(errp, "Failed to get fingerprint from certificate"); | ||||||
|  |         goto cleanup; | ||||||
|  |     } | ||||||
|  |  | ||||||
|  |     ret = 0; | ||||||
|  |  | ||||||
|  |  cleanup: | ||||||
|  |     gnutls_x509_crt_deinit(crt); | ||||||
|  |     return ret; | ||||||
|  | } | ||||||
| @@ -23,6 +23,14 @@ | |||||||
|  |  | ||||||
| #include "qapi/qapi-types-crypto.h" | #include "qapi/qapi-types-crypto.h" | ||||||
|  |  | ||||||
|  | #define QCRYPTO_HASH_DIGEST_LEN_MD5       16 | ||||||
|  | #define QCRYPTO_HASH_DIGEST_LEN_SHA1      20 | ||||||
|  | #define QCRYPTO_HASH_DIGEST_LEN_SHA224    28 | ||||||
|  | #define QCRYPTO_HASH_DIGEST_LEN_SHA256    32 | ||||||
|  | #define QCRYPTO_HASH_DIGEST_LEN_SHA384    48 | ||||||
|  | #define QCRYPTO_HASH_DIGEST_LEN_SHA512    64 | ||||||
|  | #define QCRYPTO_HASH_DIGEST_LEN_RIPEMD160 20 | ||||||
|  |  | ||||||
| /* See also "QCryptoHashAlgorithm" defined in qapi/crypto.json */ | /* See also "QCryptoHashAlgorithm" defined in qapi/crypto.json */ | ||||||
|  |  | ||||||
| /** | /** | ||||||
|   | |||||||
							
								
								
									
										22
									
								
								include/crypto/x509-utils.h
									
									
									
									
									
										Normal file
									
								
							
							
						
						
									
										22
									
								
								include/crypto/x509-utils.h
									
									
									
									
									
