-rw-r--r-- | gl/gc.h | 98 | ||||
-rw-r--r-- | lib/gnutls_cipher_int.h | 2 | ||||
-rw-r--r-- | lib/gnutls_hash_int.h | 2 | ||||
-rw-r--r-- | lib/x509/pkcs12_encr.c | 2 | ||||
-rw-r--r-- | lib/x509/privkey_pkcs8.c | 14 | ||||
-rw-r--r-- | libextra/Makefile.am | 2 |
6 files changed, 61 insertions, 59 deletions
@@ -25,33 +25,33 @@ # include <stddef.h> enum Gc_rc - { - GC_OK = 0, - GC_MALLOC_ERROR, - GC_INIT_ERROR, - GC_RANDOM_ERROR, - GC_INVALID_CIPHER, - GC_INVALID_HASH, - GC_PKCS5_INVALID_ITERATION_COUNT, - GC_PKCS5_INVALID_DERIVED_KEY_LENGTH, - GC_PKCS5_DERIVED_KEY_TOO_LONG - }; +{ + GC_OK = 0, + GC_MALLOC_ERROR, + GC_INIT_ERROR, + GC_RANDOM_ERROR, + GC_INVALID_CIPHER, + GC_INVALID_HASH, + GC_PKCS5_INVALID_ITERATION_COUNT, + GC_PKCS5_INVALID_DERIVED_KEY_LENGTH, + GC_PKCS5_DERIVED_KEY_TOO_LONG +}; typedef enum Gc_rc Gc_rc; /* Hash types. */ enum Gc_hash - { - GC_MD5, - GC_SHA1, - GC_MD2, - GC_RMD160 - }; +{ + GC_MD5, + GC_SHA1, + GC_MD2, + GC_RMD160 +}; typedef enum Gc_hash Gc_hash; enum Gc_hash_mode - { - GC_HMAC = 1 - }; +{ + GC_HMAC = 1 +}; typedef enum Gc_hash_mode Gc_hash_mode; typedef void *gc_hash_handle; @@ -61,23 +61,23 @@ typedef void *gc_hash_handle; /* Cipher types. */ enum Gc_cipher - { - GC_AES128, - GC_AES192, - GC_AES256, - GC_3DES, - GC_DES, - GC_ARCFOUR128, - GC_ARCFOUR40, - GC_ARCTWO40 - }; +{ + GC_AES128, + GC_AES192, + GC_AES256, + GC_3DES, + GC_DES, + GC_ARCFOUR128, + GC_ARCFOUR40, + GC_ARCTWO40 +}; typedef enum Gc_cipher Gc_cipher; enum Gc_cipher_mode - { - GC_CBC, - GC_STREAM - }; +{ + GC_CBC, + GC_STREAM +}; typedef enum Gc_cipher_mode Gc_cipher_mode; typedef void *gc_cipher_handle; @@ -97,9 +97,14 @@ extern void gc_set_allocators (gc_malloc_t func_malloc, gc_realloc_t func_realloc, gc_free_t func_free); +/* Randomness. */ +extern Gc_rc gc_nonce (char *data, size_t datalen); +extern Gc_rc gc_pseudo_random (char *data, size_t datalen); +extern Gc_rc gc_random (char *data, size_t datalen); + /* Ciphers. */ extern Gc_rc gc_cipher_open (Gc_cipher cipher, Gc_cipher_mode mode, - gc_cipher_handle * outhandle); + gc_cipher_handle *outhandle); extern Gc_rc gc_cipher_setkey (gc_cipher_handle handle, size_t keylen, const char *key); extern Gc_rc gc_cipher_setiv (gc_cipher_handle handle, 
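Review bot: The three prototypes added under `/* Randomness. */` (`gc_nonce`, `gc_pseudo_random`, `gc_random`) carry no statement of what each one guarantees, although the discussion quoted further down in this same header already says the function names are unclear and that applications need an API that makes a promise. Each declaration should get a comment naming its intended use (nonces and IVs, session-level material, long-term keys) and whether the call may block, with the wording confirmed against the implementation. The comment should also say that `data` must not be used unless the call returned `GC_OK`, since `Gc_rc` includes `GC_RANDOM_ERROR`, for example `/* On any return other than GC_OK the contents of DATA are unspecified and must be discarded. */`.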
@@ -113,8 +118,8 @@ extern Gc_rc gc_cipher_close (gc_cipher_handle handle); /* Hashes. */ extern Gc_rc gc_hash_open (Gc_hash hash, Gc_hash_mode mode, - gc_hash_handle * outhandle); -extern Gc_rc gc_hash_clone (gc_hash_handle handle, gc_hash_handle * outhandle); + gc_hash_handle *outhandle); +extern Gc_rc gc_hash_clone (gc_hash_handle handle, gc_hash_handle *outhandle); extern size_t gc_hash_digest_length (Gc_hash hash); extern void gc_hash_hmac_setkey (gc_hash_handle handle, size_t len, const char *key); @@ -136,11 +141,9 @@ gc_hash_buffer (Gc_hash hash, const void *in, size_t inlen, char *out); extern Gc_rc gc_md5 (const void *in, size_t inlen, void *resbuf); extern Gc_rc gc_sha1 (const void *in, size_t inlen, void *resbuf); extern Gc_rc gc_hmac_md5 (const void *key, size_t keylen, - const void *in, size_t inlen, - char *resbuf); + const void *in, size_t inlen, char *resbuf); extern Gc_rc gc_hmac_sha1 (const void *key, size_t keylen, - const void *in, size_t inlen, - char *resbuf); + const void *in, size_t inlen, char *resbuf); /* Derive cryptographic keys from a password P of length PLEN, with salt S of length SLEN, placing the result in pre-allocated buffer @@ -152,8 +155,7 @@ extern Gc_rc gc_hmac_sha1 (const void *key, size_t keylen, extern Gc_rc gc_pbkdf2_sha1 (const char *P, size_t Plen, const char *S, size_t Slen, - unsigned int c, - char *DK, size_t dkLen); + unsigned int c, char *DK, size_t dkLen); /* TODO: @@ -169,7 +171,7 @@ gc_pbkdf2_sha1 (const char *P, size_t Plen, > Simon Josefsson <jas@extundo.com> writes: > - >> * Perhaps the /dev/*random reading should be separated into a separate + >> * Perhaps the /dev/?random reading should be separated into a separate >> module? It might be useful outside of the gc layer too. > > Absolutely. I've been meaning to do that for months (for a "shuffle" 
@@ -180,9 +182,9 @@ gc_pbkdf2_sha1 (const char *P, size_t Plen, I'll write a separate module for that part. I think we should even add a good PRNG that is re-seeded from - /dev/*random frequently. GnuTLS can need a lot of random data on a + /dev/?random frequently. GnuTLS can need a lot of random data on a big server, more than /dev/random can supply. And /dev/urandom might - not be strong enough. Further, the security of /dev/*random can also + not be strong enough. Further, the security of /dev/?random can also be questionable. >> I'm also not sure about the names of those functions, they suggest @@ -220,12 +222,12 @@ gc_pbkdf2_sha1 (const char *P, size_t Plen, it isn't called too often. You can guess what the next value will be, but it will always be different. - The problem is that /dev/*random doesn't offer any kind of semantic + The problem is that /dev/?random doesn't offer any kind of semantic guarantees. But applications need an API that make that promise. I think we should do this in several steps: - 1) Write a module that can read from /dev/*random. + 1) Write a module that can read from /dev/?random. 2) Add a module for a known-good PRNG suitable for random number generation, that can be continuously re-seeded. diff --git a/lib/gnutls_cipher_int.h b/lib/gnutls_cipher_int.h index e9c84e423f..a74d012602 100644 --- a/lib/gnutls_cipher_int.h +++ b/lib/gnutls_cipher_int.h @@ -25,7 +25,7 @@ #ifndef GNUTLS_CIPHER_INT # define GNUTLS_CIPHER_INT -#define cipher_hd_t gc_cipher +#define cipher_hd_t gc_cipher_handle #define GNUTLS_CIPHER_FAILED NULL cipher_hd_t _gnutls_cipher_init(gnutls_cipher_algorithm_t cipher, diff --git a/lib/gnutls_hash_int.h b/lib/gnutls_hash_int.h index 2e210306e8..ea15b26323 100644 --- a/lib/gnutls_hash_int.h +++ b/lib/gnutls_hash_int.h @@ -30,7 +30,7 @@ /* for message digests */ typedef struct { - gc_hash handle; + gc_hash_handle handle; gnutls_mac_algorithm_t algorithm; const void *key; int keysize; 
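Review bot: In lib/gnutls_cipher_int.h the changed line still introduces `cipher_hd_t` with `#define`, so it is a textual substitution rather than a type; `typedef gc_cipher_handle cipher_hd_t;` would give the name proper scope and make it appear in diagnostics. The gc.h hunks in this diff show both `gc_cipher_handle` and `gc_hash_handle` as `typedef void *`, so the compiler will not complain when a hash handle is passed where a cipher handle is expected, or when any other pointer is. A short comment next to the alias stating that the handle is opaque and must only come from `_gnutls_cipher_init` would help. The same applies to the `handle` member changed in lib/gnutls_hash_int.h.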
diff --git a/lib/x509/pkcs12_encr.c b/lib/x509/pkcs12_encr.c index da237c1789..e7827b14fb 100644 --- a/lib/x509/pkcs12_encr.c +++ b/lib/x509/pkcs12_encr.c @@ -59,7 +59,7 @@ _pkcs12_string_to_key(unsigned int id, const opaque * salt, { int rc; unsigned int i, j; - gc_hash md; + gc_hash_handle md; mpi_t num_b1 = NULL; unsigned int pwlen; opaque hash[20], buf_b[64], buf_i[128], *p; diff --git a/lib/x509/privkey_pkcs8.c b/lib/x509/privkey_pkcs8.c index a89ee7f685..b6bae9a242 100644 --- a/lib/x509/privkey_pkcs8.c +++ b/lib/x509/privkey_pkcs8.c @@ -1237,9 +1237,9 @@ static int decrypt_data(schema_id schema, ASN1_TYPE pkcs8_asn, /* generate the key */ if (schema == PBES2) { - result = gc_pkcs5_pbkdf2_sha1(password, strlen(password), - kdf_params->salt, kdf_params->salt_size, - kdf_params->iter_count, key_size, key); + result = gc_pbkdf2_sha1(password, strlen(password), + kdf_params->salt, kdf_params->salt_size, + kdf_params->iter_count, key, key_size); if (result != GC_OK) { gnutls_assert(); @@ -1515,10 +1515,10 @@ static int generate_key(schema_id schema, if (schema == PBES2) { - ret = gc_pkcs5_pbkdf2_sha1(password, strlen(password), - kdf_params->salt, kdf_params->salt_size, - kdf_params->iter_count, - kdf_params->key_size, key->data); + ret = gc_pbkdf2_sha1(password, strlen(password), + kdf_params->salt, kdf_params->salt_size, + kdf_params->iter_count, + key->data, kdf_params->key_size); if (ret != GC_OK) { gnutls_assert(); return GNUTLS_E_ENCRYPTION_FAILED; diff --git a/libextra/Makefile.am b/libextra/Makefile.am index c83cdbc339..e570665368 100644 --- a/libextra/Makefile.am +++ b/libextra/Makefile.am @@ -68,7 +68,7 @@ lib_LTLIBRARIES += libgnutls-openssl.la libgnutls_openssl_la_SOURCES = gnutls_openssl.c openssl_compat.h \ openssl_compat.c -libgnutls_openssl_la_LIBADD = ../lib/libgnutls.la +libgnutls_openssl_la_LIBADD = ../lib/libgnutls.la ../gl/libgnu.la libgnutls_openssl_la_LDFLAGS += -version-info $(LT_CURRENT):$(LT_REVISION):$(LT_AGE) |
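Review bot: In the `decrypt_data` hunk of lib/x509/privkey_pkcs8.c, `kdf_params->iter_count` and `kdf_params->salt_size` are passed to `gc_pbkdf2_sha1` with no visible bound; if these fields are filled from the PKCS #8 structure being decrypted, as the function name suggests, a crafted file can pick an iteration count that keeps the CPU busy for a very long time. A cap before the call, such as `if (kdf_params->iter_count > MAX_PBKDF2_ITER) /* placeholder name for a project-chosen limit */`, leaving through the same error path as the existing `result != GC_OK` branch, would cover it. Neither this hunk nor the `generate_key` hunk shows the buffer behind `key` / `key->data` being checked against the length that is now passed as the last argument, and both functions continue outside the hunks, so that is worth confirming in the surrounding code. Both calls also use `strlen(password)`, which assumes the caller never passes a NULL password.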