
[Qemu-commits] [qemu/qemu] b917da: crypto: add cryptographic random byte


From: GitHub
Subject: [Qemu-commits] [qemu/qemu] b917da: crypto: add cryptographic random byte source
Date: Thu, 17 Mar 2016 11:00:06 -0700

  Branch: refs/heads/master
  Home:   https://github.com/qemu/qemu
  Commit: b917da4cbd13dae4cda3852d5bdf3725202103ab
      
https://github.com/qemu/qemu/commit/b917da4cbd13dae4cda3852d5bdf3725202103ab
  Author: Daniel P. Berrange <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M Makefile.objs
    M configure
    M crypto/Makefile.objs
    A crypto/random-gcrypt.c
    A crypto/random-gnutls.c
    A crypto/random-stub.c
    A include/crypto/random.h

  Log Message:
  -----------
  crypto: add cryptographic random byte source

There are three backend impls provided. The preferred
is gnutls, which is backed by nettle in modern distros.
The gcrypt impl is provided for cases where QEMU build
against gnutls is disabled, but crypto is still desired.
No nettle impl is provided, since it is non-trivial to
use the nettle APIs for random numbers. Users of nettle
should ensure gnutls is enabled for QEMU.

Reviewed-by: Fam Zheng <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Daniel P. Berrange <address@hidden>


  Commit: 37788f253a4a9ad5f27dae68aee261c784e1fa17
      
https://github.com/qemu/qemu/commit/37788f253a4a9ad5f27dae68aee261c784e1fa17
  Author: Daniel P. Berrange <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M configure
    M crypto/Makefile.objs
    A crypto/pbkdf-gcrypt.c
    A crypto/pbkdf-nettle.c
    A crypto/pbkdf-stub.c
    A crypto/pbkdf.c
    A include/crypto/pbkdf.h
    M tests/.gitignore
    M tests/Makefile
    A tests/test-crypto-pbkdf.c

  Log Message:
  -----------
  crypto: add support for PBKDF2 algorithm

The LUKS data format includes use of PBKDF2 (Password-Based
Key Derivation Function). The Nettle library can provide
an implementation of this, but we don't want code directly
depending on a specific crypto library backend. Introduce
a new include/crypto/pbkdf.h header which defines a QEMU
API for invoking PBKDF2. The initial implementations are
backed by nettle & gcrypt, which are commonly available
with distros shipping GNUTLS.

The test suite data is taken from the cryptsetup codebase
under the LGPLv2.1+ license. This merely aims to verify
that whatever backend we provide for this function in QEMU
will comply with the spec.

Reviewed-by: Fam Zheng <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Daniel P. Berrange <address@hidden>


  Commit: cb730894ae284965e03a40eabbf623b87206777b
      
https://github.com/qemu/qemu/commit/cb730894ae284965e03a40eabbf623b87206777b
  Author: Daniel P. Berrange <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M crypto/Makefile.objs
    A crypto/ivgen-essiv.c
    A crypto/ivgen-essiv.h
    A crypto/ivgen-plain.c
    A crypto/ivgen-plain.h
    A crypto/ivgen-plain64.c
    A crypto/ivgen-plain64.h
    A crypto/ivgen.c
    A crypto/ivgenpriv.h
    A include/crypto/ivgen.h
    M qapi/crypto.json
    M tests/.gitignore
    M tests/Makefile
    A tests/test-crypto-ivgen.c

  Log Message:
  -----------
  crypto: add support for generating initialization vectors

There are a number of different algorithms that can be used
to generate initialization vectors for disk encryption. This
introduces a simple internal QCryptoBlockIV object to provide
a consistent internal API to the different algorithms. The
initially implemented algorithms are 'plain', 'plain64' and
'essiv', each matching the same named algorithm provided
by the Linux kernel dm-crypt driver.

