Commit 6e45d186 authored by Olivier Crête's avatar Olivier Crête

stun: Switch from gcrypt to gnutls

GLib already uses it, instead of adding another dep.
Reviewed-by: 's avatarPhilip Withnall <philip.withnall@collabora.co.uk>
Differential Revision: https://phabricator.freedesktop.org/D1705
parent 4c79b865
......@@ -20,7 +20,7 @@ Requirements
pkg-config
gupnp-igd >= 0.1.2 (optional)
gstreamer-0.10 >= 0.10.0 (optional)
gcrypt >= 1.4.5
gnutls >= 2.12.0
Build instructions
------------------
......
......@@ -184,14 +184,20 @@ AC_CHECK_FUNCS([poll])
AC_SUBST(LIBRT)
# Dependencies
GNUTLS_PACKAGES_PRIVATE="gnutls >= 2.12.0"
PKG_CHECK_MODULES(GNUTLS, [$GNUTLS_PACKAGES_PRIVATE])
NICE_PACKAGES_PUBLIC="glib-2.0 >= $GLIB_REQ gio-2.0 >= $GLIB_REQ gobject-2.0 >= $GLIB_REQ"
NICE_PACKAGES_PRIVATE="gthread-2.0"
NICE_PACKAGES="$NICE_PACKAGES_PUBLIC $NICE_PACKAGES_PRIVATE"
PKG_CHECK_MODULES(GLIB, [$NICE_PACKAGES_PUBLIC $NICE_PACKAGES_PRIVATE])
NICE_PACKAGES_PRIVATE="$NICE_PACKAGES_PRIVATE $GNUTLS_PACKAGES_PRIVATE"
AC_SUBST([NICE_PACKAGES_PUBLIC])
AC_SUBST([NICE_PACKAGES_PRIVATE])
AC_SUBST([NICE_PACKAGES])
PKG_CHECK_MODULES(GLIB, [$NICE_PACKAGES])
AC_ARG_WITH(gstreamer,
AS_HELP_STRING([--with-gstreamer],[build GStreamer plugin]),
......@@ -301,22 +307,6 @@ AC_SUBST([GUPNP_PACKAGES])
AC_SUBST(HAVE_GUPNP)
AC_SUBST([UPNP_ENABLED])
dnl libgcrypt
GCRYPT_VERSION=1.6.0
GCRYPT_LIBVER=1
AM_PATH_LIBGCRYPT($GCRYPT_LIBVER:$GCRYPT_VERSION,,AC_MSG_ERROR([[
***
*** libgcrypt was not found. You may want to get it from
*** ftp://ftp.gnupg.org/gcrypt/libgcrypt/
***
]]))
libgcrypt=yes
AC_DEFINE_UNQUOTED(LIBGCRYPT_VERSION, "$GCRYPT_VERSION", [Version of GCRYPT we expect])
AC_SUBST([LIBGCRYPT_CFLAGS])
AC_SUBST([LIBGCRYPT_LIBS])
dnl Test coverage
AC_ARG_ENABLE([coverage],
[AS_HELP_STRING([--enable-coverage],
......
......@@ -10,5 +10,4 @@ Version: @VERSION@
Requires: @NICE_PACKAGES_PUBLIC@ @GUPNP_PACKAGES_PUBLIC@
Requires.private: @NICE_PACKAGES_PRIVATE@ @GUPNP_PACKAGES_PRIVATE@
Libs: -L${libdir} -lnice
Libs.private: @LIBGCRYPT_LIBS@
Cflags: -I${includedir}/nice -I${includedir}
......@@ -14,7 +14,7 @@ AM_CFLAGS = \
-std=gnu99 \
-DG_LOG_DOMAIN=\"libnice-stun\" \
$(LIBNICE_CFLAGS) \
$(LIBGCRYPT_CFLAGS) \
$(GNUTLS_CFLAGS) \
$(NULL)
AM_CPPFLAGS = -I$(top_srcdir)
......@@ -38,7 +38,7 @@ libstun_la_SOURCES = constants.h \
usages/turn.c usages/turn.h \
usages/timer.c usages/timer.h
libstun_la_LIBADD = $(LIBRT) $(LIBGCRYPT_LIBS)
libstun_la_LIBADD = $(LIBRT) $(GNUTLS_LIBS)
EXTRA_DIST = win32_common.h
......
