Merge remote-tracking branch 'remotes/berrange/tags/qcrypto-next-pull-request' into staging (53550e81) · Commits · SUMMER2020 / students / proj-2021291

configure

+80 −0

Original line number	Diff line number	Diff line
		@@ -509,6 +509,8 @@ libpmem=""
		default_devices="yes"
		plugins="no"
		fuzzing="no"
		rng_none="no"
		secret_keyring=""

		supported_cpu="no"
		supported_os="no"
		@@ -1601,6 +1603,14 @@ for opt do
		;;
		--gdb=*) gdb_bin="$optarg"
		;;
		--enable-rng-none) rng_none=yes
		;;
		--disable-rng-none) rng_none=no
		;;
		--enable-keyring) secret_keyring="yes"
		;;
		--disable-keyring) secret_keyring="no"
		;;
		*)
		echo "ERROR: unknown option $opt"
		echo "Try '$0 --help' for more information"
		@@ -1898,6 +1908,7 @@ disabled with --disable-FEATURE, default is enabled if available:
		debug-mutex mutex debugging support
		libpmem libpmem support
		xkbcommon xkbcommon support
		rng-none dummy RNG, avoid using /dev/(u)random and getrandom()

		NOTE: The object files are built at the place where configure is launched
		EOF
		@@ -6284,6 +6295,62 @@ case "$slirp" in
		;;
		esac

		##########################################
		# check for usable __NR_keyctl syscall

		if test "$linux" = "yes" ; then

		have_keyring=no
		cat > $TMPC << EOF
		#include <errno.h>
		#include <asm/unistd.h>
		#include <linux/keyctl.h>
		#include <unistd.h>
		int main(void) {
		return syscall(__NR_keyctl, KEYCTL_READ, 0, NULL, NULL, 0);
		}
		EOF
		if compile_prog "" "" ; then
		have_keyring=yes
		fi
		fi
		if test "$secret_keyring" != "no"
		then
		if test "$have_keyring" == "yes"
		then
		secret_keyring=yes
		else
		if test "$secret_keyring" = "yes"
		then
		error_exit "syscall __NR_keyctl requested, \
		but not implemented on your system"
		else
		secret_keyring=no
		fi
		fi
		fi

		##########################################
		# check for usable keyutils.h

		if test "$linux" = "yes" ; then

		have_keyutils=no
		cat > $TMPC << EOF
		#include <errno.h>
		#include <asm/unistd.h>
		#include <unistd.h>
		#include <sys/types.h>
		#include <keyutils.h>
		int main(void) {
		return request_key("user", NULL, NULL, 0);
		}
		EOF
		if compile_prog "" "-lkeyutils"; then
		have_keyutils=yes
		fi
		fi


		##########################################
		# End of CC checks
		@@ -6767,6 +6834,8 @@ echo "default devices $default_devices"
		echo "plugin support $plugins"
		echo "fuzzing support $fuzzing"
		echo "gdb $gdb_bin"
		echo "rng-none $rng_none"
		echo "Linux keyring $secret_keyring"

		if test "$supported_cpu" = "no"; then
		echo
		@@ -7652,6 +7721,13 @@ if test -n "$gdb_bin" ; then
		echo "HAVE_GDB_BIN=$gdb_bin" >> $config_host_mak
		fi

		if test "$secret_keyring" = "yes" ; then
		echo "CONFIG_SECRET_KEYRING=y" >> $config_host_mak
		if test "$have_keyutils" = "yes" ; then
		echo "CONFIG_TEST_SECRET_KEYRING=y" >> $config_host_mak
		fi
		fi

		if test "$tcg_interpreter" = "yes"; then
		QEMU_INCLUDES="-iquote \$(SRC_PATH)/tcg/tci $QEMU_INCLUDES"
		elif test "$ARCH" = "sparc64" ; then
		@@ -7744,6 +7820,10 @@ if test "$edk2_blobs" = "yes" ; then
		echo "DECOMPRESS_EDK2_BLOBS=y" >> $config_host_mak
		fi

		if test "$rng_none" = "yes"; then
		echo "CONFIG_RNG_NONE=y" >> $config_host_mak
		fi