Reviewed-by: Eric Blake <address@hidden>
Reviewed-by: Fam Zheng <address@hidden>
Signed-off-by: Daniel P. Berrange <address@hidden>


  Commit: 5a95e0fccdad951d8779fca459c20649c8b0cbb4
      
https://github.com/qemu/qemu/commit/5a95e0fccdad951d8779fca459c20649c8b0cbb4
  Author: Daniel P. Berrange <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M crypto/Makefile.objs
    A crypto/afsplit.c
    A include/crypto/afsplit.h
    M tests/.gitignore
    M tests/Makefile
    A tests/test-crypto-afsplit.c

  Log Message:
  -----------
  crypto: add support for anti-forensic split algorithm

The LUKS format specifies an anti-forensic split algorithm which
is used to artificially expand the size of the key material on
disk. This is an implementation of that algorithm.

Reviewed-by: Fam Zheng <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Daniel P. Berrange <address@hidden>


  Commit: aa41363598735bae8d270023247da9ec0334605c
      
https://github.com/qemu/qemu/commit/aa41363598735bae8d270023247da9ec0334605c
  Author: Daniel P. Berrange <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M tests/test-crypto-cipher.c

  Log Message:
  -----------
  crypto: skip testing of unsupported cipher algorithms

We don't guarantee that all crypto backends will support
all cipher algorithms, so we should skip tests unless
the crypto backend indicates support.

Reviewed-by: Fam Zheng <address@hidden>
Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Daniel P. Berrange <address@hidden>


  Commit: 084a85eeddfe1ab84b861971b6efd976d2ae3d1f
      
https://github.com/qemu/qemu/commit/084a85eeddfe1ab84b861971b6efd976d2ae3d1f
  Author: Daniel P. Berrange <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M crypto/cipher-gcrypt.c
    M crypto/cipher-nettle.c
    M crypto/cipher.c
    M qapi/crypto.json
    M tests/test-crypto-cipher.c

  Log Message:
  -----------
  crypto: add support for the cast5-128 cipher algorithm

A new cipher algorithm 'cast-5-128' is defined for the
Cast-5 algorithm with 128 bit key size. Smaller key sizes
are supported by Cast-5, but nothing in QEMU should use
them, so only 128 bit keys are permitted.

The nettle and gcrypt cipher backends are updated to
support the new cipher and a test vector added to the
cipher test suite. The new algorithm is enabled in the
LUKS block encryption driver.

Reviewed-by: Eric Blake <address@hidden>
Reviewed-by: Fam Zheng <address@hidden>
Signed-off-by: Daniel P. Berrange <address@hidden>


  Commit: 94318522ed7930863924b3191ea8fee1d8cbe506
      
https://github.com/qemu/qemu/commit/94318522ed7930863924b3191ea8fee1d8cbe506
  Author: Daniel P. Berrange <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M crypto/cipher-gcrypt.c
    M crypto/cipher-nettle.c
    M crypto/cipher.c
    M qapi/crypto.json
    M tests/test-crypto-cipher.c

  Log Message:
  -----------
  crypto: add support for the serpent cipher algorithm

New cipher algorithms 'serpent-128', 'serpent-192' and
'serpent-256' are defined for the Serpent algorithm.

The nettle and gcrypt cipher backends are updated to
support the new cipher and a test vector added to the
cipher test suite. The new algorithm is enabled in the
LUKS block encryption driver.

Reviewed-by: Eric Blake <address@hidden>
Reviewed-by: Fam Zheng <address@hidden>
Signed-off-by: Daniel P. Berrange <address@hidden>


  Commit: 50f6753e2787b60475c2c5c07c6be5d600aa84de
      
https://github.com/qemu/qemu/commit/50f6753e2787b60475c2c5c07c6be5d600aa84de
  Author: Daniel P. Berrange <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M crypto/cipher-gcrypt.c
    M crypto/cipher-nettle.c
    M crypto/cipher.c
    M qapi/crypto.json
    M tests/test-crypto-cipher.c

  Log Message:
  -----------
  crypto: add support for the twofish cipher algorithm

New cipher algorithms 'twofish-128', 'twofish-192' and
'twofish-256' are defined for the Twofish algorithm.
The gcrypt backend does not support 'twofish-192'.

