diff options
author | Steve Lhomme <robux4@ycbcr.xyz> | 2020-04-29 10:32:08 +0200 |
---|---|---|
committer | Steve Lhomme <robux4@ycbcr.xyz> | 2020-05-28 07:44:47 +0200 |
commit | 2a94a7b12d3bfb8384e1ca4d55eea28ccc5b2fe5 (patch) | |
tree | 9a48bf952ffd17b89e7d2cbbcc991b8a0c481de2 | |
parent | 2f28cf6e7304a0f8b3c08823846752a2b55aabcf (diff) | |
download | gnutls-2a94a7b12d3bfb8384e1ca4d55eea28ccc5b2fe5.tar.gz |
win32: use bcrypt instead of CryptoAPI on Vista+ for random numbers
CryptoAPI is a deprecated API [1] that is forbidden in UWP builds.
Rewrite the CryptoAPI calls in bcrypt.
bcrypt is used instead of CryptoAPI when targeting Windows Vista and above.
https://docs.microsoft.com/en-us/windows/win32/api/wincrypt/nf-wincrypt-cryptdecrypt
Signed-off-by: Steve Lhomme <robux4@ycbcr.xyz>
-rw-r--r-- | configure.ac | 7 | ||||
-rw-r--r-- | lib/gnutls.pc.in | 2 | ||||
-rw-r--r-- | lib/nettle/Makefile.am | 4 | ||||
-rw-r--r-- | lib/nettle/sysrng-bcrypt.c | 88 |
4 files changed, 100 insertions, 1 deletions
diff --git a/configure.ac b/configure.ac index 9ea53b7344..cda77c177e 100644 --- a/configure.ac +++ b/configure.ac @@ -596,6 +596,13 @@ fi AM_CONDITIONAL(HAVE_LIBIDN2, test "$with_libidn2" != "no") +if test "x$have_vista_dynamic" = "xno"; then + AC_CHECK_TYPES([BCRYPT_ALG_HANDLE],[LIBBCRYPT="-lbcrypt"],[],[#include <windows.h> + #include <bcrypt.h>]) +fi +AM_CONDITIONAL(HAVE_BCRYPT, test "$ac_cv_type_BCRYPT_ALG_HANDLE" = "yes") +AC_SUBST([LIBBCRYPT]) + AC_ARG_ENABLE(non-suiteb-curves, AS_HELP_STRING([--disable-non-suiteb-curves], [disable curves not in SuiteB]), enable_non_suiteb=$enableval, enable_non_suiteb=yes) diff --git a/lib/gnutls.pc.in b/lib/gnutls.pc.in index 15d3ab057c..0ed41e2ddd 100644 --- a/lib/gnutls.pc.in +++ b/lib/gnutls.pc.in @@ -19,6 +19,6 @@ Description: Transport Security Layer implementation for the GNU system URL: https://www.gnutls.org/ Version: @VERSION@ Libs: -L${libdir} -lgnutls -Libs.private: @LIBINTL@ @LIBSOCKET@ @INET_PTON_LIB@ @LIBPTHREAD@ @LIB_SELECT@ @TSS_LIBS@ @GMP_LIBS@ @LIBUNISTRING@ @LIBATOMIC_LIBS@ @LIB_CRYPT32@ @LIBNCRYPT@ +Libs.private: @LIBINTL@ @LIBSOCKET@ @INET_PTON_LIB@ @LIBPTHREAD@ @LIB_SELECT@ @TSS_LIBS@ @GMP_LIBS@ @LIBUNISTRING@ @LIBATOMIC_LIBS@ @LIB_CRYPT32@ @LIBNCRYPT@ @LIBBCRYPT@ @GNUTLS_REQUIRES_PRIVATE@ Cflags: -I${includedir} diff --git a/lib/nettle/Makefile.am b/lib/nettle/Makefile.am index 936f20c6ad..aae87e0902 100644 --- a/lib/nettle/Makefile.am +++ b/lib/nettle/Makefile.am @@ -49,7 +49,11 @@ libcrypto_la_SOURCES = pk.c mpi.c mac.c cipher.c init.c \ int/block8.h backport/block-internal.h if WINDOWS +if HAVE_BCRYPT +libcrypto_la_SOURCES += sysrng-bcrypt.c +else libcrypto_la_SOURCES += sysrng-windows.c +endif else if HAVE_GETENTROPY libcrypto_la_SOURCES += sysrng-getentropy.c diff --git a/lib/nettle/sysrng-bcrypt.c b/lib/nettle/sysrng-bcrypt.c new file mode 100644 index 0000000000..10dc9ac83a --- /dev/null +++ b/lib/nettle/sysrng-bcrypt.c @@ -0,0 +1,88 @@ +/* + * Copyright (C) 2010-2016 Free Software Foundation, Inc. + * Copyright (C) 2015-2016 Red Hat, Inc. + * Copyright (C) 2000, 2001, 2008 Niels Möller + * + * Author: Nikos Mavrogiannopoulos + * + * This file is part of GNUTLS. + * + * The GNUTLS library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public License + * as published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public License + * along with this program. If not, see <https://www.gnu.org/licenses/> + * + */ + +/* Here are the common parts of the random generator layer. + * Some of this code was based on the LSH + * random generator (the trivia and device source functions for POSIX) + * and modified to fit gnutls' needs. Relicenced with permission. + * Original author Niels Möller. + */ + +#include "gnutls_int.h" +#include "errors.h" +#include <locks.h> +#include <num.h> +#include <nettle/yarrow.h> +#include <errno.h> +#include <rnd-common.h> +#include <hash-pjw-bare.h> + +#include <sys/types.h> +#include <sys/stat.h> +#include <unistd.h> + +/* The windows randomness gatherer. + */ + +#include <windows.h> +#include <bcrypt.h> + +get_entropy_func _rnd_get_system_entropy = NULL; + +static BCRYPT_ALG_HANDLE device_fd = 0; + +static +int _rnd_get_system_entropy_win32(void* rnd, size_t size) +{ + NTSTATUS err = BCryptGenRandom(device_fd, rnd, size, 0); + if (!BCRYPT_SUCCESS(err)) { + _gnutls_debug_log("Error in BCryptGenRandom: %ld\n", err); + return GNUTLS_E_RANDOM_DEVICE_ERROR; + } + + return 0; +} + +int _rnd_system_entropy_check(void) +{ + return 0; +} + +int _rnd_system_entropy_init(void) +{ + NTSTATUS err = BCryptOpenAlgorithmProvider + (&device_fd, BCRYPT_RNG_ALGORITHM, NULL, 0); + if (!BCRYPT_SUCCESS(err)) { + _gnutls_debug_log("error in BCryptOpenAlgorithmProvider!\n"); + return GNUTLS_E_RANDOM_DEVICE_ERROR; + } + + _rnd_get_system_entropy = _rnd_get_system_entropy_win32; + return 0; +} + +void _rnd_system_entropy_deinit(void) +{ + BCryptCloseAlgorithmProvider(device_fd, 0); +} |