haraldwolff/qemu-patch-raspberry4
1
0
Fork 0
Code Issues Pull requests Packages Projects Releases Wiki Activity

Merge qcrypto 2016/10/20 v1

Browse source 
-----BEGIN PGP SIGNATURE-----
 
 iQIcBAABCAAGBQJYCLFxAAoJEL6G67QVEE/fgxAQAJbVAzBWTjWylGpZ7SivFytb
 Inr9JI4izKs1TS4BjzgFm3qS9GLFyEQz2J4OQJ3GQi9dBauCkgoaqxziEaR69FHT
 8lPFml2RoCx4RjFHgkO+mYt+8THuGc0YGZ2zLMp3X1ed5ip56WhWv5EqBj775Mjp
 xvHCyiqBhU8H6QgX9uvn9pJ1m+o5suJPO6DudRJJMDqTaDem8Hu+/aBi710K22C6
 Vk5MylHbNUye6Rhsh3l1IDJOjcHiL7SIz04js8jZzoTnU76ar2U7o2Nx0huGWNBs
 ZXoK61nfgnxMq5cq/2N9mvzBhv8CywXV2wr23nGx5pcS0gbN4VpLko9xjGGWzlPH
 T/y7UoX1SGGp4CqEttbC8qiE3GKFjxf/lManam3CNgDdP0/YGuQ1G8Ocz5czPNw/
 CHr0lTuqHVDCagc6lr2laRamgsdQk3hQaVX4kl2C+ObS+4n1Nu8oFZhD9Hym1Tuf
 fFV5jMucqMYj6QlRlwaDRMhP/XJF/bCSoTu4vf5/MQU1Kd/OF0r3iV9GcHRr0eFs
 aYJs3DS/AHwejThGvq11/2V6WuVCiLkyQz79p9bPCTFDfmCEwVo9rF0NJOf9PMPf
 3hNM1GvTnZhm5z8hzxKd5Uke5yEF+c7i/ix1tRWKI1DASTiCcIDEGLIzga3IoYZU
 HPZxL7VEhFeXfmSc9sTP
 =cZy7
 -----END PGP SIGNATURE-----

Merge remote-tracking branch 'remotes/berrange/tags/pull-qcrypto-2016-10-20-1' into staging

Merge qcrypto 2016/10/20 v1

# gpg: Signature made Thu 20 Oct 2016 12:58:41 BST
# gpg:                using RSA key 0xBE86EBB415104FDF
# gpg: Good signature from "Daniel P. Berrange <dan@berrange.com>"
# gpg:                 aka "Daniel P. Berrange <berrange@redhat.com>"
# Primary key fingerprint: DAF3 A6FD B26B 6291 2D0E  8E3F BE86 EBB4 1510 4FDF

* remotes/berrange/tags/pull-qcrypto-2016-10-20-1:
  crypto: fix initialization of gcrypt threading
  crypto: fix initialization of crypto in tests
  qtest: fix make check complaint in crypto module
  crypto: add mode check in qcrypto_cipher_new() for cipher-builtin
  crypto: add CTR mode support
  crypto: extend mode as a parameter in qcrypto_cipher_supports()

Signed-off-by: Peter Maydell <peter.maydell@linaro.org>
This commit is contained in:
Peter Maydell 2016-10-20 14:46:19 +01:00
parent 1b0d3845b4 373166636b
commit da158a86c4
14 changed files with 165 additions and 34 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

3
block/qcow.c
View file

@ -153,7 +153,8 @@ static int qcow_open(BlockDriverState *bs, QDict *options, int flags,
ret = -EINVAL;
goto fail;
}
if (!qcrypto_cipher_supports(QCRYPTO_CIPHER_ALG_AES_128)) {
if (!qcrypto_cipher_supports(QCRYPTO_CIPHER_ALG_AES_128,
QCRYPTO_CIPHER_MODE_CBC)) {
error_setg(errp, "AES cipher not available");
ret = -EINVAL;
goto fail;

3
block/qcow2.c
View file

@ -959,7 +959,8 @@ static int qcow2_open(BlockDriverState *bs, QDict *options, int flags,
ret = -EINVAL;
goto fail;
}
if (!qcrypto_cipher_supports(QCRYPTO_CIPHER_ALG_AES_128)) {
if (!qcrypto_cipher_supports(QCRYPTO_CIPHER_ALG_AES_128,
QCRYPTO_CIPHER_MODE_CBC)) {
error_setg(errp, "AES cipher not available");
ret = -EINVAL;
goto fail;