The nettle and gcrypt cipher backends are updated to
support the new cipher and a test vector added to the
cipher test suite. The new algorithm is enabled in the
LUKS block encryption driver.

Reviewed-by: Eric Blake <address@hidden>
Reviewed-by: Fam Zheng <address@hidden>
Signed-off-by: Daniel P. Berrange <address@hidden>


  Commit: 84f7f180b034b2a08b558bd3fbb5be1ae88f74c1
      
https://github.com/qemu/qemu/commit/84f7f180b034b2a08b558bd3fbb5be1ae88f74c1
  Author: Daniel P. Berrange <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M crypto/Makefile.objs
    A crypto/xts.c
    A include/crypto/xts.h
    M tests/.gitignore
    M tests/Makefile
    A tests/test-crypto-xts.c

  Log Message:
  -----------
  crypto: import an implementation of the XTS cipher mode

The XTS (XEX with tweaked-codebook and ciphertext stealing)
cipher mode is commonly used in full disk encryption. There
is unfortunately no implementation of it in either libgcrypt
or nettle, so we need to provide our own.

The libtomcrypt project provides a repository of crypto
algorithms under a choice of either "public domain" or
the "what the fuck public license".

So this impl is taken from the libtomcrypt GIT repo and
adapted to be compatible with the way we need to call
ciphers provided by nettle/gcrypt.

Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Daniel P. Berrange <address@hidden>


  Commit: e3ba0b67014b9fa15239f99bfcc227200e89024b
      
https://github.com/qemu/qemu/commit/e3ba0b67014b9fa15239f99bfcc227200e89024b
  Author: Daniel P. Berrange <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M crypto/cipher-builtin.c
    M crypto/cipher-nettle.c

  Log Message:
  -----------
  crypto: refactor code for dealing with AES cipher

The built-in and nettle cipher backends for AES maintain
two separate AES contexts, one for encryption and one for
decryption. This is going to be inconvenient for the future
code dealing with XTS, so wrap them up in a single struct
so there is just one pointer to pass around for both
encryption and decryption.

Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Daniel P. Berrange <address@hidden>


  Commit: eaec903c5b830ed9d9610ba72072b97763c2f996
      
https://github.com/qemu/qemu/commit/eaec903c5b830ed9d9610ba72072b97763c2f996
  Author: Daniel P. Berrange <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M crypto/cipher-builtin.c
    M crypto/cipher-gcrypt.c
    M crypto/cipher-nettle.c
    M crypto/cipher.c
    M qapi/crypto.json
    M tests/test-crypto-cipher.c

  Log Message:
  -----------
  crypto: wire up XTS mode for cipher APIs

Introduce 'XTS' as a permitted mode for the cipher APIs.
With XTS the key provided must be twice the size of the
key normally required for any given algorithm. This is
because the key will be split into two pieces for use
in XTS mode.

Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Daniel P. Berrange <address@hidden>


  Commit: 7d9690148ac25bc755a759adab7d63f517d092b1
      
https://github.com/qemu/qemu/commit/7d9690148ac25bc755a759adab7d63f517d092b1
  Author: Daniel P. Berrange <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M crypto/Makefile.objs
    A crypto/block-qcow.c
    A crypto/block-qcow.h
    A crypto/block.c
    A crypto/blockpriv.h
    A include/crypto/block.h
    M qapi/crypto.json
    M tests/.gitignore
    M tests/Makefile
    A tests/test-crypto-block.c

  Log Message:
  -----------
  crypto: add block encryption framework

Add a generic framework for supporting different block encryption
formats. Upon instantiating a QCryptoBlock object, it will read
the encryption header and extract the encryption keys. It is
then possible to call methods to encrypt/decrypt data buffers.

There is also a mode whereby it will create/initialize a new
encryption header on a previously unformatted volume.

The initial framework comes with support for the legacy QCow
AES based encryption. This enables code in the QCow driver to
be consolidated later.

Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Daniel P. Berrange <address@hidden>


  Commit: 3e308f20edfd65a21c98eb2d8079dacd47957444
      
https://github.com/qemu/qemu/commit/3e308f20edfd65a21c98eb2d8079dacd47957444
  Author: Daniel P. Berrange <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M crypto/Makefile.objs
    A crypto/block-luks.c
    A crypto/block-luks.h
    M crypto/block.c
    M qapi/crypto.json
    M tests/test-crypto-block.c

  Log Message:
  -----------
  crypto: implement the LUKS block encryption format

Provide a block encryption implementation that follows the
LUKS/dm-crypt specification.

This supports all combinations of hash, cipher algorithm,
cipher mode and iv generator that are implemented by the
current crypto layer.

There is support for opening existing volumes formatted
by dm-crypt, and for formatting new volumes. In the latter
case it will only use key slot 0.

Reviewed-by: Eric Blake <address@hidden>
Signed-off-by: Daniel P. Berrange <address@hidden>


  Commit: 879c26fb9fd950eefcac64cc854b22edc05e317a
      
https://github.com/qemu/qemu/commit/879c26fb9fd950eefcac64cc854b22edc05e317a
  Author: Peter Maydell <address@hidden>
  Date:   2016-03-17 (Thu, 17 Mar 2016)

  Changed paths:
    M Makefile.objs
    M configure
    M crypto/Makefile.objs
    A crypto/afsplit.c
    A crypto/block-luks.c
    A crypto/block-luks.h
    A crypto/block-qcow.c
    A crypto/block-qcow.h
    A crypto/block.c
    A crypto/blockpriv.h
    M crypto/cipher-builtin.c
    M crypto/cipher-gcrypt.c
    M crypto/cipher-nettle.c
    M crypto/cipher.c
    A crypto/ivgen-essiv.c
    A crypto/ivgen-essiv.h
    A crypto/ivgen-plain.c
    A crypto/ivgen-plain.h
    A crypto/ivgen-plain64.c
    A crypto/ivgen-plain64.h
    A crypto/ivgen.c
    A crypto/ivgenpriv.h
    A crypto/pbkdf-gcrypt.c
    A crypto/pbkdf-nettle.c
    A crypto/pbkdf-stub.c
    A crypto/pbkdf.c
    A crypto/random-gcrypt.c
    A crypto/random-gnutls.c
    A crypto/random-stub.c
    A crypto/xts.c
    A include/crypto/afsplit.h
    A include/crypto/block.h
    A include/crypto/ivgen.h
    A include/crypto/pbkdf.h
    A include/crypto/random.h
    A include/crypto/xts.h
    M qapi/crypto.json
    M tests/.gitignore
    M tests/Makefile
    A tests/test-crypto-afsplit.c
    A tests/test-crypto-block.c
    M tests/test-crypto-cipher.c
    A tests/test-crypto-ivgen.c
    A tests/test-crypto-pbkdf.c
    A tests/test-crypto-xts.c

  Log Message:
  -----------
  Merge remote-tracking branch 'remotes/berrange/tags/pull-qcrypto-2016-03-17-3' into staging

Merge QCrypto 2016/03/17 v3

# gpg: Signature made Thu 17 Mar 2016 16:51:32 GMT using RSA key ID 15104FDF
# gpg: Good signature from "Daniel P. Berrange <address@hidden>"
# gpg:                 aka "Daniel P. Berrange <address@hidden>"

* remotes/berrange/tags/pull-qcrypto-2016-03-17-3:
  crypto: implement the LUKS block encryption format
  crypto: add block encryption framework
  crypto: wire up XTS mode for cipher APIs
  crypto: refactor code for dealing with AES cipher
  crypto: import an implementation of the XTS cipher mode
  crypto: add support for the twofish cipher algorithm
  crypto: add support for the serpent cipher algorithm
  crypto: add support for the cast5-128 cipher algorithm
  crypto: skip testing of unsupported cipher algorithms
  crypto: add support for anti-forensic split algorithm
  crypto: add support for generating initialization vectors
  crypto: add support for PBKDF2 algorithm
  crypto: add cryptographic random byte source

Signed-off-by: Peter Maydell <address@hidden>


Compare: https://github.com/qemu/qemu/compare/6741d38ad0f2...879c26fb9fd9
