vircrypto: Rely on GnuTLS for hash functions

Ditch the use of gnulib's digest functions in favor of GnuTLS, which might be more likely to get FIPS-certified. Signed-off-by: Ján Tomko <jtomko@redhat.com>
2024-12-22 05:35:25 +00:00 · 2018-05-11 16:18:17 +02:00 · 2018-05-11 16:18:17 +02:00 · 799011bbe7
commit 799011bbe7
parent c038a3cfed
2 changed files with 23 additions and 11 deletions
--- a/bootstrap.conf
+++ b/bootstrap.conf
@ -37,8 +37,6 @@ connect
 configmake
 count-leading-zeros
 count-one-bits
 crypto/md5
 crypto/sha256
 dirname-lgpl
 environ
 execinfo
--- a/src/util/vircrypto.c
+++ b/src/util/vircrypto.c
@ -26,8 +26,6 @@
 #include "viralloc.h"
 #include "virrandom.h"
 #include "md5.h"
 #include "sha256.h"
 #ifdef WITH_GNUTLS
 # include <gnutls/gnutls.h>
 # if HAVE_GNUTLS_CRYPTO_H
@ -41,15 +39,18 @@ VIR_LOG_INIT("util.crypto");
 static const char hex[] = "0123456789abcdef";
 #define VIR_CRYPTO_LARGEST_DIGEST_SIZE VIR_CRYPTO_HASH_SIZE_SHA256
 #if WITH_GNUTLS
 struct virHashInfo {
-    void *(*func)(const char *buf, size_t len, void *res);
+    gnutls_digest_algorithm_t algorithm;
    size_t hashlen;
 } hashinfo[] = {
-    { md5_buffer, MD5_DIGEST_SIZE },
+    { GNUTLS_DIG_MD5, VIR_CRYPTO_HASH_SIZE_MD5 },
-    { sha256_buffer, SHA256_DIGEST_SIZE },
+    { GNUTLS_DIG_SHA256, VIR_CRYPTO_HASH_SIZE_SHA256 },
 };
 #define VIR_CRYPTO_LARGEST_DIGEST_SIZE SHA256_DIGEST_SIZE
 verify(ARRAY_CARDINALITY(hashinfo) == VIR_CRYPTO_HASH_LAST);
@ -58,20 +59,33 @@ virCryptoHashBuf(virCryptoHash hash,
                 const char *input,
                 unsigned char *output)
 {
    int rc;
    if (hash >= VIR_CRYPTO_HASH_LAST) {
        virReportError(VIR_ERR_INVALID_ARG,
                       _("Unknown crypto hash %d"), hash);
        return -1;
    }
-    if (!(hashinfo[hash].func(input, strlen(input), output))) {
+    rc = gnutls_hash_fast(hashinfo[hash].algorithm, input, strlen(input), output);
-        virReportError(VIR_ERR_INTERNAL_ERROR, "%s",
+    if (rc < 0) {
-                       _("Unable to compute hash of data"));
+        virReportError(VIR_ERR_INTERNAL_ERROR,
                       _("Unable to compute hash of data: %s"),
                       gnutls_strerror(rc));
        return -1;
    }
    return 0;
 }
 #else
 int
 virCryptoHashBuf(virCryptoHash hash,
                 const char *input ATTRIBUTE_UNUSED,
                 unsigned char *output ATTRIBUTE_UNUSED)
 {
    virReportError(VIR_ERR_INVALID_ARG,
                   _("algorithm=%d is not supported"), hash);
 }
 #endif
 int
 virCryptoHashString(virCryptoHash hash,