25
crypto/cipher-builtin.c
View file

@ -400,14 +400,26 @@ static int qcrypto_cipher_init_des_rfb(QCryptoCipher *cipher,
}
bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg)
bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
QCryptoCipherMode mode)
{
switch (alg) {
case QCRYPTO_CIPHER_ALG_DES_RFB:
case QCRYPTO_CIPHER_ALG_AES_128:
case QCRYPTO_CIPHER_ALG_AES_192:
case QCRYPTO_CIPHER_ALG_AES_256:
break;
default:
return false;
}
switch (mode) {
case QCRYPTO_CIPHER_MODE_ECB:
case QCRYPTO_CIPHER_MODE_CBC:
case QCRYPTO_CIPHER_MODE_XTS:
return true;
case QCRYPTO_CIPHER_MODE_CTR:
return false;
default:
return false;
}
@ -421,6 +433,17 @@ QCryptoCipher *qcrypto_cipher_new(QCryptoCipherAlgorithm alg,
{
QCryptoCipher *cipher;
switch (mode) {
case QCRYPTO_CIPHER_MODE_ECB:
case QCRYPTO_CIPHER_MODE_CBC:
case QCRYPTO_CIPHER_MODE_XTS:
break;
default:
error_setg(errp, "Unsupported cipher mode %s",
QCryptoCipherMode_lookup[mode]);
return NULL;
}
cipher = g_new0(QCryptoCipher, 1);
cipher->alg = alg;
cipher->mode = mode;

38
crypto/cipher-gcrypt.c
View file

@ -24,7 +24,8 @@
#include <gcrypt.h>
bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg)
bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
QCryptoCipherMode mode)
{
switch (alg) {
case QCRYPTO_CIPHER_ALG_DES_RFB:
@ -37,6 +38,16 @@ bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg)
case QCRYPTO_CIPHER_ALG_SERPENT_256:
case QCRYPTO_CIPHER_ALG_TWOFISH_128:
case QCRYPTO_CIPHER_ALG_TWOFISH_256:
break;
default:
return false;
}
switch (mode) {
case QCRYPTO_CIPHER_MODE_ECB:
case QCRYPTO_CIPHER_MODE_CBC:
case QCRYPTO_CIPHER_MODE_XTS:
case QCRYPTO_CIPHER_MODE_CTR:
return true;
default:
return false;
@ -48,6 +59,7 @@ struct QCryptoCipherGcrypt {
gcry_cipher_hd_t handle;
gcry_cipher_hd_t tweakhandle;
size_t blocksize;
/* Initialization vector or Counter */
uint8_t *iv;
};
@ -69,6 +81,9 @@ QCryptoCipher *qcrypto_cipher_new(QCryptoCipherAlgorithm alg,
case QCRYPTO_CIPHER_MODE_CBC:
gcrymode = GCRY_CIPHER_MODE_CBC;
break;
case QCRYPTO_CIPHER_MODE_CTR:
gcrymode = GCRY_CIPHER_MODE_CTR;
break;
default:
error_setg(errp, "Unsupported cipher mode %s",
QCryptoCipherMode_lookup[mode]);
@ -339,12 +354,21 @@ int qcrypto_cipher_setiv(QCryptoCipher *cipher,
if (ctx->iv) {
memcpy(ctx->iv, iv, niv);
} else {
gcry_cipher_reset(ctx->handle);
err = gcry_cipher_setiv(ctx->handle, iv, niv);
if (err != 0) {
error_setg(errp, "Cannot set IV: %s",
gcry_strerror(err));
return -1;
if (cipher->mode == QCRYPTO_CIPHER_MODE_CTR) {
err = gcry_cipher_setctr(ctx->handle, iv, niv);
if (err != 0) {
error_setg(errp, "Cannot set Counter: %s",
gcry_strerror(err));
return -1;
}
} else {
gcry_cipher_reset(ctx->handle);
err = gcry_cipher_setiv(ctx->handle, iv, niv);
if (err != 0) {
error_setg(errp, "Cannot set IV: %s",
gcry_strerror(err));
return -1;
}
}
}

