EXTRA_CLI_OBJECTS="$EXTRA_CLI_OBJECTS $HASH_OBJ"
LIBS="$LIBS $HASH_LINK"
-if [ $feat_ntp = "1" ] && [ $feat_nts = "1" ] && [ $try_gnutls = "1" ] && \
- echo "$HASH_LINK" | grep 'nettle' > /dev/null; then
+if [ $feat_ntp = "1" ] && [ $feat_nts = "1" ] && [ $try_gnutls = "1" ]; then
test_cflags="`pkg_config --cflags gnutls`"
test_link="`pkg_config --libs gnutls`"
if test_code 'gnutls' 'gnutls/gnutls.h' \
"$test_cflags" "$test_link" '
return gnutls_init(NULL, 0) +
gnutls_priority_init2(NULL, "", NULL, GNUTLS_PRIORITY_INIT_DEF_APPEND) +
- gnutls_prf_rfc5705(NULL, 0, "", 0, "", 16, NULL);' &&
- test_code 'AES128 in nettle' 'nettle/aes.h' '' "$LIBS" \
- 'aes128_set_encrypt_key(NULL, NULL);'
+ gnutls_prf_rfc5705(NULL, 0, "", 0, "", 16, NULL);'
then
- EXTRA_OBJECTS="$EXTRA_OBJECTS nts_ke_client.o nts_ke_server.o nts_ke_session.o"
- EXTRA_OBJECTS="$EXTRA_OBJECTS nts_ntp_auth.o nts_ntp_client.o nts_ntp_server.o"
- EXTRA_OBJECTS="$EXTRA_OBJECTS siv_nettle.o"
- LIBS="$LIBS $test_link"
- MYCPPFLAGS="$MYCPPFLAGS $test_cflags"
- add_def FEAT_NTS
-
- add_def HAVE_SIV
if test_code 'SIV in nettle' \
'nettle/siv-cmac.h' "" "$LIBS" \
'siv_cmac_aes128_set_key(NULL, NULL);'
then
+ EXTRA_OBJECTS="$EXTRA_OBJECTS siv_nettle.o"
+ add_def HAVE_SIV
add_def HAVE_NETTLE_SIV_CMAC
+ else
+ if test_code 'SIV in gnutls' 'gnutls/gnutls.h' \
+ "$test_cflags" "$test_link" '
+ return gnutls_aead_cipher_init(NULL, GNUTLS_CIPHER_AES_128_SIV, NULL);'
+ then
+ EXTRA_OBJECTS="$EXTRA_OBJECTS siv_gnutls.o"
+ add_def HAVE_SIV
+ else
+ if test_code 'AES128 in nettle' 'nettle/aes.h' '' "$LIBS" \
+ 'aes128_set_encrypt_key(NULL, NULL);'
+ then
+ EXTRA_OBJECTS="$EXTRA_OBJECTS siv_nettle.o"
+ add_def HAVE_SIV
+ fi
+ fi
+ fi
+
+ if grep '#define HAVE_SIV' config.h > /dev/null; then
+ EXTRA_OBJECTS="$EXTRA_OBJECTS nts_ke_client.o nts_ke_server.o nts_ke_session.o"
+ EXTRA_OBJECTS="$EXTRA_OBJECTS nts_ntp_auth.o nts_ntp_client.o nts_ntp_server.o"
+ LIBS="$LIBS $test_link"
+ MYCPPFLAGS="$MYCPPFLAGS $test_cflags"
+ add_def FEAT_NTS
fi
fi
fi
--- /dev/null
+/*
+ chronyd/chronyc - Programs for keeping computer clocks accurate.
+
+ **********************************************************************
+ * Copyright (C) Miroslav Lichvar 2020
+ *
+ * This program is free software; you can redistribute it and/or modify
+ * it under the terms of version 2 of the GNU General Public License as
+ * published by the Free Software Foundation.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ * General Public License for more details.