		# use included Linux headers
		if test "$linux" = "yes" ; then
		mkdir -p linux-headers

crypto/Makefile.objs

+4 −1

Original line number	Diff line number	Diff line
		@@ -18,7 +18,9 @@ crypto-obj-y += tlscredsanon.o
		crypto-obj-y += tlscredspsk.o
		crypto-obj-y += tlscredsx509.o
		crypto-obj-y += tlssession.o
		crypto-obj-y += secret_common.o
		crypto-obj-y += secret.o
		crypto-obj-$(CONFIG_SECRET_KEYRING) += secret_keyring.o
		crypto-obj-y += pbkdf.o
		crypto-obj-$(CONFIG_NETTLE) += pbkdf-nettle.o
		crypto-obj-$(if $(CONFIG_NETTLE),n,$(CONFIG_GCRYPT)) += pbkdf-gcrypt.o
		@@ -35,5 +37,6 @@ crypto-obj-y += block-luks.o

		util-obj-$(CONFIG_GCRYPT) += random-gcrypt.o
		util-obj-$(if $(CONFIG_GCRYPT),n,$(CONFIG_GNUTLS)) += random-gnutls.o
		util-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS),n,y)) += random-platform.o
		util-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS),n,$(CONFIG_RNG_NONE))) += random-none.o
		util-obj-$(if $(CONFIG_GCRYPT),n,$(if $(CONFIG_GNUTLS),n,$(if $(CONFIG_RNG_NONE),n,y))) += random-platform.o
		util-obj-y += aes.o init.o

crypto/init.c

+1 −1

Original line number	Diff line number	Diff line
		@@ -122,7 +122,7 @@ int qcrypto_init(Error **errp)
		#endif

		#ifdef CONFIG_GCRYPT
		if (!gcry_check_version(GCRYPT_VERSION)) {
		if (!gcry_check_version(NULL)) {
		error_setg(errp, "Unable to initialize gcrypt");
		return -1;
		}

crypto/random-none.c

0 → 100644

+38 −0

Original line number	Diff line number	Diff line
		/*
		* QEMU Crypto "none" random number provider
		*
		* Copyright (c) 2020 Marek Marczykowski-Górecki
		* <marmarek@invisiblethingslab.com>
		*
		* This library is free software; you can redistribute it and/or
		* modify it under the terms of the GNU Lesser General Public
		* License as published by the Free Software Foundation; either
		* version 2.1 of the License, or (at your option) any later version.
		*
		* This library is distributed in the hope that it will be useful,
		* but WITHOUT ANY WARRANTY; without even the implied warranty of
		* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
		* Lesser General Public License for more details.
		*
		* You should have received a copy of the GNU Lesser General Public
		* License along with this library; if not, see <http://www.gnu.org/licenses/>.
		*
		*/

		#include "qemu/osdep.h"

		#include "crypto/random.h"
		#include "qapi/error.h"

		int qcrypto_random_init(Error **errp)
		{
		return 0;
		}

		int qcrypto_random_bytes(void *buf,
		size_t buflen,
		Error **errp)
		{
		error_setg(errp, "Random bytes not available with \"none\" rng");
		return -1;
		}

crypto/secret.c

+7 −340

Original line number	Diff line number	Diff line
		@@ -20,16 +20,14 @@

		#include "qemu/osdep.h"
		#include "crypto/secret.h"
		#include "crypto/cipher.h"
		#include "qapi/error.h"
		#include "qom/object_interfaces.h"
		#include "qemu/base64.h"
		#include "qemu/module.h"
		#include "trace.h"


		static void
		qcrypto_secret_load_data(QCryptoSecret *secret,
		qcrypto_secret_load_data(QCryptoSecretCommon *sec_common,
		uint8_t **output,
		size_t *outputlen,
		Error **errp)
		@@ -38,6 +36,8 @@ qcrypto_secret_load_data(QCryptoSecret *secret,
		size_t length = 0;
		GError *gerr = NULL;

		QCryptoSecret *secret = QCRYPTO_SECRET(sec_common);

		*output = NULL;
		*outputlen = 0;

		@@ -65,198 +65,6 @@ qcrypto_secret_load_data(QCryptoSecret *secret,
		}


		static void qcrypto_secret_decrypt(QCryptoSecret *secret,
		const uint8_t *input,
		size_t inputlen,
		uint8_t **output,
		size_t *outputlen,
		Error **errp)
		{
		g_autofree uint8_t *key = NULL;
		g_autofree uint8_t *ciphertext = NULL;
		g_autofree uint8_t *iv = NULL;
		size_t keylen, ciphertextlen, ivlen;
		g_autoptr(QCryptoCipher) aes = NULL;
		g_autofree uint8_t *plaintext = NULL;