28
crypto/cipher-nettle.c
View file

@ -28,6 +28,7 @@
#include <nettle/cast128.h>
#include <nettle/serpent.h>
#include <nettle/twofish.h>
#include <nettle/ctr.h>
typedef void (*QCryptoCipherNettleFuncWrapper)(const void *ctx,
size_t length,
@ -186,12 +187,13 @@ struct QCryptoCipherNettle {
QCryptoCipherNettleFuncNative alg_decrypt_native;
QCryptoCipherNettleFuncWrapper alg_encrypt_wrapper;
QCryptoCipherNettleFuncWrapper alg_decrypt_wrapper;
/* Initialization vector or Counter */
uint8_t *iv;
size_t blocksize;
};
bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg)
bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
QCryptoCipherMode mode)
{
switch (alg) {
case QCRYPTO_CIPHER_ALG_DES_RFB:
@ -205,6 +207,16 @@ bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg)
case QCRYPTO_CIPHER_ALG_TWOFISH_128:
case QCRYPTO_CIPHER_ALG_TWOFISH_192:
case QCRYPTO_CIPHER_ALG_TWOFISH_256:
break;
default:
return false;
}
switch (mode) {
case QCRYPTO_CIPHER_MODE_ECB:
case QCRYPTO_CIPHER_MODE_CBC:
case QCRYPTO_CIPHER_MODE_XTS:
case QCRYPTO_CIPHER_MODE_CTR:
return true;
default:
return false;
@ -225,6 +237,7 @@ QCryptoCipher *qcrypto_cipher_new(QCryptoCipherAlgorithm alg,
case QCRYPTO_CIPHER_MODE_ECB:
case QCRYPTO_CIPHER_MODE_CBC:
case QCRYPTO_CIPHER_MODE_XTS:
case QCRYPTO_CIPHER_MODE_CTR:
break;
default:
error_setg(errp, "Unsupported cipher mode %s",
@ -430,6 +443,12 @@ int qcrypto_cipher_encrypt(QCryptoCipher *cipher,
ctx->iv, len, out, in);
break;
case QCRYPTO_CIPHER_MODE_CTR:
ctr_crypt(ctx->ctx, ctx->alg_encrypt_native,
ctx->blocksize, ctx->iv,
len, out, in);
break;
default:
error_setg(errp, "Unsupported cipher mode %s",
QCryptoCipherMode_lookup[cipher->mode]);
@ -469,6 +488,11 @@ int qcrypto_cipher_decrypt(QCryptoCipher *cipher,
ctx->alg_encrypt_wrapper, ctx->alg_decrypt_wrapper,
ctx->iv, len, out, in);
break;
case QCRYPTO_CIPHER_MODE_CTR:
ctr_crypt(ctx->ctx, ctx->alg_encrypt_native,
ctx->blocksize, ctx->iv,
len, out, in);
break;
default:
error_setg(errp, "Unsupported cipher mode %s",

1
crypto/cipher.c
View file

@ -55,6 +55,7 @@ static bool mode_need_iv[QCRYPTO_CIPHER_MODE__MAX] = {
[QCRYPTO_CIPHER_MODE_ECB] = false,
[QCRYPTO_CIPHER_MODE_CBC] = true,
[QCRYPTO_CIPHER_MODE_XTS] = true,
[QCRYPTO_CIPHER_MODE_CTR] = true,
};

7
crypto/init.c
View file

@ -119,6 +119,10 @@ static struct gcry_thread_cbs qcrypto_gcrypt_thread_impl = {
int qcrypto_init(Error **errp)
{
#ifdef QCRYPTO_INIT_GCRYPT_THREADS
gcry_control(GCRYCTL_SET_THREAD_CBS, &qcrypto_gcrypt_thread_impl);
#endif /* QCRYPTO_INIT_GCRYPT_THREADS */
#ifdef CONFIG_GNUTLS
int ret;
ret = gnutls_global_init();
@ -139,9 +143,6 @@ int qcrypto_init(Error **errp)
error_setg(errp, "Unable to initialize gcrypt");
return -1;
}
#ifdef QCRYPTO_INIT_GCRYPT_THREADS
gcry_control(GCRYCTL_SET_THREAD_CBS, &qcrypto_gcrypt_thread_impl);
#endif /* QCRYPTO_INIT_GCRYPT_THREADS */
gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
#endif

