aboutsummaryrefslogtreecommitdiff
path: root/crypto
AgeCommit message (Collapse)AuthorFilesLines
2017-11-08crypto: afalg: fix a NULL pointer dereferenceLongpeng3-15/+7
Test-crypto-hash calls qcrypto_hash_bytesv/digest/base64 with errp=NULL, this will cause a NULL pointer dereference if afalg_driver doesn't support requested algos: ret = qcrypto_hash_afalg_driver.hash_bytesv(alg, iov, niov, result, resultlen, errp); if (ret == 0) { return ret; } error_free(*errp); // <--- here Because the error message is thrown away immediately, we should just pass NULL to hash_bytesv(). There is also the same problem in afalg-backend cipher & hmac, let's fix them together. Reviewed-by: Eric Blake <eblake@redhat.com> Reported-by: Paolo Bonzini <pbonzini@redhat.com> Signed-off-by: Longpeng <longpeng2@huawei.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-10-06block: convert qcrypto_block_encrypt|decrypt to take bytes offsetDaniel P. Berrange4-16/+32
Instead of sector offset, take the bytes offset when encrypting or decrypting data. Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Message-id: 20170927125340.12360-6-berrange@redhat.com Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Max Reitz <mreitz@redhat.com>
2017-10-06crypto: expose encryption sector size in APIsDaniel P. Berrange4-2/+12
While current encryption schemes all have a fixed sector size of 512 bytes, this is not guaranteed to be the case in future. Expose the sector size in the APIs so the block layer can remove assumptions about fixed 512 byte sectors. Reviewed-by: Max Reitz <mreitz@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Message-id: 20170927125340.12360-3-berrange@redhat.com Signed-off-by: Max Reitz <mreitz@redhat.com>
2017-09-04qapi: Change data type of the FOO_lookup generated for enum FOOMarc-André Lureau3-6/+6
Currently, a FOO_lookup is an array of strings terminated by a NULL sentinel. A future patch will generate enums with "holes". NULL-termination will cease to work then. To prepare for that, store the length in the FOO_lookup by wrapping it in a struct and adding a member for the length. The sentinel will be dropped next. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Message-Id: <20170822132255.23945-13-marcandre.lureau@redhat.com> [Basically redone] Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <1503564371-26090-16-git-send-email-armbru@redhat.com> [Rebased]
2017-09-04qapi: Mechanically convert FOO_lookup[...] to FOO_str(...)Markus Armbruster11-24/+24
Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <1503564371-26090-14-git-send-email-armbru@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2017-09-04qapi: Generate FOO_str() macro for QAPI enum FOOMarkus Armbruster1-1/+0
The next commit will put it to use. May look pointless now, but we're going to change the FOO_lookup's type, and then it'll help. Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <1503564371-26090-13-git-send-email-armbru@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com>
2017-09-04crypto: Use qapi_enum_parse() in qcrypto_block_luks_name_lookup()Markus Armbruster1-12/+7
Cc: "Daniel P. Berrange" <berrange@redhat.com> Signed-off-by: Markus Armbruster <armbru@redhat.com> Message-Id: <1503564371-26090-10-git-send-email-armbru@redhat.com> Reviewed-by: Marc-André Lureau <marcandre.lureau@redhat.com> Acked-by: Daniel P. Berrange <berrange@redhat.com>
2017-07-31docs: fix broken paths to docs/devel/tracing.txtPhilippe Mathieu-Daudé1-1/+1
With the move of some docs/ to docs/devel/ on ac06724a71, no references were updated. Signed-off-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Stefan Hajnoczi <stefanha@redhat.com> Signed-off-by: Michael Tokarev <mjt@tls.msk.ru>
2017-07-19crypto: hmac: add af_alg-backend hmac supportLongpeng(Mike)3-17/+121
Adds afalg-backend hmac support: introduces some private APIs firstly, and then intergrates them into qcrypto_hmac_afalg_driver. Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-07-19crypto: hash: add afalg-backend hash supportLongpeng(Mike)5-0/+163
Adds afalg-backend hash support: introduces some private APIs firstly, and then intergrates them into qcrypto_hash_afalg_driver. Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-07-19crypto: cipher: add afalg-backend cipher supportLongpeng(Mike)5-4/+271
Adds afalg-backend cipher support: introduces some private APIs firstly, and then intergrates them into qcrypto_cipher_afalg_driver. Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-07-19crypto: introduce some common functions for af_alg backendLongpeng(Mike)3-0/+171
The AF_ALG socket family is the userspace interface for linux crypto API, this patch adds af_alg family support and some common functions for af_alg backend. It'll be used by afalg-backend crypto latter. Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com> Maintainer: modified to report an error if AF_ALG is requested but cannot be supported Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-07-19crypto: hmac: add hmac driver frameworkLongpeng(Mike)5-114/+144
1) makes the public APIs in hmac-nettle/gcrypt/glib static, and rename them with "nettle/gcrypt/glib" prefix. 2) introduces hmac framework, including QCryptoHmacDriver and new public APIs. Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-07-19crypto: hmac: introduce qcrypto_hmac_ctx_new for glib-backendLongpeng(Mike)1-10/+24
Extracts qcrypto_hmac_ctx_new() from qcrypto_hmac_new() for glib-backend impls. Reviewed-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-07-19crypto: hmac: introduce qcrypto_hmac_ctx_new for nettle-backendLongpeng(Mike)1-10/+24
Extracts qcrypto_hmac_ctx_new() from qcrypto_hmac_new() for nettle-backend impls. Reviewed-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-07-19crypto: hmac: introduce qcrypto_hmac_ctx_new for gcrypt-backendLongpeng(Mike)1-10/+25
1) Fix a handle-leak problem in qcrypto_hmac_new(), didn't free ctx->handle if gcry_mac_setkey fails. 2) Extracts qcrypto_hmac_ctx_new() from qcrypto_hmac_new() for gcrypt-backend impls. Reviewed-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-07-19crypto: hmac: move crypto/hmac.h into include/crypto/Longpeng(Mike)1-166/+0
Moves crypto/hmac.h into include/crypto/, likes cipher.h and hash.h Reviewed-by: Philippe Mathieu-Daudé <f4bug@amsat.org> Reviewed-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-07-19crypto: hash: add hash driver frameworkLongpeng(Mike)5-18/+83
1) makes the public APIs in hash-nettle/gcrypt/glib static, and rename them with "nettle/gcrypt/glib" prefix. 2) introduces hash framework, including QCryptoHashDriver and new public APIs. Reviewed-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-07-19crypto: cipher: add cipher driver frameworkLongpeng(Mike)5-123/+189
1) makes the public APIs in cipher-nettle/gcrypt/builtin static, and rename them with "nettle/gcrypt/builtin" prefix. 2) introduces cipher framework, including QCryptoCipherDriver and new public APIs. Reviewed-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-07-19crypto: cipher: introduce qcrypto_cipher_ctx_new for builtin-backendLongpeng(Mike)1-46/+55
Extracts qcrypto_cipher_ctx_new() from qcrypto_cipher_new() for builtin-backend impls. Reviewed-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-07-19crypto: cipher: introduce qcrypto_cipher_ctx_new for nettle-backendLongpeng(Mike)1-12/+29
Extracts qcrypto_cipher_ctx_new() from qcrypto_cipher_new() for nettle-backend impls. Reviewed-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-07-19crypto: cipher: introduce qcrypto_cipher_ctx_new for gcrypt-backendLongpeng(Mike)1-17/+33
Extracts qcrypto_cipher_ctx_new() from qcrypto_cipher_new() for gcrypt-backend impls. Reviewed-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-07-19crypto: cipher: introduce context free functionLongpeng(Mike)2-17/+32
Refactors the qcrypto_cipher_free(), splits it into two parts. One is gcrypt/nettle__cipher_free_ctx() to free the special context. This makes code more clear, what's more, it would be used by the later patch. Reviewed-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-07-11block: pass option prefix down to crypto layerDaniel P. Berrange4-6/+18
While the crypto layer uses a fixed option name "key-secret", the upper block layer may have a prefix on the options. e.g. "encrypt.key-secret", in order to avoid clashes between crypto option names & other block option names. To ensure the crypto layer can report accurate error messages, we must tell it what option name prefix was used. Reviewed-by: Alberto Garcia <berto@igalia.com> Reviewed-by: Max Reitz <mreitz@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com> Message-id: 20170623162419.26068-19-berrange@redhat.com Signed-off-by: Max Reitz <mreitz@redhat.com>
2017-05-16fix mingw build failureGerd Hoffmann1-1/+1
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com> Reviewed-by: Stefan Weil <sw@weilnetz.de> Reviewed-by: Daniel P. Berrange <berrange@redhat.com> Message-id: 20170516052439.16214-1-kraxel@redhat.com Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
2017-05-09crypto: qcrypto_random_bytes() now works on windows w/o any other crypto libsGeert Martin Ijewski4-8/+48