		*output = NULL;
		*outputlen = 0;

		if (qcrypto_secret_lookup(secret->keyid,
		&key, &keylen,
		errp) < 0) {
		return;
		}

		if (keylen != 32) {
		error_setg(errp, "Key should be 32 bytes in length");
		return;
		}

		if (!secret->iv) {
		error_setg(errp, "IV is required to decrypt secret");
		return;
		}

		iv = qbase64_decode(secret->iv, -1, &ivlen, errp);
		if (!iv) {
		return;
		}
		if (ivlen != 16) {
		error_setg(errp, "IV should be 16 bytes in length not %zu",
		ivlen);
		return;
		}

		aes = qcrypto_cipher_new(QCRYPTO_CIPHER_ALG_AES_256,
		QCRYPTO_CIPHER_MODE_CBC,
		key, keylen,
		errp);
		if (!aes) {
		return;
		}

		if (qcrypto_cipher_setiv(aes, iv, ivlen, errp) < 0) {
		return;
		}

		if (secret->format == QCRYPTO_SECRET_FORMAT_BASE64) {
		ciphertext = qbase64_decode((const gchar*)input,
		inputlen,
		&ciphertextlen,
		errp);
		if (!ciphertext) {
		return;
		}
		plaintext = g_new0(uint8_t, ciphertextlen + 1);
		} else {
		ciphertextlen = inputlen;
		plaintext = g_new0(uint8_t, inputlen + 1);
		}
		if (qcrypto_cipher_decrypt(aes,
		ciphertext ? ciphertext : input,
		plaintext,
		ciphertextlen,
		errp) < 0) {
		return;
		}

		if (plaintext[ciphertextlen - 1] > 16 \|\|
		plaintext[ciphertextlen - 1] > ciphertextlen) {
		error_setg(errp, "Incorrect number of padding bytes (%d) "
		"found on decrypted data",
		(int)plaintext[ciphertextlen - 1]);
		return;
		}

		/* Even though plaintext may contain arbitrary NUL
		* ensure it is explicitly NUL terminated.
		*/
		ciphertextlen -= plaintext[ciphertextlen - 1];
		plaintext[ciphertextlen] = '\0';

		*output = g_steal_pointer(&plaintext);
		*outputlen = ciphertextlen;
		}


		static void qcrypto_secret_decode(const uint8_t *input,
		size_t inputlen,
		uint8_t **output,
		size_t *outputlen,
		Error **errp)
		{
		output = qbase64_decode((const gchar)input,
		inputlen,
		outputlen,
		errp);
		}


		static void
		qcrypto_secret_prop_set_loaded(Object *obj,
		bool value,
		Error **errp)
		{
		QCryptoSecret *secret = QCRYPTO_SECRET(obj);

		if (value) {
		Error *local_err = NULL;
		uint8_t *input = NULL;
		size_t inputlen = 0;
		uint8_t *output = NULL;
		size_t outputlen = 0;

		qcrypto_secret_load_data(secret, &input, &inputlen, &local_err);
		if (local_err) {
		error_propagate(errp, local_err);
		return;
		}

		if (secret->keyid) {
		qcrypto_secret_decrypt(secret, input, inputlen,
		&output, &outputlen, &local_err);
		g_free(input);
		if (local_err) {
		error_propagate(errp, local_err);
		return;
		}
		input = output;
		inputlen = outputlen;
		} else {
		if (secret->format == QCRYPTO_SECRET_FORMAT_BASE64) {
		qcrypto_secret_decode(input, inputlen,
		&output, &outputlen, &local_err);
		g_free(input);
		if (local_err) {
		error_propagate(errp, local_err);
		return;
		}
		input = output;
		inputlen = outputlen;
		}
		}

		secret->rawdata = input;
		secret->rawlen = inputlen;
		} else {
		g_free(secret->rawdata);
		secret->rawdata = NULL;
		secret->rawlen = 0;
		}
		}


		static bool
		qcrypto_secret_prop_get_loaded(Object *obj,
		Error **errp G_GNUC_UNUSED)
		{
		QCryptoSecret *secret = QCRYPTO_SECRET(obj);
		return secret->rawdata != NULL;
		}


		static void
		qcrypto_secret_prop_set_format(Object *obj,
		int value,
		Error **errp G_GNUC_UNUSED)
		{
		QCryptoSecret *creds = QCRYPTO_SECRET(obj);

		creds->format = value;
		}


		static int
		qcrypto_secret_prop_get_format(Object *obj,
		Error **errp G_GNUC_UNUSED)
		{
		QCryptoSecret *creds = QCRYPTO_SECRET(obj);

		return creds->format;
		}


		static void
		qcrypto_secret_prop_set_data(Object *obj,
		const char *value,
		@@ -299,48 +107,6 @@ qcrypto_secret_prop_get_file(Object *obj,
		}


		static void
		qcrypto_secret_prop_set_iv(Object *obj,
		const char *value,
		Error **errp)
		{
		QCryptoSecret *secret = QCRYPTO_SECRET(obj);

		g_free(secret->iv);
		secret->iv = g_strdup(value);
		}


		static char *
		qcrypto_secret_prop_get_iv(Object *obj,
		Error **errp)
		{
		QCryptoSecret *secret = QCRYPTO_SECRET(obj);
		return g_strdup(secret->iv);
		}


		static void
		qcrypto_secret_prop_set_keyid(Object *obj,
		const char *value,
		Error **errp)
		{
		QCryptoSecret *secret = QCRYPTO_SECRET(obj);

		g_free(secret->keyid);
		secret->keyid = g_strdup(value);
		}


		static char *
		qcrypto_secret_prop_get_keyid(Object *obj,
		Error **errp)
		{
		QCryptoSecret *secret = QCRYPTO_SECRET(obj);
		return g_strdup(secret->keyid);
		}


		static void
		qcrypto_secret_complete(UserCreatable uc, Error *errp)
		{
		@@ -353,129 +119,30 @@ qcrypto_secret_finalize(Object *obj)
		{
		QCryptoSecret *secret = QCRYPTO_SECRET(obj);

		g_free(secret->iv);
		g_free(secret->file);
		g_free(secret->keyid);
		g_free(secret->rawdata);
		g_free(secret->data);
		}

		static void
		qcrypto_secret_class_init(ObjectClass oc, void data)
		{
		UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
		QCryptoSecretCommonClass *sic = QCRYPTO_SECRET_COMMON_CLASS(oc);
		sic->load_data = qcrypto_secret_load_data;

		UserCreatableClass *ucc = USER_CREATABLE_CLASS(oc);
		ucc->complete = qcrypto_secret_complete;

		object_class_property_add_bool(oc, "loaded",
		qcrypto_secret_prop_get_loaded,
		qcrypto_secret_prop_set_loaded);
		object_class_property_add_enum(oc, "format",
		"QCryptoSecretFormat",
		&QCryptoSecretFormat_lookup,
		qcrypto_secret_prop_get_format,
		qcrypto_secret_prop_set_format);
		object_class_property_add_str(oc, "data",
		qcrypto_secret_prop_get_data,
		qcrypto_secret_prop_set_data);
		object_class_property_add_str(oc, "file",
		qcrypto_secret_prop_get_file,
		qcrypto_secret_prop_set_file);
		object_class_property_add_str(oc, "keyid",
		qcrypto_secret_prop_get_keyid,
		qcrypto_secret_prop_set_keyid);
		object_class_property_add_str(oc, "iv",
		qcrypto_secret_prop_get_iv,
		qcrypto_secret_prop_set_iv);
		}


		int qcrypto_secret_lookup(const char *secretid,
		uint8_t **data,
		size_t *datalen,
		Error **errp)
		{
		Object *obj;
		QCryptoSecret *secret;

		obj = object_resolve_path_component(
		object_get_objects_root(), secretid);
		if (!obj) {
		error_setg(errp, "No secret with id '%s'", secretid);
		return -1;
		}

		secret = (QCryptoSecret *)
		object_dynamic_cast(obj,
		TYPE_QCRYPTO_SECRET);
		if (!secret) {
		error_setg(errp, "Object with id '%s' is not a secret",
		secretid);
		return -1;
		}

		if (!secret->rawdata) {
		error_setg(errp, "Secret with id '%s' has no data",
		secretid);
		return -1;
		}

		*data = g_new0(uint8_t, secret->rawlen + 1);
		memcpy(*data, secret->rawdata, secret->rawlen);
		(*data)[secret->rawlen] = '\0';
		*datalen = secret->rawlen;

		return 0;
		}


		char qcrypto_secret_lookup_as_utf8(const char secretid,
		Error **errp)
		{
		uint8_t *data;
		size_t datalen;

		if (qcrypto_secret_lookup(secretid,
		&data,
		&datalen,
		errp) < 0) {
		return NULL;
		}

		if (!g_utf8_validate((const gchar*)data, datalen, NULL)) {
		error_setg(errp,
		"Data from secret %s is not valid UTF-8",
		secretid);
		g_free(data);
		return NULL;
		}

		return (char *)data;
		}


		char qcrypto_secret_lookup_as_base64(const char secretid,
		Error **errp)
		{
		uint8_t *data;
		size_t datalen;
		char *ret;

		if (qcrypto_secret_lookup(secretid,
		&data,
		&datalen,
		errp) < 0) {
		return NULL;
		}

		ret = g_base64_encode(data, datalen);
		g_free(data);
		return ret;
		}


		static const TypeInfo qcrypto_secret_info = {
		.parent = TYPE_OBJECT,
		.parent = TYPE_QCRYPTO_SECRET_COMMON,
		.name = TYPE_QCRYPTO_SECRET,
		.instance_size = sizeof(QCryptoSecret),
		.instance_finalize = qcrypto_secret_finalize,