[PATCH 5/5] vircrypto: Rely on GnuTLS for hash functions


 



Ditch the use of gnulib's digest functions in favor of GnuTLS,
which might be more likely to get FIPS-certified.

Signed-off-by: Ján Tomko <jtomko@xxxxxxxxxx>
---
 bootstrap.conf       |  2 --
 src/util/vircrypto.c | 32 +++++++++++++++++++++++---------
 2 files changed, 23 insertions(+), 11 deletions(-)

diff --git a/bootstrap.conf b/bootstrap.conf
index 9559922fce..c4ef54ff13 100644
--- a/bootstrap.conf
+++ b/bootstrap.conf
@@ -37,8 +37,6 @@ connect
 configmake
 count-leading-zeros
 count-one-bits
-crypto/md5
-crypto/sha256
 dirname-lgpl
 environ
 execinfo
diff --git a/src/util/vircrypto.c b/src/util/vircrypto.c
index 1a2dcc28b7..62a027353b 100644
--- a/src/util/vircrypto.c
+++ b/src/util/vircrypto.c
@@ -26,8 +26,6 @@
 #include "viralloc.h"
 #include "virrandom.h"
 
-#include "md5.h"
-#include "sha256.h"
 #ifdef WITH_GNUTLS
 # include <gnutls/gnutls.h>
 # if HAVE_GNUTLS_CRYPTO_H
@@ -41,15 +39,18 @@ VIR_LOG_INIT("util.crypto");
 
 static const char hex[] = "0123456789abcdef";
 
+#define VIR_CRYPTO_LARGEST_DIGEST_SIZE VIR_CRYPTO_HASH_SIZE_SHA256
+
+#if WITH_GNUTLS
+
 struct virHashInfo {
-    void *(*func)(const char *buf, size_t len, void *res);
+    gnutls_digest_algorithm_t algorithm;
     size_t hashlen;
 } hashinfo[] = {
-    { md5_buffer, MD5_DIGEST_SIZE },
-    { sha256_buffer, SHA256_DIGEST_SIZE },
+    { GNUTLS_DIG_MD5, VIR_CRYPTO_HASH_SIZE_MD5 },
+    { GNUTLS_DIG_SHA256, VIR_CRYPTO_HASH_SIZE_SHA256 },
 };
 
-#define VIR_CRYPTO_LARGEST_DIGEST_SIZE SHA256_DIGEST_SIZE
 
 verify(ARRAY_CARDINALITY(hashinfo) == VIR_CRYPTO_HASH_LAST);
 
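Review bot: The new guard `#if WITH_GNUTLS` on the hashinfo table does not match the `#ifdef WITH_GNUTLS` that the same file already uses around the GnuTLS includes a few lines above (previous hunk). The two forms only agree when the macro is either undefined or defined to a non-zero value; should the build ever define it with no value, the `#if` form stops preprocessing while the `#ifdef` form still works, so the table and the includes could disagree. Use the same spelling as the include block, `#ifdef WITH_GNUTLS`, and pair it with the `#else`/`#endif` introduced in the next hunk. Moving `VIR_CRYPTO_LARGEST_DIGEST_SIZE` above the guard looks right, since it no longer depends on the gnulib `SHA256_DIGEST_SIZE`.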
@@ -58,20 +59,33 @@ virCryptoHashBuf(virCryptoHash hash,
                  const char *input,
                  unsigned char *output)
 {
+    int rc;
     if (hash >= VIR_CRYPTO_HASH_LAST) {
         virReportError(VIR_ERR_INVALID_ARG,
                        _("Unknown crypto hash %d"), hash);
         return -1;
     }
 
-    if (!(hashinfo[hash].func(input, strlen(input), output))) {
-        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
-                       _("Unable to compute hash of data"));
+    rc = gnutls_hash_fast(hashinfo[hash].algorithm, input, strlen(input), output);
+    if (rc < 0) {
+        virReportError(VIR_ERR_INTERNAL_ERROR,
+                       _("Unable to compute hash of data: %s"),
+                       gnutls_strerror(rc));
         return -1;
     }
 
     return 0;
 }
+#else
+int
+virCryptoHashBuf(virCryptoHash hash,
+                 const char *input ATTRIBUTE_UNUSED,
+                 unsigned char *output ATTRIBUTE_UNUSED)
+{
+    virReportError(VIR_ERR_INVALID_ARG,
+                   _("algorithm=%d is not supported"), hash);
+}
+#endif
 
 int
 virCryptoHashString(virCryptoHash hash,
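Review bot: The `#else` fallback `virCryptoHashBuf` reports an error but has no `return` statement, so a build without GnuTLS falls off the end of a function declared `int`; reading that return value is undefined behaviour, and a caller checking `< 0` may see a non-negative garbage value and go on to use an untouched `output` buffer as if it held a digest. Add `return -1;` after the `virReportError()` call so the fallback honours the same contract as the GnuTLS branch above it. In the GnuTLS branch itself the `rc` declaration could move down to its first use, `int rc = gnutls_hash_fast(...)`, keeping it next to the check that consumes it; that is a style preference only. `virCryptoHashString` begins on the hunk's last line and its body lies outside this patch.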
-- 
2.16.1




