This allows resolved and importd to be built without libgcrypt.
Note that we now say either 'cryptographic library' or 'cryptolib'.
Co-authored-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
* socket units: allow creating a udev monitor socket with ListenDevices= or so,
with matches, then activate app through that passing socket over
-* unify on openssl (as soon as OpenSSL 3.0 is out, and the Debian license
- confusion is gone)
- - port resolved over from libgcrypt (DNSSEC code)
+* unify on openssl:
- port journald + fsprg over from libgcrypt
- when that's done: kill gnutls support in resolved
endif
conf.set10('HAVE_DBUS', have)
-default_dnssec = get_option('default-dnssec')
-if skip_deps
- default_dnssec = 'no'
-endif
-if default_dnssec != 'no' and conf.get('HAVE_GCRYPT') == 0
- message('default-dnssec cannot be set to yes or allow-downgrade when gcrypt is disabled. Setting default-dnssec to no.')
- default_dnssec = 'no'
-endif
-conf.set('DEFAULT_DNSSEC_MODE',
- 'DNSSEC_' + default_dnssec.underscorify().to_upper())
-conf.set_quoted('DEFAULT_DNSSEC_MODE_STR', default_dnssec)
-
dns_over_tls = get_option('dns-over-tls')
if dns_over_tls != 'false'
if dns_over_tls == 'openssl'
conf.get('HAVE_OPENSSL') == 1 or conf.get('HAVE_GCRYPT') == 1)
lib_openssl_or_gcrypt = conf.get('PREFER_OPENSSL') == 1 ? libopenssl : libgcrypt
+default_dnssec = get_option('default-dnssec')
+if skip_deps
+ default_dnssec = 'no'
+endif
+if default_dnssec != 'no' and conf.get('HAVE_OPENSSL_OR_GCRYPT') == 0
+ message('default-dnssec cannot be set to yes or allow-downgrade openssl and gcrypt are disabled. Setting default-dnssec to no.')
+ default_dnssec = 'no'
+endif
+conf.set('DEFAULT_DNSSEC_MODE',
+ 'DNSSEC_' + default_dnssec.underscorify().to_upper())
+conf.set_quoted('DEFAULT_DNSSEC_MODE_STR', default_dnssec)
+
want_importd = get_option('importd')
if want_importd != 'false'
have = (conf.get('HAVE_LIBCURL') == 1 and
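Review bot: The diagnostic introduced at L36 lost the word "when" that the removed L19 had, so it now reads "cannot be set to yes or allow-downgrade openssl and gcrypt are disabled"; it should be `message('default-dnssec cannot be set to yes or allow-downgrade when openssl and gcrypt are disabled. Setting default-dnssec to no.')`. The moved block now reads `HAVE_OPENSSL_OR_GCRYPT`, which is presumably set by the lines just above L29 that are outside this hunk; if that is the case the ordering is correct, but a one-line comment such as `# must come after HAVE_OPENSSL_OR_GCRYPT is decided` above L31 would keep a future reorder from silently breaking the check.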
" -SECCOMP"
#endif
- /* crypto libraries */
+ /* cryptographic libraries */
#if HAVE_GCRYPT
" +GCRYPT"
gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
}
+# if !PREFER_OPENSSL
int string_hashsum(const char *s, size_t len, int md_algorithm, char **out) {
_cleanup_(gcry_md_closep) gcry_md_hd_t md = NULL;
gcry_error_t err;
*out = enc;
return 0;
}
+# endif
#endif
#include "macro.h"
void initialize_libgcrypt(bool secmem);
-int string_hashsum(const char *s, size_t len, int md_algorithm, char **out);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(gcry_md_hd_t, gcry_md_close, NULL);
#endif
+#if !PREFER_OPENSSL
+# if HAVE_GCRYPT
+int string_hashsum(const char *s, size_t len, int md_algorithm, char **out);
+# endif
+
static inline int string_hashsum_sha224(const char *s, size_t len, char **out) {
-#if HAVE_GCRYPT
+# if HAVE_GCRYPT
return string_hashsum(s, len, GCRY_MD_SHA224, out);
-#else
+# else
return -EOPNOTSUPP;
-#endif
+# endif
}
static inline int string_hashsum_sha256(const char *s, size_t len, char **out) {
-#if HAVE_GCRYPT
+# if HAVE_GCRYPT
return string_hashsum(s, len, GCRY_MD_SHA256, out);
-#else
+# else
return -EOPNOTSUPP;
-#endif
+# endif
}
+#endif
#include "main-func.h"
#include "missing_network.h"
#include "netlink-util.h"
+#include "openssl-util.h"
#include "pager.h"
#include "parse-argument.h"
#include "parse-util.h"
return r;
}
-#if ! HAVE_GCRYPT
+#if !HAVE_OPENSSL_OR_GCRYPT
if (m->dnssec_mode != DNSSEC_NO) {
- log_warning("DNSSEC option cannot be enabled or set to allow-downgrade when systemd-resolved is built without gcrypt support. Turning off DNSSEC support.");
+ log_warning("DNSSEC option cannot be enabled or set to allow-downgrade when systemd-resolved is built without a cryptographic library. Turning off DNSSEC support.");
m->dnssec_mode = DNSSEC_NO;
}
#endif
-#if ! ENABLE_DNS_OVER_TLS
+#if !ENABLE_DNS_OVER_TLS
if (m->dns_over_tls_mode != DNS_OVER_TLS_NO) {
log_warning("DNS-over-TLS option cannot be enabled or set to opportunistic when systemd-resolved is built without DNS-over-TLS support. Turning off DNS-over-TLS support.");
m->dns_over_tls_mode = DNS_OVER_TLS_NO;
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#if HAVE_GCRYPT
-#include <gcrypt.h>
+# include <gcrypt.h>
#endif
#include "alloc-util.h"
static const uint8_t rfc6975[] = {
0, 5, /* OPTION_CODE: DAU */
-#if HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600
+#if PREFER_OPENSSL || (HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600)
0, 7, /* LIST_LENGTH */
#else
0, 6, /* LIST_LENGTH */
DNSSEC_ALGORITHM_RSASHA512,
DNSSEC_ALGORITHM_ECDSAP256SHA256,
DNSSEC_ALGORITHM_ECDSAP384SHA384,
-#if HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600
+#if PREFER_OPENSSL || (HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600)
DNSSEC_ALGORITHM_ED25519,
#endif
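Review bot: With the new condition at L125 and L133 the DAU option advertises ED25519 whenever PREFER_OPENSSL is set, with no version gate comparable to the `GCRYPT_VERSION_NUMBER >= 0x010600` one kept for gcrypt. If the project's minimum supported OpenSSL already provides Ed25519 this is fine, but then that assumption deserves a comment next to the macro, e.g. `/* OpenSSL builds always support Ed25519 (requires >= 1.1.1) */`; otherwise the resolver would advertise an algorithm its validator cannot use, and the condition should include an `OPENSSL_VERSION_NUMBER` check. Both hunks of this file carry the same condition, so whatever is decided applies to L125 and L133 alike. The enclosing `rfc6975[]` initializer continues outside both hunks.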
assert(l);
-#if ! HAVE_GCRYPT
+#if !HAVE_OPENSSL_OR_GCRYPT
if (IN_SET(mode, DNSSEC_YES, DNSSEC_ALLOW_DOWNGRADE))
- log_warning("DNSSEC option for the link cannot be enabled or set to allow-downgrade when systemd-resolved is built without gcrypt support. Turning off DNSSEC support.");
+ log_warning("DNSSEC option for the link cannot be enabled or set to allow-downgrade when systemd-resolved is built without a cryptographic library. Turning off DNSSEC support.");
return;
#endif
#include "openssl-util.h"
#include "alloc-util.h"
+#include "hexdecoct.h"
#if HAVE_OPENSSL
int openssl_hash(const EVP_MD *alg,
*ret_suitable_key_size = suitable_key_size;
return 0;
}
+
+# if PREFER_OPENSSL
+int string_hashsum(
+ const char *s,
+ size_t len,
+ const EVP_MD *md_algorithm,
+ char **ret) {
+
+ uint8_t hash[EVP_MAX_MD_SIZE];
+ size_t hash_size;
+ char *enc;
+ int r;
+
+ hash_size = EVP_MD_size(md_algorithm);
+ assert(hash_size > 0);
+
+ r = openssl_hash(md_algorithm, s, len, hash, NULL);
+ if (r < 0)
+ return r;
+
+ enc = hexmem(hash, hash_size);
+ if (!enc)
+ return -ENOMEM;
+
+ *ret = enc;
+ return 0;
+
+}
+# endif
#endif
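Review bot: `assert(hash_size > 0)` at L166 cannot catch a failing `EVP_MD_size()`: that function returns `int`, and a negative result is converted to a huge `size_t` before the assertion is evaluated, after which `hexmem(hash, hash_size)` at L172 would read far past the `EVP_MAX_MD_SIZE` buffer. Take the result into an `int` first: `int md_size = EVP_MD_size(md_algorithm);` / `assert(md_size > 0);` / `hash_size = (size_t) md_size;`. The call at L168 passes `NULL` as the last argument to `openssl_hash()`; if that is its digest-size output, using it instead of a separate `EVP_MD_size()` call would derive the length from the same place that filled the buffer. The stray blank line before the closing brace at L178 should also go.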
typedef gcry_md_hd_t hash_context_t;
# define OPENSSL_OR_GCRYPT(a, b) (b)
#endif
+
+#if PREFER_OPENSSL
+int string_hashsum(const char *s, size_t len, hash_algorithm_t md_algorithm, char **ret);
+
+static inline int string_hashsum_sha224(const char *s, size_t len, char **ret) {
+ return string_hashsum(s, len, EVP_sha224(), ret);
+}
+
+static inline int string_hashsum_sha256(const char *s, size_t len, char **ret) {
+ return string_hashsum(s, len, EVP_sha256(), ret);
+}
+#endif
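Review bot: The prototype at L187 spells the algorithm parameter as `hash_algorithm_t` while the definition in openssl-util.c uses `const EVP_MD *`; if `hash_algorithm_t` is a typedef for exactly that (the typedef is outside this hunk) the two agree, but using one spelling in both places makes the declaration self-evidently match the definition. The declaration also says nothing about the output: a comment such as `/* Hex-encodes the digest of s[0..len) computed with md_algorithm into *ret; the caller frees the string. */` above L187 would document the contract the test relies on with `_cleanup_free_`.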
[['src/test/test-id128.c']],
- [['src/test/test-gcrypt-util.c'],
- [], [], [], 'HAVE_GCRYPT'],
+ [['src/test/test-cryptolib.c'],
+ [libshared],
+ [lib_openssl_or_gcrypt],
+ [], 'HAVE_OPENSSL_OR_GCRYPT'],
[['src/test/test-nss-hosts.c',
'src/test/nss-test-util.c',
#include "alloc-util.h"
#include "gcrypt-util.h"
#include "macro.h"
+#include "openssl-util.h"
#include "string-util.h"
#include "tests.h"
TEST(string_hashsum) {
_cleanup_free_ char *out1 = NULL, *out2 = NULL, *out3 = NULL, *out4 = NULL;
- assert_se(string_hashsum("asdf", 4, GCRY_MD_SHA224, &out1) == 0);
+ assert_se(string_hashsum("asdf", 4,
+ OPENSSL_OR_GCRYPT(EVP_sha224(), GCRY_MD_SHA224),
+ &out1) == 0);
/* echo -n 'asdf' | sha224sum - */
assert_se(streq(out1, "7872a74bcbf298a1e77d507cd95d4f8d96131cbbd4cdfc571e776c8a"));
- assert_se(string_hashsum("asdf", 4, GCRY_MD_SHA256, &out2) == 0);
+ assert_se(string_hashsum("asdf", 4,
+ OPENSSL_OR_GCRYPT(EVP_sha256(), GCRY_MD_SHA256),
+ &out2) == 0);
/* echo -n 'asdf' | sha256sum - */
assert_se(streq(out2, "f0e4c2f76c58916ec258f246851bea091d14d4247a2fc3e18694461b1816e13b"));
- assert_se(string_hashsum("", 0, GCRY_MD_SHA224, &out3) == 0);
+ assert_se(string_hashsum("", 0,
+ OPENSSL_OR_GCRYPT(EVP_sha224(), GCRY_MD_SHA224),
+ &out3) == 0);
/* echo -n '' | sha224sum - */
assert_se(streq(out3, "d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f"));
- assert_se(string_hashsum("", 0, GCRY_MD_SHA256, &out4) == 0);
+ assert_se(string_hashsum("", 0,
+ OPENSSL_OR_GCRYPT(EVP_sha256(), GCRY_MD_SHA256),
+ &out4) == 0);
/* echo -n '' | sha256sum - */
assert_se(streq(out4, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"));
}