......@@ -68,23 +68,13 @@ void nice_RAND_bytes (uint8_t *dst, int len)
}
#else
#include <gcrypt.h>
#include <sys/types.h>
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
void nice_RAND_bytes (uint8_t *dst, int len)
{
/* Initialise libgcrypt. The application might do this first, but we need to
* do it otherwise. Abort if this fails, as we can’t do random number
* generation. */
if (!gcry_check_version (GCRYPT_VERSION))
abort ();
if (!gcry_control (GCRYCTL_INITIALIZATION_FINISHED_P))
{
gcry_control (GCRYCTL_DISABLE_SECMEM, 0);
gcry_control (GCRYCTL_INITIALIZATION_FINISHED, 0);
}
gcry_randomize (dst, len, GCRY_STRONG_RANDOM);
gnutls_rnd (GNUTLS_RND_NONCE, dst, len);
}
#endif /* _WIN32 */
......@@ -47,40 +47,40 @@
#include <string.h>
#include <assert.h>
#include <gcrypt.h>
#include <gnutls/gnutls.h>
#include <gnutls/crypto.h>
void stun_sha1 (const uint8_t *msg, size_t len, size_t msg_len, uint8_t *sha,
const void *key, size_t keylen, int padding)
{
uint16_t fakelen = htons (msg_len);
uint8_t pad_char[64] = {0};
gcry_mac_hd_t hd;
size_t sha_len = 20;
#define TRY(s) \
if (!(s)) \
abort ();
gnutls_hmac_hd_t handle;
int ret;
assert (len >= 44u);
TRY (gcry_mac_open (&hd, GCRY_MAC_HMAC_SHA1, 0 /* flags */, NULL) == 0);
TRY (gcry_mac_setkey (hd, key, keylen) == 0);
assert (gnutls_hmac_get_len (GNUTLS_MAC_SHA1) == 20);
ret = gnutls_hmac_init (&handle, GNUTLS_MAC_SHA1, key, keylen);
assert (ret >= 0);
TRY (gcry_mac_write (hd, msg, 2) == 0);
TRY (gcry_mac_write (hd, &fakelen, 2) == 0);
TRY (gcry_mac_write (hd, msg + 4, len - 28) == 0);
ret = gnutls_hmac (handle, msg, 2);
assert (ret >= 0);
ret = gnutls_hmac (handle, &fakelen, 2);
assert (ret >= 0);
ret = gnutls_hmac (handle, msg + 4, len - 28);
assert (ret >= 0);
/* RFC 3489 specifies that the message's size should be 64 bytes,
and \x00 padding should be done */
if (padding && ((len - 24) % 64) > 0) {
uint16_t pad_size = 64 - ((len - 24) % 64);
TRY (gcry_mac_write (hd, pad_char, pad_size) == 0);
}
TRY (gcry_mac_read (hd, sha, &sha_len) == 0);
assert (sha_len == 20);
ret = gnutls_hmac (handle, pad_char, pad_size);
assert (ret >= 0);
}
gcry_mac_close (hd);
gnutls_hmac_deinit (handle, sha);
}
static const uint8_t *priv_trim_var (const uint8_t *var, size_t *var_len)
......@@ -109,19 +109,16 @@ void stun_hash_creds (const uint8_t *realm, size_t realm_len,
const uint8_t *password_trimmed = priv_trim_var (password, &password_len);
const uint8_t *realm_trimmed = priv_trim_var (realm, &realm_len);
const uint8_t *colon = (uint8_t *)":";
gnutls_hash_hd_t handle;
gnutls_hash_init (&handle, GNUTLS_DIG_MD5);
gnutls_hash (handle, username_trimmed, username_len);
gnutls_hash (handle, colon, 1);
gnutls_hash (handle, realm_trimmed, realm_len);
gnutls_hash (handle, colon, 1);
gnutls_hash (handle, password_trimmed, password_len);
/* https://gnupg.org/documentation/manuals/gcrypt/Buffer-description.html */
const gcry_buffer_t iov[] = {
/* size, off, len, data */
{ 0, 0, username_len, (void *) username_trimmed },
{ 0, 0, 1, (void *) colon },
{ 0, 0, realm_len, (void *) realm_trimmed },
{ 0, 0, 1, (void *) colon },
{ 0, 0, password_len, (void *) password_trimmed },
};
gcry_md_hash_buffers (GCRY_MD_MD5, 0 /* flags */, md5,
iov, sizeof (iov) / sizeof (*iov));
gnutls_hash_deinit (handle, md5);
}
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment