提交 799011bb 编写于 作者: J Ján Tomko

vircrypto: Rely on GnuTLS for hash functions

Ditch the use of gnulib's digest functions in favor of GnuTLS,
which might be more likely to get FIPS-certified.
Signed-off-by: NJán Tomko <jtomko@redhat.com>
上级 c038a3cf
...@@ -37,8 +37,6 @@ connect ...@@ -37,8 +37,6 @@ connect
configmake configmake
count-leading-zeros count-leading-zeros
count-one-bits count-one-bits
crypto/md5
crypto/sha256
dirname-lgpl dirname-lgpl
environ environ
execinfo execinfo
...@@ -26,8 +26,6 @@ ...@@ -26,8 +26,6 @@
#include "viralloc.h" #include "viralloc.h"
#include "virrandom.h" #include "virrandom.h"
#include "md5.h"
#include "sha256.h"
#ifdef WITH_GNUTLS #ifdef WITH_GNUTLS
# include <gnutls/gnutls.h> # include <gnutls/gnutls.h>
# if HAVE_GNUTLS_CRYPTO_H # if HAVE_GNUTLS_CRYPTO_H
...@@ -41,15 +39,18 @@ VIR_LOG_INIT("util.crypto"); ...@@ -41,15 +39,18 @@ VIR_LOG_INIT("util.crypto");
static const char hex[] = "0123456789abcdef"; static const char hex[] = "0123456789abcdef";
#define VIR_CRYPTO_LARGEST_DIGEST_SIZE VIR_CRYPTO_HASH_SIZE_SHA256
#if WITH_GNUTLS
struct virHashInfo { struct virHashInfo {
void *(*func)(const char *buf, size_t len, void *res); gnutls_digest_algorithm_t algorithm;
size_t hashlen; size_t hashlen;
} hashinfo[] = { } hashinfo[] = {
{ md5_buffer, MD5_DIGEST_SIZE }, { GNUTLS_DIG_MD5, VIR_CRYPTO_HASH_SIZE_MD5 },
{ sha256_buffer, SHA256_DIGEST_SIZE }, { GNUTLS_DIG_SHA256, VIR_CRYPTO_HASH_SIZE_SHA256 },
}; };
#define VIR_CRYPTO_LARGEST_DIGEST_SIZE SHA256_DIGEST_SIZE
verify(ARRAY_CARDINALITY(hashinfo) == VIR_CRYPTO_HASH_LAST); verify(ARRAY_CARDINALITY(hashinfo) == VIR_CRYPTO_HASH_LAST);
...@@ -58,20 +59,33 @@ virCryptoHashBuf(virCryptoHash hash, ...@@ -58,20 +59,33 @@ virCryptoHashBuf(virCryptoHash hash,
const char *input, const char *input,
unsigned char *output) unsigned char *output)
{ {
int rc;
if (hash >= VIR_CRYPTO_HASH_LAST) { if (hash >= VIR_CRYPTO_HASH_LAST) {
virReportError(VIR_ERR_INVALID_ARG, virReportError(VIR_ERR_INVALID_ARG,
_("Unknown crypto hash %d"), hash); _("Unknown crypto hash %d"), hash);
return -1; return -1;
} }
if (!(hashinfo[hash].func(input, strlen(input), output))) { rc = gnutls_hash_fast(hashinfo[hash].algorithm, input, strlen(input), output);
virReportError(VIR_ERR_INTERNAL_ERROR, "%s", if (rc < 0) {
_("Unable to compute hash of data")); virReportError(VIR_ERR_INTERNAL_ERROR,
_("Unable to compute hash of data: %s"),
gnutls_strerror(rc));
return -1; return -1;
} }
return 0; return 0;
} }
#else
int
virCryptoHashBuf(virCryptoHash hash,
const char *input ATTRIBUTE_UNUSED,
unsigned char *output ATTRIBUTE_UNUSED)
{
virReportError(VIR_ERR_INVALID_ARG,
_("algorithm=%d is not supported"), hash);
}
#endif
int int
virCryptoHashString(virCryptoHash hash, virCryptoHashString(virCryptoHash hash,
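Review bot: The non-GnuTLS fallback `virCryptoHashBuf` added under `#else` is declared `int` but never returns a value, so after the virReportError call control runs off the end of the function — undefined behavior in C, and a caller that checks the result (virCryptoHashString begins right after it) gets an indeterminate value instead of the -1 the GnuTLS branch returns on failure. Add `return -1;` after the `virReportError(VIR_ERR_INVALID_ARG, _("algorithm=%d is not supported"), hash);` call so both branches have the same contract. The GnuTLS branch correctly surfaces a negative gnutls_hash_fast() result via gnutls_strerror(); since the commit message motivates the change with FIPS certification, note that the hashinfo table still offers GNUTLS_DIG_MD5, and if a FIPS-mode GnuTLS rejects that algorithm the failure will only appear at runtime through this error path — worth a comment on the table entry. The GnuTLS-side virCryptoHashBuf signature starts before this hunk, and the hunk ends partway through the virCryptoHashString signature.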