12
include/crypto/cipher.h
View file

@ -85,13 +85,15 @@ struct QCryptoCipher {
/**
* qcrypto_cipher_supports:
* @alg: the cipher algorithm
* @mode: the cipher mode
*
* Determine if @alg cipher algorithm is supported by the
* Determine if @alg cipher algorithm in @mode is supported by the
* current configured build
*
* Returns: true if the algorithm is supported, false otherwise
*/
bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg);
bool qcrypto_cipher_supports(QCryptoCipherAlgorithm alg,
QCryptoCipherMode mode);
/**
* qcrypto_cipher_get_block_len:
@ -213,16 +215,16 @@ int qcrypto_cipher_decrypt(QCryptoCipher *cipher,
/**
* qcrypto_cipher_setiv:
* @cipher: the cipher object
* @iv: the initialization vector bytes
* @iv: the initialization vector or counter (CTR mode) bytes
* @niv: the length of @iv
* @errpr: pointer to a NULL-initialized error object
*
* If the @cipher object is setup to use a mode that requires
* initialization vectors, this sets the initialization vector
* initialization vectors or counter, this sets the @niv
* bytes. The @iv data should have the same length as the
* cipher key used when originally constructing the cipher
* object. It is an error to set an initialization vector
* if the cipher mode does not require one.
* or counter if the cipher mode does not require one.
*
* Returns: 0 on success, -1 on error
*/

3
qapi/crypto.json
View file

@ -89,11 +89,12 @@
# @ecb: Electronic Code Book
# @cbc: Cipher Block Chaining
# @xts: XEX with tweaked code book and ciphertext stealing
# @ctr: Counter (Since 2.8)
# Since: 2.6
##
{ 'enum': 'QCryptoCipherMode',
'prefix': 'QCRYPTO_CIPHER_MODE',
'data': ['ecb', 'cbc', 'xts']}
'data': ['ecb', 'cbc', 'xts', 'ctr']}
##

5
tests/pkix_asn1_tab.c
View file

@ -4,7 +4,9 @@
*/
#include "qemu/osdep.h"
#include <libtasn1.h>
#include "tests/crypto-tls-x509-helpers.h"
#ifdef QCRYPTO_HAVE_TLS_TEST_SUPPORT
const ASN1_ARRAY_TYPE pkix_asn1_tab[] = {
{"PKIX1", 536875024, 0},
@ -1103,3 +1105,4 @@ const ASN1_ARRAY_TYPE pkix_asn1_tab[] = {
{0, 1048586, "2"},
{0, 0, 0}
};
#endif /* QCRYPTO_HAVE_TLS_TEST_SUPPORT */

57
tests/test-crypto-cipher.c
View file

@ -380,6 +380,61 @@ static QCryptoCipherTestData test_data[] = {
.key =
"27182818284590452353602874713526"
"31415926535897932384626433832795",
},
{
/* NIST F.5.1 CTR-AES128.Encrypt */
.path = "/crypto/cipher/aes-ctr-128",
.alg = QCRYPTO_CIPHER_ALG_AES_128,
.mode = QCRYPTO_CIPHER_MODE_CTR,
.key = "2b7e151628aed2a6abf7158809cf4f3c",
.iv = "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
.plaintext =
"6bc1bee22e409f96e93d7e117393172a"
"ae2d8a571e03ac9c9eb76fac45af8e51"
"30c81c46a35ce411e5fbc1191a0a52ef"
"f69f2445df4f9b17ad2b417be66c3710",
.ciphertext =
"874d6191b620e3261bef6864990db6ce"
"9806f66b7970fdff8617187bb9fffdff"
"5ae4df3edbd5d35e5b4f09020db03eab"
"1e031dda2fbe03d1792170a0f3009cee",
},
{
/* NIST F.5.3 CTR-AES192.Encrypt */
.path = "/crypto/cipher/aes-ctr-192",
.alg = QCRYPTO_CIPHER_ALG_AES_192,
.mode = QCRYPTO_CIPHER_MODE_CTR,
.key = "8e73b0f7da0e6452c810f32b809079e562f8ead2522c6b7b",
.iv = "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
.plaintext =
"6bc1bee22e409f96e93d7e117393172a"
"ae2d8a571e03ac9c9eb76fac45af8e51"
"30c81c46a35ce411e5fbc1191a0a52ef"
"f69f2445df4f9b17ad2b417be66c3710",
.ciphertext =
"1abc932417521ca24f2b0459fe7e6e0b"
"090339ec0aa6faefd5ccc2c6f4ce8e94"
"1e36b26bd1ebc670d1bd1d665620abf7"
"4f78a7f6d29809585a97daec58c6b050",
},
{
/* NIST F.5.5 CTR-AES256.Encrypt */
.path = "/crypto/cipher/aes-ctr-256",
.alg = QCRYPTO_CIPHER_ALG_AES_256,
.mode = QCRYPTO_CIPHER_MODE_CTR,
.key = "603deb1015ca71be2b73aef0857d7781"
"1f352c073b6108d72d9810a30914dff4",
.iv = "f0f1f2f3f4f5f6f7f8f9fafbfcfdfeff",
.plaintext =
"6bc1bee22e409f96e93d7e117393172a"
"ae2d8a571e03ac9c9eb76fac45af8e51"
"30c81c46a35ce411e5fbc1191a0a52ef"
"f69f2445df4f9b17ad2b417be66c3710",
.ciphertext =
"601ec313775789a5b7a7f504bbf3d228"
"f443e3ca4d62b59aca84e990cacaf5c5"
"2b0930daa23de94ce87017ba2d84988d"
"dfc9c58db67aada613c2dd08457941a6",
}
};
@ -616,7 +671,7 @@ int main(int argc, char **argv)
g_assert(qcrypto_init(NULL) == 0);
for (i = 0; i < G_N_ELEMENTS(test_data); i++) {
if (qcrypto_cipher_supports(test_data[i].alg)) {
if (qcrypto_cipher_supports(test_data[i].alg, test_data[i].mode)) {
g_test_add_data_func(test_data[i].path, &test_data[i], test_cipher);
}
}