+ *
+ * You should have received a copy of the GNU General Public License along
+ * with this program; if not, write to the Free Software Foundation, Inc.,
+ * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
+ *
+ **********************************************************************
+
+ =======================================================================
+
+ SIV ciphers using the GnuTLS library
+ */
+
+#include "config.h"
+
+#include "sysincl.h"
+
+#include <gnutls/crypto.h>
+
+#include "logging.h"
+#include "memory.h"
+#include "siv.h"
+
+struct SIV_Instance_Record {
+ gnutls_cipher_algorithm_t algorithm;
+ gnutls_aead_cipher_hd_t cipher;
+};
+
+/* ================================================== */
+
+static int instance_counter = 0;
+static int gnutls_initialised = 0;
+
+/* ================================================== */
+
+static void
+init_gnutls(void)
+{
+ int r;
+
+ if (gnutls_initialised)
+ return;
+
+ r = gnutls_global_init();
+ if (r < 0)
+ LOG_FATAL("Could not initialise %s : %s", "gnutls", gnutls_strerror(r));
+
+ DEBUG_LOG("Initialised");
+ gnutls_initialised = 1;
+}
+
+/* ================================================== */
+
+static void
+deinit_gnutls(void)
+{
+ assert(gnutls_initialised);
+ gnutls_global_deinit();
+ gnutls_initialised = 0;
+ DEBUG_LOG("Deinitialised");
+}
+
+/* ================================================== */
+
+static gnutls_cipher_algorithm_t
+get_cipher_algorithm(SIV_Algorithm algorithm)
+{
+ switch (algorithm) {
+ case AEAD_AES_SIV_CMAC_256:
+ return GNUTLS_CIPHER_AES_128_SIV;
+ default:
+ return 0;
+ }
+}
+
+/* ================================================== */
+
+SIV_Instance
+SIV_CreateInstance(SIV_Algorithm algorithm)
+{
+ gnutls_cipher_algorithm_t calgo;
+ SIV_Instance instance;
+
+ calgo = get_cipher_algorithm(algorithm);
+ if (calgo == 0)
+ return NULL;
+
+ if (instance_counter == 0)
+ init_gnutls();
+
+ /* Check if the cipher is actually supported */
+ if (gnutls_cipher_get_tag_size(calgo) == 0)
+ return NULL;
+
+ instance = MallocNew(struct SIV_Instance_Record);
+ instance->algorithm = calgo;
+ instance->cipher = NULL;
+
+ instance_counter++;
+
+ return instance;
+}
+
+/* ================================================== */
+
+void
+SIV_DestroyInstance(SIV_Instance instance)
+{
+ if (instance->cipher)
+ gnutls_aead_cipher_deinit(instance->cipher);
+ Free(instance);
+
+ instance_counter--;
+ if (instance_counter == 0)
+ deinit_gnutls();
+}
+
+/* ================================================== */
+
+int
+SIV_GetKeyLength(SIV_Algorithm algorithm)
+{
+ gnutls_cipher_algorithm_t calgo = get_cipher_algorithm(algorithm);
+
+ if (calgo == 0)
+ return 0;
+
+ return gnutls_cipher_get_key_size(calgo);
+}
+
+/* ================================================== */
+
+int
+SIV_SetKey(SIV_Instance instance, const unsigned char *key, int length)
+{
+ gnutls_aead_cipher_hd_t cipher;
+ gnutls_datum_t datum;
+ int r;
+
+ if (length <= 0 || length != gnutls_cipher_get_key_size(instance->algorithm))
+ return 0;
+
+ datum.data = (unsigned char *)key;
+ datum.size = length;
+
+ /* Initialise a new cipher with the provided key (gnutls does not seem to
+ have a function to change the key directly) */
+ r = gnutls_aead_cipher_init(&cipher, instance->algorithm, &datum);
+ if (r < 0) {
+ DEBUG_LOG("Could not initialise %s : %s", "cipher", gnutls_strerror(r));
+ return 0;
+ }
+
+ /* Replace the previous cipher */
+ if (instance->cipher)
+ gnutls_aead_cipher_deinit(instance->cipher);
+ instance->cipher = cipher;
+
+ return 1;
+}
+
+/* ================================================== */
+
+int
+SIV_GetTagLength(SIV_Instance instance)
+{
+ return gnutls_cipher_get_tag_size(instance->algorithm);
+}
+
+/* ================================================== */
+
+int
+SIV_Encrypt(SIV_Instance instance,
+ const unsigned char *nonce, int nonce_length,
+ const void *assoc, int assoc_length,
+ const void *plaintext, int plaintext_length,
+ unsigned char *ciphertext, int ciphertext_length)
+{
+ size_t clen = ciphertext_length;
+
+ if (nonce_length < 1 || assoc_length < 0 ||
+ plaintext_length < 0 || ciphertext_length < 0)
+ return 0;
+
+ assert(assoc && plaintext);
+
+ if (gnutls_aead_cipher_encrypt(instance->cipher,
+ nonce, nonce_length, assoc, assoc_length, 0,
+ plaintext, plaintext_length, ciphertext, &clen) < 0)
+ return 0;
+
+ if (clen != ciphertext_length)
+ return 0;
+
+ return 1;
+}
+
+/* ================================================== */
+
+int
+SIV_Decrypt(SIV_Instance instance,
+ const unsigned char *nonce, int nonce_length,
+ const void *assoc, int assoc_length,
+ const unsigned char *ciphertext, int ciphertext_length,
+ void *plaintext, int plaintext_length)
+{
+ size_t plen = plaintext_length;
+
+ if (nonce_length < 1 || assoc_length < 0 ||
+ plaintext_length < 0 || ciphertext_length < 0)
+ return 0;
+
+ assert(assoc && plaintext);
+
+ if (gnutls_aead_cipher_decrypt(instance->cipher,
+ nonce, nonce_length, assoc, assoc_length, 0,
+ ciphertext, ciphertext_length, plaintext, &plen) < 0)
+ return 0;
+
+ if (plen != plaintext_length)
+ return 0;
+
+ return 1;
+}
projects / thirdparty / chrony.git / commitdiff