										Normal file
									
								
							| @@ -0,0 +1,22 @@ | |||||||
|  | /* | ||||||
|  |  * X.509 certificate related helpers | ||||||
|  |  * | ||||||
|  |  * Copyright (c) 2024 Dorjoy Chowdhury <dorjoychy111@gmail.com> | ||||||
|  |  * | ||||||
|  |  * This work is licensed under the terms of the GNU GPL, version 2 or | ||||||
|  |  * (at your option) any later version.  See the COPYING file in the | ||||||
|  |  * top-level directory. | ||||||
|  |  */ | ||||||
|  |  | ||||||
|  | #ifndef QCRYPTO_X509_UTILS_H | ||||||
|  | #define QCRYPTO_X509_UTILS_H | ||||||
|  |  | ||||||
|  | #include "crypto/hash.h" | ||||||
|  |  | ||||||
|  | int qcrypto_get_x509_cert_fingerprint(uint8_t *cert, size_t size, | ||||||
|  |                                       QCryptoHashAlgorithm hash, | ||||||
|  |                                       uint8_t *result, | ||||||
|  |                                       size_t *resultlen, | ||||||
|  |                                       Error **errp); | ||||||
|  |  | ||||||
|  | #endif | ||||||
| @@ -69,8 +69,8 @@ read 1048576/1048576 bytes at offset 1048576 | |||||||
| 1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) | 1 MiB, X ops; XX:XX:XX.X (XXX YYY/sec and XXX ops/sec) | ||||||
|  |  | ||||||
| == check TLS with authorization == | == check TLS with authorization == | ||||||
| qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': Failed to read option reply: Cannot read from TLS channel: Software caused connection abort | qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': Failed to read option reply: Cannot read from TLS channel: The TLS connection was non-properly terminated. | ||||||
| qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': Failed to read option reply: Cannot read from TLS channel: Software caused connection abort | qemu-img: Could not open 'driver=nbd,host=127.0.0.1,port=PORT,tls-creds=tls0': Failed to read option reply: Cannot read from TLS channel: The TLS connection was non-properly terminated. | ||||||
|  |  | ||||||
| == check TLS fail over UNIX with no hostname == | == check TLS fail over UNIX with no hostname == | ||||||
| qemu-img: Could not open 'driver=nbd,path=SOCK_DIR/qemu-nbd.sock,tls-creds=tls0': No hostname for certificate validation | qemu-img: Could not open 'driver=nbd,path=SOCK_DIR/qemu-nbd.sock,tls-creds=tls0': No hostname for certificate validation | ||||||
| @@ -103,14 +103,14 @@ qemu-img: Could not open 'driver=nbd,path=SOCK_DIR/qemu-nbd.sock,tls-creds=tls0' | |||||||
| qemu-nbd: TLS handshake failed: The TLS connection was non-properly terminated. | qemu-nbd: TLS handshake failed: The TLS connection was non-properly terminated. | ||||||
|  |  | ||||||
| == final server log == | == final server log == | ||||||
| qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort | qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: The TLS connection was non-properly terminated. | ||||||
| qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort | qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: The TLS connection was non-properly terminated. | ||||||
| qemu-nbd: option negotiation failed: Verify failed: No certificate was found. | qemu-nbd: option negotiation failed: Verify failed: No certificate was found. | ||||||
| qemu-nbd: option negotiation failed: Verify failed: No certificate was found. | qemu-nbd: option negotiation failed: Verify failed: No certificate was found. | ||||||
| qemu-nbd: option negotiation failed: TLS x509 authz check for DISTINGUISHED-NAME is denied | qemu-nbd: option negotiation failed: TLS x509 authz check for DISTINGUISHED-NAME is denied | ||||||
| qemu-nbd: option negotiation failed: TLS x509 authz check for DISTINGUISHED-NAME is denied | qemu-nbd: option negotiation failed: TLS x509 authz check for DISTINGUISHED-NAME is denied | ||||||
| qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort | qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: The TLS connection was non-properly terminated. | ||||||
| qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: Software caused connection abort | qemu-nbd: option negotiation failed: Failed to read opts magic: Cannot read from TLS channel: The TLS connection was non-properly terminated. | ||||||
| qemu-nbd: option negotiation failed: TLS handshake failed: An illegal parameter has been received. | qemu-nbd: option negotiation failed: TLS handshake failed: An illegal parameter has been received. | ||||||
| qemu-nbd: option negotiation failed: TLS handshake failed: An illegal parameter has been received. | qemu-nbd: option negotiation failed: TLS handshake failed: An illegal parameter has been received. | ||||||
| *** done | *** done | ||||||
|   | |||||||
| @@ -121,9 +121,7 @@ if have_block | |||||||
|   if config_host_data.get('CONFIG_REPLICATION') |   if config_host_data.get('CONFIG_REPLICATION') | ||||||
|     tests += {'test-replication': [testblock]} |     tests += {'test-replication': [testblock]} | ||||||
|   endif |   endif | ||||||
|   if nettle.found() or gcrypt.found() |   tests += {'test-crypto-pbkdf': [io]} | ||||||
|     tests += {'test-crypto-pbkdf': [io]} |  | ||||||
|   endif |  | ||||||
| endif | endif | ||||||
|  |  | ||||||
| if have_system | if have_system | ||||||
|   | |||||||
| @@ -25,8 +25,7 @@ | |||||||
| #include <sys/resource.h> | #include <sys/resource.h> | ||||||
| #endif | #endif | ||||||
|  |  | ||||||
| #if ((defined(CONFIG_NETTLE) || defined(CONFIG_GCRYPT)) && \ | #if defined(_WIN32) || defined(RUSAGE_THREAD) || defined(CONFIG_DARWNI) | ||||||
|      (defined(_WIN32) || defined(RUSAGE_THREAD))) |  | ||||||
| #include "crypto/pbkdf.h" | #include "crypto/pbkdf.h" | ||||||
|  |  | ||||||
| typedef struct QCryptoPbkdfTestData QCryptoPbkdfTestData; | typedef struct QCryptoPbkdfTestData QCryptoPbkdfTestData; | ||||||
| @@ -394,7 +393,7 @@ static void test_pbkdf(const void *opaque) | |||||||
| } | } | ||||||
|  |  | ||||||
|  |  | ||||||
| static void test_pbkdf_timing(void) | static void test_pbkdf_timing_sha256(void) | ||||||
| { | { | ||||||
|     uint8_t key[32]; |     uint8_t key[32]; | ||||||
|     uint8_t salt[32]; |     uint8_t salt[32]; | ||||||
| @@ -422,14 +421,18 @@ int main(int argc, char **argv) | |||||||
|     g_assert(qcrypto_init(NULL) == 0); |     g_assert(qcrypto_init(NULL) == 0); | ||||||
|  |  | ||||||
|     for (i = 0; i < G_N_ELEMENTS(test_data); i++) { |     for (i = 0; i < G_N_ELEMENTS(test_data); i++) { | ||||||
|  |         if (!qcrypto_pbkdf2_supports(test_data[i].hash)) { | ||||||
|  |             continue; | ||||||
|  |         } | ||||||
|  |  | ||||||
|         if (!test_data[i].slow || |         if (!test_data[i].slow || | ||||||
|             g_test_slow()) { |             g_test_slow()) { | ||||||
|             g_test_add_data_func(test_data[i].path, &test_data[i], test_pbkdf); |             g_test_add_data_func(test_data[i].path, &test_data[i], test_pbkdf); | ||||||
|         } |         } | ||||||
|     } |     } | ||||||
|  |  | ||||||
|     if (g_test_slow()) { |     if (g_test_slow() && qcrypto_pbkdf2_supports(QCRYPTO_HASH_ALG_SHA256)) { | ||||||
|         g_test_add_func("/crypt0/pbkdf/timing", test_pbkdf_timing); |         g_test_add_func("/crypt0/pbkdf/timing/sha256", test_pbkdf_timing_sha256); | ||||||
|     } |     } | ||||||
|  |  | ||||||
|     return g_test_run(); |     return g_test_run(); | ||||||
|   | |||||||
		Reference in New Issue
	
	Block a user