12
tests/test-crypto-hash.c
View file

@ -89,8 +89,6 @@ static void test_hash_alloc(void)
{
size_t i;
g_assert(qcrypto_init(NULL) == 0);
for (i = 0; i < G_N_ELEMENTS(expected_outputs) ; i++) {
uint8_t *result = NULL;
size_t resultlen = 0;
@ -123,8 +121,6 @@ static void test_hash_prealloc(void)
{
size_t i;
g_assert(qcrypto_init(NULL) == 0);
for (i = 0; i < G_N_ELEMENTS(expected_outputs) ; i++) {
uint8_t *result;
size_t resultlen;
@ -161,8 +157,6 @@ static void test_hash_iov(void)
{
size_t i;
g_assert(qcrypto_init(NULL) == 0);
for (i = 0; i < G_N_ELEMENTS(expected_outputs) ; i++) {
struct iovec iov[3] = {
{ .iov_base = (char *)INPUT_TEXT1, .iov_len = strlen(INPUT_TEXT1) },
@ -199,8 +193,6 @@ static void test_hash_digest(void)
{
size_t i;
g_assert(qcrypto_init(NULL) == 0);
for (i = 0; i < G_N_ELEMENTS(expected_outputs) ; i++) {
int ret;
char *digest;
@ -230,8 +222,6 @@ static void test_hash_base64(void)
{
size_t i;
g_assert(qcrypto_init(NULL) == 0);
for (i = 0; i < G_N_ELEMENTS(expected_outputs) ; i++) {
int ret;
char *digest;
@ -253,6 +243,8 @@ static void test_hash_base64(void)
int main(int argc, char **argv)
{
g_assert(qcrypto_init(NULL) == 0);
g_test_init(&argc, &argv, NULL);
g_test_add_func("/crypto/hash/iov", test_hash_iov);
g_test_add_func("/crypto/hash/alloc", test_hash_alloc);

3
tests/test-io-channel-tls.c
View file

@ -27,6 +27,7 @@
#include "io/channel-tls.h"
#include "io/channel-socket.h"
#include "io-channel-helpers.h"
#include "crypto/init.h"
#include "crypto/tlscredsx509.h"
#include "qemu/acl.h"
#include "qom/object_interfaces.h"
@ -265,6 +266,8 @@ int main(int argc, char **argv)
{
int ret;
g_assert(qcrypto_init(NULL) == 0);
module_call_init(MODULE_INIT_QOM);
g_test_init(&argc, &argv, NULL);
setenv("GNUTLS_FORCE_FIPS_MODE", "2", 1);

2
ui/vnc.c
View file

@ -3606,7 +3606,7 @@ void vnc_display_open(const char *id, Error **errp)
goto fail;
}
if (!qcrypto_cipher_supports(
QCRYPTO_CIPHER_ALG_DES_RFB)) {
QCRYPTO_CIPHER_ALG_DES_RFB, QCRYPTO_CIPHER_MODE_ECB)) {
error_setg(errp,
"Cipher backend does not support DES RFB algorithm");
goto fail;