If no crypto library is included in the build, QEMU uses qcrypto_random_bytes() to generate random data. That function tried to open /dev/urandom or /dev/random and if opening both files failed it errored out. Those files obviously do not exist on windows, so there the code uses CryptGenRandom(). Furthermore there was some refactoring and a new function qcrypto_random_init() was introduced. If a proper crypto library (gnutls or libgcrypt) is included in the build, this function does nothing. If neither is included it initializes the (platform specific) handles that are used by qcrypto_random_bytes(). Either: * a handle to /dev/urandom | /dev/random on unix like systems * a handle to a cryptographic service provider on windows Signed-off-by: Geert Martin Ijewski <gm.ijewski@web.de> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-05-09crypto: move 'opaque' parameter to (nearly) the end of parameter listDaniel P. Berrange1-5/+8
Previous commit moved 'opaque' to be the 2nd parameter in the list: commit 375092332eeaa6e47561ce47fd36144cdaf964d0 Author: Fam Zheng <famz@redhat.com> Date: Fri Apr 21 20:27:02 2017 +0800 crypto: Make errp the last parameter of functions Move opaque to 2nd instead of the 2nd to last, so that compilers help check with the conversion. this puts it back to the 2nd to last position. Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Fam Zheng <famz@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-04-24crypto: Make errp the last parameter of functionsFam Zheng1-12/+9
Move opaque to 2nd instead of the 2nd to last, so that compilers help check with the conversion. Signed-off-by: Fam Zheng <famz@redhat.com> Message-Id: <20170421122710.15373-7-famz@redhat.com> Reviewed-by: Markus Armbruster <armbru@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> [Commit message typo corrected] Signed-off-by: Markus Armbruster <armbru@redhat.com>
2017-02-27crypto: assert cipher algorithm is always validPrasad J Pandit1-6/+2
Crypto routines 'qcrypto_cipher_get_block_len' and 'qcrypto_cipher_get_key_len' return non-zero cipher block and key lengths from static arrays 'alg_block_len[]' and 'alg_key_len[]' respectively. Returning 'zero(0)' value from either of them would likely lead to an error condition. Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2017-02-27crypto: fix leak in ivgen essiv initLi Qiang1-0/+1
On error path, the 'salt' doesn't been freed thus leading a memory leak. This patch avoid this. Signed-off-by: Li Qiang <liqiang6-s@360.cn> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-12-22crypto: support HMAC algorithms based on nettleLongpeng(Mike)1-3/+133
This patch add nettle-backed HMAC algorithms support Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-12-22crypto: support HMAC algorithms based on glibLongpeng(Mike)1-0/+122
This patch add glib-backed HMAC algorithms support Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-12-22crypto: support HMAC algorithms based on libgcryptLongpeng(Mike)1-2/+109
This patch add HMAC algorithms based on libgcrypt support Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-12-22crypto: add HMAC algorithms frameworkLongpeng(Mike)6-0/+376
This patch introduce HMAC algorithms framework. Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-12-21crypto: add 3des-ede support when using libgcrypt/nettleLongpeng(Mike)3-2/+48
Libgcrypt and nettle support 3des-ede, so this patch add 3des-ede support when using libgcrypt or nettle. Reviewed-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Longpeng(Mike) <longpeng2@huawei.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-12-21cipher: fix leak on initialization errorMarc-André Lureau1-3/+2
On error path, ctx may be leaked. Assign ctx earlier, and call qcrypto_cipher_free() on error. Spotted thanks to ASAN. Signed-off-by: Marc-André Lureau <marcandre.lureau@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-10-20crypto: fix initialization of gcrypt threadingDaniel P. Berrange1-3/+4
The gcrypt threads implementation must be set before calling any other gcrypt APIs, especially gcry_check_version(), since that triggers initialization of the random pool. After that is initialized, changes to the threads impl won't be honoured by the random pool code. This means that gcrypt will think thread locking is needed and so try to acquire the random pool mutex, but this is NULL as no threads impl was set originally. This results in a crash in the random pool code. For the same reasons, we must set the gcrypt threads impl before calling gnutls_init, since that will also trigger gcry_check_version Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-10-19crypto: add mode check in qcrypto_cipher_new() for cipher-builtinGonglei1-0/+11
Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-10-19crypto: add CTR mode supportGonglei3-7/+34
Introduce CTR mode support for the cipher APIs. CTR mode uses a counter rather than a traditional IV. The counter has additional properties, including a nonce and initial counter block. We reuse the ctx->iv as the counter for conveniences. Both libgcrypt and nettle are support CTR mode, the cipher-builtin doesn't support yet. Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-10-19crypto: extend mode as a parameter in qcrypto_cipher_supports()Gonglei3-3/+37
It can't guarantee all cipher modes are supported if one cipher algorithm is supported by a backend. Let's extend qcrypto_cipher_supports() to take both the algorithm and mode as parameters. Signed-off-by: Gonglei <arei.gonglei@huawei.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-09-23crypto: Switch to QEMU UUID APIFam Zheng1-19/+7
The uuid generation doesn't return error, so update the function signature and calling code accordingly. Signed-off-by: Fam Zheng <famz@redhat.com> Reviewed-by: Eric Blake <eblake@redhat.com> Reviewed-by: Jeff Cody <jcody@redhat.com> Message-Id: <1474432046-325-7-git-send-email-famz@redhat.com> Reviewed-by: Daniel P. Berrange <berrange@redhat.com>
2016-09-19crypto: add trace points for TLS cert verificationDaniel P. Berrange2-2/+9
It is very useful to know about TLS cert verification status when debugging, so add a trace point for it. Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-09-19crypto: support more hash algorithms for pbkdfDaniel P. Berrange2-10/+65
Currently pbkdf is only supported with SHA1 and SHA256. Expand this to support all algorithms known to QEMU. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-09-19crypto: increase default pbkdf2 time for luks to 2 secondsDaniel P. Berrange1-1/+1
cryptsetup recently increased the default pbkdf2 time to 2 seconds to partially mitigate improvements in hardware performance wrt brute-forcing the pbkdf algorithm. This updates QEMU defaults to match. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-09-19crypto: remove bogus /= 2 for pbkdf iterationsDaniel P. Berrange1-4/+0
When calculating iterations for pbkdf of the key slot data, we had a /= 2, which was copied from identical code in cryptsetup. It was always unclear & undocumented why cryptsetup had this division and it was recently removed there, too. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-09-19crypto: use correct derived key size when timing pbkdfDaniel P. Berrange2-3/+9
Currently when timing the pbkdf algorithm a fixed key size of 32 bytes is used. This results in inaccurate timings for certain hashes depending on their digest size. For example when using sha1 with aes-256, this causes us to measure time for the master key digest doing 2 sha1 operations per iteration, instead of 1. Instead we should pass in the desired key size to the timing routine that matches the key size that will be used for real later. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-09-19crypto: clear out buffer after timing pbkdf algorithmDaniel P. Berrange1-4/+9
The 'out' buffer will hold a key derived from master password, so it is best practice to clear this buffer when no longer required. At this time, the code isn't worrying about locking buffers into RAM to prevent swapping sensitive data to disk. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-09-19crypto: make PBKDF iterations configurable for LUKS formatDaniel P. Berrange1-0/+24
As protection against bruteforcing passphrases, the PBKDF algorithm is tuned by counting the number of iterations needed to produce 1 second of running time. If the machine that the image will be used on is much faster than the machine where the image is created, it can be desirable to raise the number of iterations. This change adds a new 'iter-time' property that allows the user to choose the iteration wallclock time. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-09-19crypto: use uint64_t for pbkdf iteration count parametersDaniel P. Berrange5-35/+52
The qcrypto_pbkdf_count_iters method uses a 64 bit int but then checks its value against INT32_MAX before returning it. This bounds check is premature, because the calling code may well scale the iteration count by some value. It is thus better to return a 64-bit integer and let the caller do range checking. For consistency the qcrypto_pbkdf method is also changed to accept a 64bit int, though this is somewhat academic since nettle is limited to taking an 'int' while gcrypt is limited to taking a 'long int'. Reviewed-by: Eric Blake <eblake@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>
2016-09-12crypto: report enum strings instead of values in errorsDaniel P. Berrange4-13/+22
Several error messages print out the raw enum value, which is less than helpful to users, as these values are not documented, nor stable across QEMU releases. Switch to use the enum string instead. The nettle impl also had two typos where it mistakenly said "algorithm" instead of "mode", and actually reported the algorithm value too. Reviewed-by: Markus Armbruster <armbru@redhat.com> Signed-off-by: Daniel P. Berrange <berrange@redhat.com>