resolve,import: always use openssl
authorYu Watanabe <watanabe.yu+github@gmail.com>
Tue, 1 Apr 2025 17:46:06 +0000 (02:46 +0900)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Tue, 1 Apr 2025 20:47:47 +0000 (05:47 +0900)
This deprecates the cryptolib meson option.

22 files changed:
.github/workflows/build_test.sh
.github/workflows/build_test.yml
.github/workflows/unit_tests.sh
.github/workflows/unit_tests.yml
meson.build
meson_options.txt
src/basic/gcrypt-util.c
src/basic/gcrypt-util.h
src/import/meson.build
src/import/pull-job.c
src/import/pull-job.h
src/resolve/meson.build
src/resolve/resolvectl.c
src/resolve/resolved-conf.c
src/resolve/resolved-dns-dnssec.c
src/resolve/resolved-dns-packet.c
src/resolve/resolved-link.c
src/resolve/test-dnssec.c
src/shared/openssl-util.c
src/shared/openssl-util.h
src/test/meson.build
src/test/test-cryptolib.c

index 25ffe415faeb8cacc0be5d369961acf1e3b8a1d6..0f5d7a26357dbec8f6d4252ea106f7867a71e3d4 100755 (executable)
@@ -10,7 +10,7 @@ fatal() { echo >&2 -e "\033[31;1m$1\033[0m"; exit 1; }
 success() { echo >&2 -e "\033[32;1m$1\033[0m"; }
 
 ARGS=(
-    "--optimization=0 -Dopenssl=disabled -Dcryptolib=gcrypt -Dtpm=true -Dtpm2=enabled"
+    "--optimization=0 -Dopenssl=disabled -Dtpm=true -Dtpm2=enabled"
     "--optimization=s -Dutmp=false"
     "--optimization=2 -Dc_args=-Wmaybe-uninitialized -Ddns-over-tls=openssl"
     "--optimization=3 -Db_lto=true -Ddns-over-tls=false"
@@ -67,7 +67,6 @@ PACKAGES=(
 COMPILER="${COMPILER:?}"
 COMPILER_VERSION="${COMPILER_VERSION:?}"
 LINKER="${LINKER:?}"
-CRYPTOLIB="${CRYPTOLIB:?}"
 RELEASE="$(lsb_release -cs)"
 
 # Note: As we use postfixed clang/gcc binaries, we need to override $AR
@@ -150,7 +149,7 @@ for args in "${ARGS[@]}"; do
          CXX="$CXX" CXX_LD="$LINKER" CXXFLAGS="$CXXFLAGS" \
          meson setup \
                -Dtests=unsafe -Dslow-tests=true -Dfuzz-tests=true --werror \
-               -Dnobody-group=nogroup -Dcryptolib="${CRYPTOLIB:?}" -Ddebug=false \
+               -Dnobody-group=nogroup -Ddebug=false \
                $args build; then
 
         cat build/meson-logs/meson-log.txt
index f5d54e884711e28e67c05369d63449edef5a845d..86e99b0eb9c2b278987fe7c36b20fc830235e050 100644 (file)
@@ -25,11 +25,11 @@ jobs:
       fail-fast: false
       matrix:
         env:
-          - { COMPILER: "gcc",   COMPILER_VERSION: "11", LINKER: "bfd",  CRYPTOLIB: "gcrypt"  }
-          - { COMPILER: "gcc",   COMPILER_VERSION: "13", LINKER: "mold", CRYPTOLIB: "openssl" }
-          - { COMPILER: "clang", COMPILER_VERSION: "14", LINKER: "mold", CRYPTOLIB: "gcrypt"  }
-          - { COMPILER: "clang", COMPILER_VERSION: "16", LINKER: "bfd",  CRYPTOLIB: "openssl" }
-          - { COMPILER: "clang", COMPILER_VERSION: "18", LINKER: "lld",  CRYPTOLIB: "auto"    }
+          - { COMPILER: "gcc",   COMPILER_VERSION: "11", LINKER: "bfd"  }
+          - { COMPILER: "gcc",   COMPILER_VERSION: "13", LINKER: "mold" }
+          - { COMPILER: "clang", COMPILER_VERSION: "14", LINKER: "mold" }
+          - { COMPILER: "clang", COMPILER_VERSION: "16", LINKER: "bfd"  }
+          - { COMPILER: "clang", COMPILER_VERSION: "18", LINKER: "lld"  }
     env: ${{ matrix.env }}
     steps:
       - name: Repository checkout
index 883f6489a1d13251bc24344dd1d0220bbfe79468..477995eafa4282479c7e087dfdbeef72e65d0fee 100755 (executable)
@@ -41,7 +41,7 @@ function run_meson() {
 
 set -ex
 
-MESON_ARGS=(-Dcryptolib=${CRYPTOLIB:-auto})
+MESON_ARGS=()
 
 # (Re)set the current oom-{score-}adj. For some reason root on GH actions is able to _decrease_
 # its oom-score even after dropping all capabilities (including CAP_SYS_RESOURCE), until the
index 12c3a685c7de093df74c1c0bdb0dfd692a3aa169..61cfabda56c822e58d3eb1ec3c7b8dda2166db9c 100644 (file)
@@ -16,18 +16,15 @@ jobs:
   build:
     runs-on: ubuntu-24.04
     concurrency:
-      group: ${{ github.workflow }}-${{ matrix.run_phase }}-${{ matrix.cryptolib }}-${{ github.ref }}
+      group: ${{ github.workflow }}-${{ matrix.run_phase }}-${{ github.ref }}
       cancel-in-progress: true
     strategy:
       fail-fast: false
       matrix:
         run_phase: [GCC, GCC_ASAN_UBSAN, CLANG, CLANG_RELEASE, CLANG_ASAN_UBSAN, CLANG_ASAN_UBSAN_NO_DEPS]
-        cryptolib: [auto]
         include:
           - run_phase: GCC
-            cryptolib: openssl
           - run_phase: CLANG
-            cryptolib: gcrypt
     steps:
       - name: Repository checkout
         uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
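Review bot: The `include:` list under `strategy.matrix` has no remaining effect: its two entries, `- run_phase: GCC` and `- run_phase: CLANG`, carry no key beyond the one the `run_phase` axis already produces, so they neither extend nor override any matrix leg. Drop the `include:` key together with both entries; leaving them in suggests to the next reader that a per-phase setting is still attached. Nothing else in this hunk refers to the removed axis, as the `concurrency.group` line above already stopped keying on it.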
@@ -38,8 +35,6 @@ jobs:
           sudo sed -i '/^XDG_/d' /etc/environment
           # Pass only specific env variables through sudo, to avoid having
           # the already existing XDG_* stuff on the "other side"
-          sudo --preserve-env=CRYPTOLIB,GITHUB_ACTIONS,CI .github/workflows/unit_tests.sh SETUP
+          sudo --preserve-env=GITHUB_ACTIONS,CI .github/workflows/unit_tests.sh SETUP
       - name: Build & test
-        run: sudo --preserve-env=CRYPTOLIB,GITHUB_ACTIONS,CI .github/workflows/unit_tests.sh RUN_${{ matrix.run_phase }}
-        env:
-          CRYPTOLIB: ${{ matrix.cryptolib }}
+        run: sudo --preserve-env=GITHUB_ACTIONS,CI .github/workflows/unit_tests.sh RUN_${{ matrix.run_phase }}
index dfa40938891d94b38b82ae69b2a989ec1e9bf2ca..0c1e3be221b887ed88c032938db366707daeb5b7 100644 (file)
@@ -1475,18 +1475,6 @@ endif
 dmi_arches = ['x86', 'x86_64', 'aarch64', 'arm', 'ia64', 'loongarch64', 'mips', 'riscv64']
 conf.set10('HAVE_DMI', host_machine.cpu_family() in dmi_arches)
 
-# We support one or the other. If gcrypt is available, we assume it's there to
-# be used, and use it in preference.
-opt = get_option('cryptolib')
-if opt == 'openssl' and conf.get('HAVE_OPENSSL') == 0
-        error('openssl requested as the default cryptolib, but not available')
-endif
-conf.set10('PREFER_OPENSSL',
-           opt == 'openssl' or (opt == 'auto' and conf.get('HAVE_OPENSSL') == 1 and conf.get('HAVE_GCRYPT') == 0))
-conf.set10('HAVE_OPENSSL_OR_GCRYPT',
-           conf.get('HAVE_OPENSSL') == 1 or conf.get('HAVE_GCRYPT') == 1)
-lib_openssl_or_gcrypt = conf.get('PREFER_OPENSSL') == 1 ? [libopenssl] : [libgcrypt, libgpg_error]
-
 dns_over_tls = get_option('dns-over-tls')
 have_openssl = conf.get('HAVE_OPENSSL') == 1
 if dns_over_tls == 'false'
@@ -1525,8 +1513,8 @@ have = get_option('repart').require(
 conf.set10('ENABLE_REPART', have)
 
 default_dnssec = get_option('default-dnssec')
-if default_dnssec != 'no' and conf.get('HAVE_OPENSSL_OR_GCRYPT') == 0
-        message('default-dnssec cannot be set to yes or allow-downgrade openssl and gcrypt are disabled. Setting default-dnssec to no.')
+if default_dnssec != 'no' and conf.get('HAVE_OPENSSL') == 0
+        message('default-dnssec cannot be set to yes or allow-downgrade when openssl is disabled. Setting default-dnssec to no.')
         default_dnssec = 'no'
 endif
 conf.set('DEFAULT_DNSSEC_MODE',
@@ -1557,7 +1545,7 @@ conf.set10('ENABLE_STORAGETM', get_option('storagetm'))
 
 have = get_option('importd').require(
         conf.get('HAVE_LIBCURL') == 1 and
-        conf.get('HAVE_OPENSSL_OR_GCRYPT') == 1 and
+        conf.get('HAVE_OPENSSL') == 1 and
         conf.get('HAVE_ZLIB') == 1 and
         conf.get('HAVE_XZ') == 1,
         error_message : 'curl, openssl/grypt, zlib and xz required').allowed()
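Review bot: The `error_message` on the `importd` requirement still says `openssl/grypt` (also a misspelling of gcrypt) even though the condition two lines above now tests only `HAVE_OPENSSL`, so a user configuring with `-Dimportd=true` and without openssl is told gcrypt is an alternative when it no longer is. Change it to `error_message : 'curl, openssl, zlib and xz required'`.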
@@ -3125,14 +3113,6 @@ else
         found += 'static-libudev(@0@)'.format(static_libudev)
 endif
 
-if conf.get('HAVE_OPENSSL_OR_GCRYPT') == 1 and conf.get('PREFER_OPENSSL') == 1
-        found += 'cryptolib(openssl)'
-elif conf.get('HAVE_OPENSSL_OR_GCRYPT') == 1
-        found += 'cryptolib(gcrypt)'
-else
-        missing += 'cryptolib'
-endif
-
 summary({
         'enabled' :  ', '.join(found),
         'disabled' : ', '.join(missing)},
index 9b1685536bcaa311860ef0efad023e867aa46f07..dd174e1c0bcf49fcba0d3baf5f0678b818df1ce3 100644 (file)
@@ -439,8 +439,8 @@ option('gnutls', type : 'feature', deprecated : { 'true' : 'enabled', 'false' :
        description : 'gnutls support')
 option('openssl', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
        description : 'openssl support')
-option('cryptolib', type : 'combo', choices : ['auto', 'openssl', 'gcrypt'],
-       description : 'whether to use openssl or gcrypt where both are supported')
+option('cryptolib', type : 'combo', choices : ['auto', 'openssl'],
+       description : 'This option is deprecated and will be removed in a future release')
 option('p11kit', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
        description : 'p11kit support')
 option('libfido2', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
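Review bot: A `deprecated : true` on the `cryptolib` option would make meson warn whenever someone still passes `-Dcryptolib=...`, which the description text alone does not; it is the same mechanism the `gnutls` and `openssl` feature options in this hunk already use, e.g. `option('cryptolib', type : 'combo', choices : ['auto', 'openssl'], deprecated : true, description : 'This option is deprecated and will be removed in a future release')`. Note also that removing `gcrypt` from `choices` turns an existing `-Dcryptolib=gcrypt` in a downstream build script into a hard configure error rather than a deprecation. Since meson.build no longer calls `get_option('cryptolib')`, nothing else reports the option as ignored; if the hard failure for gcrypt is intended, saying so in the description would pre-empt a bug report.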
index 72b3bdd6ef12d353605c1dabffdcc8bef99b2f9e..28817b7da4fac3b9ae257d398d33497cae7f48c0 100644 (file)
@@ -105,39 +105,4 @@ int initialize_libgcrypt(bool secmem) {
 
         return 0;
 }
-
-#  if !PREFER_OPENSSL
-int string_hashsum(const char *s, size_t len, int md_algorithm, char **out) {
-        _cleanup_(sym_gcry_md_closep) gcry_md_hd_t md = NULL;
-        gcry_error_t err;
-        size_t hash_size;
-        void *hash;
-        char *enc;
-        int r;
-
-        r = initialize_libgcrypt(false);
-        if (r < 0)
-                return r;
-
-        hash_size = sym_gcry_md_get_algo_dlen(md_algorithm);
-        assert(hash_size > 0);
-
-        err = sym_gcry_md_open(&md, md_algorithm, 0);
-        if (gcry_err_code(err) != GPG_ERR_NO_ERROR || !md)
-                return -EIO;
-
-        sym_gcry_md_write(md, s, len);
-
-        hash = sym_gcry_md_read(md, 0);
-        if (!hash)
-                return -EIO;
-
-        enc = hexmem(hash, hash_size);
-        if (!enc)
-                return -ENOMEM;
-
-        *out = enc;
-        return 0;
-}
-#  endif
 #endif
index b8b9b0b1cb89473440cdd5a27fa25b917c7a238d..8b3472855134017d92f181fb2e871e757f8c49da 100644 (file)
@@ -63,25 +63,3 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(gcry_md_hd_t, gcry_md_close, NULL);
                 (h__)->buf[(h__)->bufpos++] = (c) & 0xff;  \
         } while(false)
 #endif
-
-#if !PREFER_OPENSSL
-#  if HAVE_GCRYPT
-int string_hashsum(const char *s, size_t len, int md_algorithm, char **out);
-#  endif
-
-static inline int string_hashsum_sha224(const char *s, size_t len, char **out) {
-#  if HAVE_GCRYPT
-        return string_hashsum(s, len, GCRY_MD_SHA224, out);
-#  else
-        return -EOPNOTSUPP;
-#  endif
-}
-
-static inline int string_hashsum_sha256(const char *s, size_t len, char **out) {
-#  if HAVE_GCRYPT
-        return string_hashsum(s, len, GCRY_MD_SHA256, out);
-#  else
-        return -EOPNOTSUPP;
-#  endif
-}
-#endif
index 45500edb433b9dcc58bf973b48a63c0d58778159..ce3944f08133c218f6eeaa02f6ad328aab973443 100644 (file)
@@ -78,7 +78,7 @@ executables += [
                 'sources' : systemd_pull_sources,
                 'link_with' : common_libs,
                 'dependencies' : common_deps + [
-                        lib_openssl_or_gcrypt,
+                        libopenssl,
                 ],
         },
         libexec_template + {
index 848255179b80a87b7e5ff03d0aaaa994c68114eb..b093766d1a525273ffb049636d659c69dbd731e0 100644 (file)
@@ -7,7 +7,6 @@
 #include "alloc-util.h"
 #include "fd-util.h"
 #include "format-util.h"
-#include "gcrypt-util.h"
 #include "hexdecoct.h"
 #include "import-util.h"
 #include "io-util.h"
@@ -42,11 +41,7 @@ PullJob* pull_job_unref(PullJob *j) {
         import_compress_free(&j->compress);
 
         if (j->checksum_ctx)
-#if PREFER_OPENSSL
                 EVP_MD_CTX_free(j->checksum_ctx);
-#else
-                gcry_md_close(j->checksum_ctx);
-#endif
 
         free(j->url);
         free(j->etag);
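Review bot: The `if (j->checksum_ctx)` guard in front of `EVP_MD_CTX_free(j->checksum_ctx)` is now redundant, since `EVP_MD_CTX_free()` accepts NULL and does nothing; with the gcrypt branch gone the call can stand alone as `EVP_MD_CTX_free(j->checksum_ctx);`. The same guarded block appears in `pull_job_restart()` in the next hunk, where it could likewise become an unconditional free followed by the `j->checksum_ctx = NULL` reset. `pull_job_unref()` begins before this hunk.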
@@ -107,11 +102,7 @@ static int pull_job_restart(PullJob *j, const char *new_url) {
         import_compress_free(&j->compress);
 
         if (j->checksum_ctx) {
-#if PREFER_OPENSSL
                 EVP_MD_CTX_free(j->checksum_ctx);
-#else
-                gcry_md_close(j->checksum_ctx);
-#endif
                 j->checksum_ctx = NULL;
         }
 
@@ -210,7 +201,6 @@ void pull_job_curl_on_finished(CurlGlue *g, CURL *curl, CURLcode result) {
 
         if (j->checksum_ctx) {
                 unsigned checksum_len;
-#if PREFER_OPENSSL
                 uint8_t k[EVP_MAX_MD_SIZE];
 
                 r = EVP_DigestFinal_ex(j->checksum_ctx, k, &checksum_len);
@@ -219,17 +209,6 @@ void pull_job_curl_on_finished(CurlGlue *g, CURL *curl, CURLcode result) {
                         goto finish;
                 }
                 assert(checksum_len <= sizeof k);
-#else
-                const uint8_t *k;
-
-                k = gcry_md_read(j->checksum_ctx, GCRY_MD_SHA256);
-                if (!k) {
-                        r = log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to get checksum.");
-                        goto finish;
-                }
-
-                checksum_len = gcry_md_get_algo_dlen(GCRY_MD_SHA256);
-#endif
 
                 j->checksum = hexmem(k, checksum_len);
                 if (!j->checksum) {
@@ -380,14 +359,10 @@ static int pull_job_write_compressed(PullJob *j, void *p, size_t sz) {
                                        "Content length incorrect.");
 
         if (j->checksum_ctx) {
-#if PREFER_OPENSSL
                 r = EVP_DigestUpdate(j->checksum_ctx, p, sz);
                 if (r == 0)
                         return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                                "Could not hash chunk.");
-#else
-                gcry_md_write(j->checksum_ctx, p, sz);
-#endif
         }
 
         r = import_uncompress(&j->compress, p, sz, pull_job_write_uncompressed, j);
@@ -421,7 +396,6 @@ static int pull_job_open_disk(PullJob *j) {
         }
 
         if (j->calc_checksum) {
-#if PREFER_OPENSSL
                 j->checksum_ctx = EVP_MD_CTX_new();
                 if (!j->checksum_ctx)
                         return log_oom();
@@ -430,15 +404,6 @@ static int pull_job_open_disk(PullJob *j) {
                 if (r == 0)
                         return log_error_errno(SYNTHETIC_ERRNO(EIO),
                                                "Failed to initialize hash context.");
-#else
-                r = initialize_libgcrypt(false);
-                if (r < 0)
-                        return log_error_errno(r, "Failed to load libgcrypt: %m");
-
-                if (gcry_md_open(&j->checksum_ctx, GCRY_MD_SHA256, 0) != 0)
-                        return log_error_errno(SYNTHETIC_ERRNO(EIO),
-                                               "Failed to initialize hash context.");
-#endif
         }
 
         return 0;
index 7a98b0f2f652e8ab97c01acccb28e3de74b9cb37..0bbac0ca8a845b4717f3c9417871b79f73f1e6dc 100644 (file)
@@ -74,7 +74,7 @@ struct PullJob {
         usec_t last_status_usec;
 
         bool calc_checksum;
-        hash_context_t checksum_ctx;
+        EVP_MD_CTX *checksum_ctx;
 
         char *checksum;
         bool sync;
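Review bot: `EVP_MD_CTX *checksum_ctx` names an OpenSSL type directly in `struct PullJob`, whereas the previous `hash_context_t` was a typedef supplied by a shared header; the hunk does not show this header's include list, so confirm that pull-job.h itself includes `<openssl/evp.h>` (or the project's openssl header) rather than relying on pull-job.c having included one first. Otherwise any translation unit that includes pull-job.h before an OpenSSL header stops compiling, and pull-job.c itself just dropped its `gcrypt-util.h` include, which may have been what pulled the type in. The `struct PullJob` definition starts and ends outside the hunk.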
index 305c41af834fa1be57e7ba28c593617d4dcdda8c..076ac680e3e5909386a219d22b310a436ae4cf30 100644 (file)
@@ -100,12 +100,11 @@ systemd_resolved_sources += custom_target(
         output : 'resolved-dnssd-gperf.c',
         command : [gperf, '@INPUT@', '--output-file', '@OUTPUT@'])
 
-systemd_resolved_dependencies = [threads, libm] + [lib_openssl_or_gcrypt]
+systemd_resolved_dependencies = [threads, libm, libopenssl]
 if conf.get('ENABLE_DNS_OVER_TLS') == 1
         systemd_resolved_sources += files(
                 'resolved-dnstls.c',
         )
-        systemd_resolved_dependencies += libopenssl
 endif
 
 link_with = [
@@ -119,7 +118,7 @@ resolve_common_template = {
                 libsystemd_resolve_core,
         ],
         'dependencies' : [
-                lib_openssl_or_gcrypt,
+                libopenssl,
                 libm,
         ],
 }
@@ -144,7 +143,7 @@ executables += [
                 'sources' : resolvectl_sources,
                 'link_with' : link_with,
                 'dependencies' : [
-                        lib_openssl_or_gcrypt,
+                        libopenssl,
                         libidn,
                         libm,
                         threads,
@@ -188,7 +187,7 @@ executables += [
         },
         resolve_test_template + {
                 'sources' : files('test-dnssec.c'),
-                'conditions' : ['HAVE_OPENSSL_OR_GCRYPT'],
+                'conditions' : ['HAVE_OPENSSL'],
         },
         resolve_test_template + {
                 'sources' : files('test-dnssec-complex.c'),
@@ -200,11 +199,7 @@ executables += [
                         basic_dns_sources,
                         systemd_resolved_sources,
                 ],
-                'dependencies' : [
-                        lib_openssl_or_gcrypt,
-                        libm,
-                        systemd_resolved_dependencies,
-                ],
+                'dependencies' : systemd_resolved_dependencies,
                 'include_directories' : resolve_includes,
         },
         test_template + {
@@ -257,11 +252,7 @@ executables += [
                         basic_dns_sources,
                         systemd_resolved_sources,
                 ],
-                'dependencies' : [
-                        lib_openssl_or_gcrypt,
-                        libm,
-                        systemd_resolved_dependencies,
-                ],
+                'dependencies' : systemd_resolved_dependencies,
                 'include_directories' : resolve_includes,
         },
         test_template + {
@@ -270,11 +261,7 @@ executables += [
                         basic_dns_sources,
                         systemd_resolved_sources,
                 ],
-                'dependencies' : [
-                        lib_openssl_or_gcrypt,
-                        libm,
-                        systemd_resolved_dependencies,
-                ],
+                'dependencies' : systemd_resolved_dependencies,
                 'include_directories' : resolve_includes,
                 'type' : 'manual',
         },
index f02fd137776847bebe0d67fcdc897dcec73e389c..b6278f111b1e2f0efec43e2a5c41f5389206470a 100644 (file)
@@ -22,7 +22,6 @@
 #include "escape.h"
 #include "format-ifname.h"
 #include "format-table.h"
-#include "gcrypt-util.h"
 #include "hostname-util.h"
 #include "json-util.h"
 #include "main-func.h"
index 393e8a898ff3c1bd37e878ff8be6c517e1263b94..a09e222dabb2cd06167601ae5a25b7aaf5e6b05e 100644 (file)
@@ -398,9 +398,9 @@ int manager_parse_config_file(Manager *m) {
                         return r;
         }
 
-#if !HAVE_OPENSSL_OR_GCRYPT
+#if !HAVE_OPENSSL
         if (m->dnssec_mode != DNSSEC_NO) {
-                log_warning("DNSSEC option cannot be enabled or set to allow-downgrade when systemd-resolved is built without a cryptographic library. Turning off DNSSEC support.");
+                log_warning("DNSSEC option cannot be enabled or set to allow-downgrade when systemd-resolved is built without openssl. Turning off DNSSEC support.");
                 m->dnssec_mode = DNSSEC_NO;
         }
 #endif
index 5f0152c278cc2b40b0d92b6bd76781466c5502e3..09bfa8a59a6c031bbccf7d81611f83873ade1c94 100644 (file)
@@ -4,7 +4,6 @@
 #include "dns-domain.h"
 #include "fd-util.h"
 #include "fileio.h"
-#include "gcrypt-util.h"
 #include "hexdecoct.h"
 #include "memory-util.h"
 #include "memstream-util.h"
@@ -14,7 +13,7 @@
 #include "sort-util.h"
 #include "string-table.h"
 
-#if PREFER_OPENSSL && OPENSSL_VERSION_MAJOR >= 3
+#if HAVE_OPENSSL && OPENSSL_VERSION_MAJOR >= 3
 DISABLE_WARNING_DEPRECATED_DECLARATIONS;
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(RSA*, RSA_free, NULL);
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_KEY*, EC_KEY_free, NULL);
@@ -68,7 +67,7 @@ uint16_t dnssec_keytag(DnsResourceRecord *dnskey, bool mask_revoke) {
         return sum & UINT32_C(0xFFFF);
 }
 
-#if HAVE_OPENSSL_OR_GCRYPT
+#if HAVE_OPENSSL
 
 static int rr_compare(DnsResourceRecord * const *a, DnsResourceRecord * const *b) {
         const DnsResourceRecord *x = *a, *y = *b;
@@ -92,14 +91,13 @@ static int rr_compare(DnsResourceRecord * const *a, DnsResourceRecord * const *b
 }
 
 static int dnssec_rsa_verify_raw(
-                hash_algorithm_t hash_algorithm,
+                const EVP_MD *hash_algorithm,
                 const void *signature, size_t signature_size,
                 const void *data, size_t data_size,
                 const void *exponent, size_t exponent_size,
                 const void *modulus, size_t modulus_size) {
         int r;
 
-#if PREFER_OPENSSL
         DISABLE_WARNING_DEPRECATED_DECLARATIONS;
         _cleanup_(RSA_freep) RSA *rpubkey = NULL;
         _cleanup_(EVP_PKEY_freep) EVP_PKEY *epubkey = NULL;
@@ -152,91 +150,11 @@ static int dnssec_rsa_verify_raw(
                                        "Signature verification failed: 0x%lx", ERR_get_error());
 
         REENABLE_WARNING;
-#else
-        gcry_sexp_t public_key_sexp = NULL, data_sexp = NULL, signature_sexp = NULL;
-        gcry_mpi_t n = NULL, e = NULL, s = NULL;
-        gcry_error_t ge;
-
-        assert(hash_algorithm);
-
-        ge = gcry_mpi_scan(&s, GCRYMPI_FMT_USG, signature, signature_size, NULL);
-        if (ge != 0) {
-                r = -EIO;
-                goto finish;
-        }
-
-        ge = gcry_mpi_scan(&e, GCRYMPI_FMT_USG, exponent, exponent_size, NULL);
-        if (ge != 0) {
-                r = -EIO;
-                goto finish;
-        }
-
-        ge = gcry_mpi_scan(&n, GCRYMPI_FMT_USG, modulus, modulus_size, NULL);
-        if (ge != 0) {
-                r = -EIO;
-                goto finish;
-        }
-
-        ge = gcry_sexp_build(&signature_sexp,
-                             NULL,
-                             "(sig-val (rsa (s %m)))",
-                             s);
-
-        if (ge != 0) {
-                r = -EIO;
-                goto finish;
-        }
-
-        ge = gcry_sexp_build(&data_sexp,
-                             NULL,
-                             "(data (flags pkcs1) (hash %s %b))",
-                             hash_algorithm,
-                             (int) data_size,
-                             data);
-        if (ge != 0) {
-                r = -EIO;
-                goto finish;
-        }
-
-        ge = gcry_sexp_build(&public_key_sexp,
-                             NULL,
-                             "(public-key (rsa (n %m) (e %m)))",
-                             n,
-                             e);
-        if (ge != 0) {
-                r = -EIO;
-                goto finish;
-        }
-
-        ge = gcry_pk_verify(signature_sexp, data_sexp, public_key_sexp);
-        if (gpg_err_code(ge) == GPG_ERR_BAD_SIGNATURE)
-                r = 0;
-        else if (ge != 0)
-                r = log_debug_errno(SYNTHETIC_ERRNO(EIO),
-                                    "RSA signature check failed: %s", gpg_strerror(ge));
-        else
-                r = 1;
-
-finish:
-        if (e)
-                gcry_mpi_release(e);
-        if (n)
-                gcry_mpi_release(n);
-        if (s)
-                gcry_mpi_release(s);
-
-        if (public_key_sexp)
-                gcry_sexp_release(public_key_sexp);
-        if (signature_sexp)
-                gcry_sexp_release(signature_sexp);
-        if (data_sexp)
-                gcry_sexp_release(data_sexp);
-#endif
         return r;
 }
 
 static int dnssec_rsa_verify(
-                hash_algorithm_t hash_algorithm,
+                const EVP_MD *hash_algorithm,
                 const void *hash, size_t hash_size,
                 DnsResourceRecord *rrsig,
                 DnsResourceRecord *dnskey) {
@@ -292,15 +210,14 @@ static int dnssec_rsa_verify(
 }
 
 static int dnssec_ecdsa_verify_raw(
-                hash_algorithm_t hash_algorithm,
-                elliptic_curve_t curve,
+                const EVP_MD *hash_algorithm,
+                int curve,
                 const void *signature_r, size_t signature_r_size,
                 const void *signature_s, size_t signature_s_size,
                 const void *data, size_t data_size,
                 const void *key, size_t key_size) {
         int k;
 
-#if PREFER_OPENSSL
         DISABLE_WARNING_DEPRECATED_DECLARATIONS;
         _cleanup_(EC_GROUP_freep) EC_GROUP *ec_group = NULL;
         _cleanup_(EC_POINT_freep) EC_POINT *p = NULL;
@@ -363,96 +280,17 @@ static int dnssec_ecdsa_verify_raw(
                                        "Signature verification failed: 0x%lx", ERR_get_error());
 
         REENABLE_WARNING;
-#else
-        gcry_sexp_t public_key_sexp = NULL, data_sexp = NULL, signature_sexp = NULL;
-        gcry_mpi_t q = NULL, r = NULL, s = NULL;
-        gcry_error_t ge;
-
-        assert(hash_algorithm);
-
-        ge = gcry_mpi_scan(&r, GCRYMPI_FMT_USG, signature_r, signature_r_size, NULL);
-        if (ge != 0) {
-                k = -EIO;
-                goto finish;
-        }
-
-        ge = gcry_mpi_scan(&s, GCRYMPI_FMT_USG, signature_s, signature_s_size, NULL);
-        if (ge != 0) {
-                k = -EIO;
-                goto finish;
-        }
-
-        ge = gcry_mpi_scan(&q, GCRYMPI_FMT_USG, key, key_size, NULL);
-        if (ge != 0) {
-                k = -EIO;
-                goto finish;
-        }
-
-        ge = gcry_sexp_build(&signature_sexp,
-                             NULL,
-                             "(sig-val (ecdsa (r %m) (s %m)))",
-                             r,
-                             s);
-        if (ge != 0) {
-                k = -EIO;
-                goto finish;
-        }
-
-        ge = gcry_sexp_build(&data_sexp,
-                             NULL,
-                             "(data (flags rfc6979) (hash %s %b))",
-                             hash_algorithm,
-                             (int) data_size,
-                             data);
-        if (ge != 0) {
-                k = -EIO;
-                goto finish;
-        }
-
-        ge = gcry_sexp_build(&public_key_sexp,
-                             NULL,
-                             "(public-key (ecc (curve %s) (q %m)))",
-                             curve,
-                             q);
-        if (ge != 0) {
-                k = -EIO;
-                goto finish;
-        }
-
-        ge = gcry_pk_verify(signature_sexp, data_sexp, public_key_sexp);
-        if (gpg_err_code(ge) == GPG_ERR_BAD_SIGNATURE)
-                k = 0;
-        else if (ge != 0) {
-                log_debug("ECDSA signature check failed: %s", gpg_strerror(ge));
-                k = -EIO;
-        } else
-                k = 1;
-finish:
-        if (r)
-                gcry_mpi_release(r);
-        if (s)
-                gcry_mpi_release(s);
-        if (q)
-                gcry_mpi_release(q);
-
-        if (public_key_sexp)
-                gcry_sexp_release(public_key_sexp);
-        if (signature_sexp)
-                gcry_sexp_release(signature_sexp);
-        if (data_sexp)
-                gcry_sexp_release(data_sexp);
-#endif
         return k;
 }
 
 static int dnssec_ecdsa_verify(
-                hash_algorithm_t hash_algorithm,
+                const EVP_MD *hash_algorithm,
                 int algorithm,
                 const void *hash, size_t hash_size,
                 DnsResourceRecord *rrsig,
                 DnsResourceRecord *dnskey) {
 
-        elliptic_curve_t curve;
+        int curve;
         size_t key_size;
         uint8_t *q;
 
@@ -462,10 +300,10 @@ static int dnssec_ecdsa_verify(
         assert(dnskey);
 
         if (algorithm == DNSSEC_ALGORITHM_ECDSAP256SHA256) {
-                curve = OPENSSL_OR_GCRYPT(NID_X9_62_prime256v1, "NIST P-256");  /* NIST P-256 */
+                curve = NID_X9_62_prime256v1;  /* NIST P-256 */
                 key_size = 32;
         } else if (algorithm == DNSSEC_ALGORITHM_ECDSAP384SHA384) {
-                curve = OPENSSL_OR_GCRYPT(NID_secp384r1, "NIST P-384");         /* NIST P-384 */
+                curve = NID_secp384r1;         /* NIST P-384 */
                 key_size = 48;
         } else
                 return -EOPNOTSUPP;
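Review bot: The two `curve = ...` assignments keep the column padding that aligned the trailing comments when the `OPENSSL_OR_GCRYPT(...)` form was in place, so `curve = NID_secp384r1;         /* NIST P-384 */` now carries nine spaces of dead alignment; reflow both lines with a single space before the comment. The comments themselves are still worth keeping, as the NID names do not spell out the curve. `dnssec_ecdsa_verify()` begins before this hunk and continues after it.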
@@ -490,12 +328,11 @@ static int dnssec_ecdsa_verify(
 }
 
 static int dnssec_eddsa_verify_raw(
-                elliptic_curve_t curve,
+                int curve,
                 const uint8_t *signature, size_t signature_size,
                 const uint8_t *data, size_t data_size,
                 const uint8_t *key, size_t key_size) {
 
-#if PREFER_OPENSSL
         _cleanup_(EVP_PKEY_freep) EVP_PKEY *evkey = NULL;
         _cleanup_(EVP_PKEY_CTX_freep) EVP_PKEY_CTX *pctx = NULL;
         _cleanup_(EVP_MD_CTX_freep) EVP_MD_CTX *ctx = NULL;
@@ -534,67 +371,6 @@ static int dnssec_eddsa_verify_raw(
                                        "Signature verification failed: 0x%lx", ERR_get_error());
 
         return r;
-
-#elif GCRYPT_VERSION_NUMBER >= 0x010600
-        gcry_sexp_t public_key_sexp = NULL, data_sexp = NULL, signature_sexp = NULL;
-        gcry_error_t ge;
-        int k;
-
-        assert(signature_size == key_size * 2);
-
-        ge = gcry_sexp_build(&signature_sexp,
-                             NULL,
-                             "(sig-val (eddsa (r %b) (s %b)))",
-                             (int) key_size,
-                             signature,
-                             (int) key_size,
-                             signature + key_size);
-        if (ge != 0) {
-                k = -EIO;
-                goto finish;
-        }
-
-        ge = gcry_sexp_build(&data_sexp,
-                             NULL,
-                             "(data (flags eddsa) (hash-algo sha512) (value %b))",
-                             (int) data_size,
-                             data);
-        if (ge != 0) {
-                k = -EIO;
-                goto finish;
-        }
-
-        ge = gcry_sexp_build(&public_key_sexp,
-                             NULL,
-                             "(public-key (ecc (curve %s) (flags eddsa) (q %b)))",
-                             curve,
-                             (int) key_size,
-                             key);
-        if (ge != 0) {
-                k = -EIO;
-                goto finish;
-        }
-
-        ge = gcry_pk_verify(signature_sexp, data_sexp, public_key_sexp);
-        if (gpg_err_code(ge) == GPG_ERR_BAD_SIGNATURE)
-                k = 0;
-        else if (ge != 0)
-                k = log_debug_errno(SYNTHETIC_ERRNO(EIO),
-                                    "EdDSA signature check failed: %s", gpg_strerror(ge));
-        else
-                k = 1;
-finish:
-        if (public_key_sexp)
-                gcry_sexp_release(public_key_sexp);
-        if (signature_sexp)
-                gcry_sexp_release(signature_sexp);
-        if (data_sexp)
-                gcry_sexp_release(data_sexp);
-
-        return k;
-#else
-        return -EOPNOTSUPP;
-#endif
 }
 
 static int dnssec_eddsa_verify(
@@ -602,11 +378,11 @@ static int dnssec_eddsa_verify(
                 const void *data, size_t data_size,
                 DnsResourceRecord *rrsig,
                 DnsResourceRecord *dnskey) {
-        elliptic_curve_t curve;
+        int curve;
         size_t key_size;
 
         if (algorithm == DNSSEC_ALGORITHM_ED25519) {
-                curve = OPENSSL_OR_GCRYPT(NID_ED25519, "Ed25519");
+                curve = NID_ED25519;
                 key_size = 32;
         } else
                 return -EOPNOTSUPP;
@@ -624,23 +400,13 @@ static int dnssec_eddsa_verify(
                         dnskey->dnskey.key, key_size);
 }
 
-static int md_add_uint8(hash_context_t ctx, uint8_t v) {
-#if PREFER_OPENSSL
+static int md_add_uint8(EVP_MD_CTX *ctx, uint8_t v) {
         return EVP_DigestUpdate(ctx, &v, sizeof(v));
-#else
-        gcry_md_write(ctx, &v, sizeof(v));
-        return 0;
-#endif
 }
 
-static int md_add_uint16(hash_context_t ctx, uint16_t v) {
+static int md_add_uint16(EVP_MD_CTX *ctx, uint16_t v) {
         v = htobe16(v);
-#if PREFER_OPENSSL
         return EVP_DigestUpdate(ctx, &v, sizeof(v));
-#else
-        gcry_md_write(ctx, &v, sizeof(v));
-        return 0;
-#endif
 }
 
 static void fwrite_uint8(FILE *fp, uint8_t v) {
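Review bot: `md_add_uint8()` and `md_add_uint16()` now return `EVP_DigestUpdate()`'s result unchanged, i.e. 1 on success and 0 on failure, whereas the removed gcrypt branch returned 0 on success and the rest of this file uses negative errno. A one-line comment above `md_add_uint8()` such as `/* Returns 1 on success and 0 on failure (EVP_DigestUpdate() convention), not a negative errno. */` would stop a future caller from testing `r < 0`. The callers of these helpers are outside the hunk, so I could not confirm they test for `== 0`.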
@@ -745,9 +511,9 @@ static int dnssec_rrsig_expired(DnsResourceRecord *rrsig, usec_t realtime) {
         return realtime < inception || realtime > expiration;
 }
 
-static hash_md_t algorithm_to_implementation_id(uint8_t algorithm) {
+static const EVP_MD* algorithm_to_implementation_id(uint8_t algorithm) {
 
-        /* Translates a DNSSEC signature algorithm into an openssl/gcrypt digest identifier.
+        /* Translates a DNSSEC signature algorithm into an openssl digest identifier.
          *
          * Note that we implement all algorithms listed as "Must implement" and "Recommended to Implement" in
          * RFC6944. We don't implement any algorithms that are listed as "Optional" or "Must Not Implement".
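Review bot: The comment on algorithm_to_implementation_id() no longer says how an unsupported algorithm is reported: the gcrypt variant returned -EOPNOTSUPP and callers checked `< 0`, whereas the function now returns NULL and callers must test `!md_algorithm` (as dnssec_rrset_verify_sig() does in the following hunks). Add `* Returns NULL for algorithms we do not implement.` to this comment; the same applies to digest_to_hash_md() and nsec3_hash_to_hash_md() further down, whose comments also only say "openssl digest identifier". The name "implementation id" is a leftover now that the result is always an EVP_MD, but renaming is optional.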
@@ -757,20 +523,20 @@ static hash_md_t algorithm_to_implementation_id(uint8_t algorithm) {
 
         case DNSSEC_ALGORITHM_RSASHA1:
         case DNSSEC_ALGORITHM_RSASHA1_NSEC3_SHA1:
-                return OPENSSL_OR_GCRYPT(EVP_sha1(), GCRY_MD_SHA1);
+                return EVP_sha1();
 
         case DNSSEC_ALGORITHM_RSASHA256:
         case DNSSEC_ALGORITHM_ECDSAP256SHA256:
-                return OPENSSL_OR_GCRYPT(EVP_sha256(), GCRY_MD_SHA256);
+                return EVP_sha256();
 
         case DNSSEC_ALGORITHM_ECDSAP384SHA384:
-                return OPENSSL_OR_GCRYPT(EVP_sha384(), GCRY_MD_SHA384);
+                return EVP_sha384();
 
         case DNSSEC_ALGORITHM_RSASHA512:
-                return OPENSSL_OR_GCRYPT(EVP_sha512(), GCRY_MD_SHA512);
+                return EVP_sha512();
 
         default:
-                return OPENSSL_OR_GCRYPT(NULL, -EOPNOTSUPP);
+                return NULL;
         }
 }
 
@@ -878,37 +644,23 @@ static int dnssec_rrset_verify_sig(
         assert(sig_data);
         assert(sig_size > 0);
 
-        hash_md_t md_algorithm;
+        const EVP_MD *md_algorithm;
 
-#if PREFER_OPENSSL
         uint8_t hash[EVP_MAX_MD_SIZE];
         unsigned hash_size;
-#else
-        _cleanup_(gcry_md_closep) gcry_md_hd_t md = NULL;
-        void *hash;
-        size_t hash_size;
-        int r;
-
-        r = initialize_libgcrypt(false);
-        if (r < 0)
-                return r;
-#endif
 
         switch (rrsig->rrsig.algorithm) {
         case DNSSEC_ALGORITHM_ED25519:
-#if PREFER_OPENSSL || GCRYPT_VERSION_NUMBER >= 0x010600
                 return dnssec_eddsa_verify(
                                 rrsig->rrsig.algorithm,
                                 sig_data, sig_size,
                                 rrsig,
                                 dnskey);
-#endif
         case DNSSEC_ALGORITHM_ED448:
                 return -EOPNOTSUPP;
         default:
                 /* OK, the RRs are now in canonical order. Let's calculate the digest */
                 md_algorithm = algorithm_to_implementation_id(rrsig->rrsig.algorithm);
-#if PREFER_OPENSSL
                 if (!md_algorithm)
                         return -EOPNOTSUPP;
 
@@ -926,24 +678,6 @@ static int dnssec_rrset_verify_sig(
                         return -EIO;
 
                 assert(hash_size > 0);
-
-#else
-                if (md_algorithm < 0)
-                        return md_algorithm;
-
-                gcry_error_t err = gcry_md_open(&md, md_algorithm, 0);
-                if (gcry_err_code(err) != GPG_ERR_NO_ERROR || !md)
-                        return -EIO;
-
-                hash_size = gcry_md_get_algo_dlen(md_algorithm);
-                assert(hash_size > 0);
-
-                gcry_md_write(md, sig_data, sig_size);
-
-                hash = gcry_md_read(md, 0);
-                if (!hash)
-                        return -EIO;
-#endif
         }
 
         switch (rrsig->rrsig.algorithm) {
@@ -953,7 +687,7 @@ static int dnssec_rrset_verify_sig(
         case DNSSEC_ALGORITHM_RSASHA256:
         case DNSSEC_ALGORITHM_RSASHA512:
                 return dnssec_rsa_verify(
-                                OPENSSL_OR_GCRYPT(md_algorithm, gcry_md_algo_name(md_algorithm)),
+                                md_algorithm,
                                 hash, hash_size,
                                 rrsig,
                                 dnskey);
@@ -961,7 +695,7 @@ static int dnssec_rrset_verify_sig(
         case DNSSEC_ALGORITHM_ECDSAP256SHA256:
         case DNSSEC_ALGORITHM_ECDSAP384SHA384:
                 return dnssec_ecdsa_verify(
-                                OPENSSL_OR_GCRYPT(md_algorithm, gcry_md_algo_name(md_algorithm)),
+                                md_algorithm,
                                 rrsig->rrsig.algorithm,
                                 hash, hash_size,
                                 rrsig,
@@ -1312,23 +1046,23 @@ int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key) {
         return 0;
 }
 
-static hash_md_t digest_to_hash_md(uint8_t algorithm) {
+static const EVP_MD* digest_to_hash_md(uint8_t algorithm) {
 
-        /* Translates a DNSSEC digest algorithm into an openssl/gcrypt digest identifier */
+        /* Translates a DNSSEC digest algorithm into an openssl digest identifier */
 
         switch (algorithm) {
 
         case DNSSEC_DIGEST_SHA1:
-                return OPENSSL_OR_GCRYPT(EVP_sha1(), GCRY_MD_SHA1);
+                return EVP_sha1();
 
         case DNSSEC_DIGEST_SHA256:
-                return OPENSSL_OR_GCRYPT(EVP_sha256(), GCRY_MD_SHA256);
+                return EVP_sha256();
 
         case DNSSEC_DIGEST_SHA384:
-                return OPENSSL_OR_GCRYPT(EVP_sha384(), GCRY_MD_SHA384);
+                return EVP_sha384();
 
         default:
-                return OPENSSL_OR_GCRYPT(NULL, -EOPNOTSUPP);
+                return NULL;
         }
 }
 
@@ -1363,9 +1097,7 @@ int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds,
                 return r;
         encoded_length = r;
 
-        hash_md_t md_algorithm = digest_to_hash_md(ds->ds.digest_type);
-
-#if PREFER_OPENSSL
+        const EVP_MD *md_algorithm = digest_to_hash_md(ds->ds.digest_type);
         if (!md_algorithm)
                 return -EOPNOTSUPP;
 
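Review bot: The removed gcrypt branch of dnssec_verify_dnskey_by_ds() returned 0 when `ds->ds.digest_size != hash_size` before hashing anything; the OpenSSL path that remains lies between this hunk and the next and is not visible here, so I cannot see whether it performs the same length check ahead of `memcmp(result, ds->ds.digest, ds->ds.digest_size)`. If it does not, a DS record carrying an oversized digest_size makes memcmp compare past the bytes EVP_DigestFinal_ex() wrote into `result`, and the verdict would depend on whatever follows in that buffer instead of being a clean mismatch. Worth confirming that `if (ds->ds.digest_size != (size_t) EVP_MD_size(md_algorithm)) return 0;` or an equivalent precedes the digest computation.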
@@ -1405,40 +1137,6 @@ int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds,
         if (EVP_DigestFinal_ex(ctx, result, NULL) <= 0)
                 return -EIO;
 
-#else
-        if (md_algorithm < 0)
-                return -EOPNOTSUPP;
-
-        r = initialize_libgcrypt(false);
-        if (r < 0)
-                return r;
-
-        _cleanup_(gcry_md_closep) gcry_md_hd_t md = NULL;
-
-        size_t hash_size = gcry_md_get_algo_dlen(md_algorithm);
-        assert(hash_size > 0);
-
-        if (ds->ds.digest_size != hash_size)
-                return 0;
-
-        gcry_error_t err = gcry_md_open(&md, md_algorithm, 0);
-        if (gcry_err_code(err) != GPG_ERR_NO_ERROR || !md)
-                return -EIO;
-
-        gcry_md_write(md, wire_format, encoded_length);
-        if (mask_revoke)
-                md_add_uint16(md, dnskey->dnskey.flags & ~DNSKEY_FLAG_REVOKE);
-        else
-                md_add_uint16(md, dnskey->dnskey.flags);
-        md_add_uint8(md, dnskey->dnskey.protocol);
-        md_add_uint8(md, dnskey->dnskey.algorithm);
-        gcry_md_write(md, dnskey->dnskey.key, dnskey->dnskey.key_size);
-
-        void *result = gcry_md_read(md, 0);
-        if (!result)
-                return -EIO;
-#endif
-
         return memcmp(result, ds->ds.digest, ds->ds.digest_size) == 0;
 }
 
@@ -1480,17 +1178,17 @@ int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *vali
         return 0;
 }
 
-static hash_md_t nsec3_hash_to_hash_md(uint8_t algorithm) {
+static const EVP_MD* nsec3_hash_to_hash_md(uint8_t algorithm) {
 
-        /* Translates a DNSSEC NSEC3 hash algorithm into an openssl/gcrypt digest identifier */
+        /* Translates a DNSSEC NSEC3 hash algorithm into an openssl digest identifier */
 
         switch (algorithm) {
 
         case NSEC3_ALGORITHM_SHA1:
-                return OPENSSL_OR_GCRYPT(EVP_sha1(), GCRY_MD_SHA1);
+                return EVP_sha1();
 
         default:
-                return OPENSSL_OR_GCRYPT(NULL, -EOPNOTSUPP);
+                return NULL;
         }
 }
 
@@ -1510,8 +1208,7 @@ int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret) {
                                        "Ignoring NSEC3 RR %s with excessive number of iterations.",
                                        dns_resource_record_to_string(nsec3));
 
-        hash_md_t algorithm = nsec3_hash_to_hash_md(nsec3->nsec3.algorithm);
-#if PREFER_OPENSSL
+        const EVP_MD *algorithm = nsec3_hash_to_hash_md(nsec3->nsec3.algorithm);
         if (!algorithm)
                 return -EOPNOTSUPP;
 
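Review bot: The removed gcrypt branch of dnssec_nsec3_hash() rejected `nsec3->nsec3.next_hashed_name_size != hash_size` with -EINVAL before hashing; the surviving OpenSSL path between this hunk and the next is not visible, so please confirm it carries the same self-consistency check on the RR. The shared tail `memcpy(ret, result, hash_size)` and `return (int) hash_size` are what callers size `ret` against, and that check was the guard that the NSEC3's own next-hashed-name length agrees with the digest it claims to use.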
@@ -1552,51 +1249,6 @@ int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret) {
                 if (EVP_DigestFinal_ex(ctx, result, NULL) <= 0)
                         return -EIO;
         }
-#else
-        if (algorithm < 0)
-                return algorithm;
-
-        r = initialize_libgcrypt(false);
-        if (r < 0)
-                return r;
-
-        size_t encoded_length;
-        unsigned hash_size = gcry_md_get_algo_dlen(algorithm);
-        assert(hash_size > 0);
-
-        if (nsec3->nsec3.next_hashed_name_size != hash_size)
-                return -EINVAL;
-
-        r = dns_name_to_wire_format(name, wire_format, sizeof(wire_format), true);
-        if (r < 0)
-                return r;
-        encoded_length = r;
-
-        _cleanup_(gcry_md_closep) gcry_md_hd_t md = NULL;
-        gcry_error_t err = gcry_md_open(&md, algorithm, 0);
-        if (gcry_err_code(err) != GPG_ERR_NO_ERROR || !md)
-                return -EIO;
-
-        gcry_md_write(md, wire_format, encoded_length);
-        gcry_md_write(md, nsec3->nsec3.salt, nsec3->nsec3.salt_size);
-
-        void *result = gcry_md_read(md, 0);
-        if (!result)
-                return -EIO;
-
-        for (unsigned k = 0; k < nsec3->nsec3.iterations; k++) {
-                uint8_t tmp[hash_size];
-                memcpy(tmp, result, hash_size);
-
-                gcry_md_reset(md);
-                gcry_md_write(md, tmp, hash_size);
-                gcry_md_write(md, nsec3->nsec3.salt, nsec3->nsec3.salt_size);
-
-                result = gcry_md_read(md, 0);
-                if (!result)
-                        return -EIO;
-        }
-#endif
 
         memcpy(ret, result, hash_size);
         return (int) hash_size;
@@ -1616,13 +1268,8 @@ static int nsec3_is_good(DnsResourceRecord *rr, DnsResourceRecord *nsec3) {
                 return 0;
 
         /* Ignore NSEC3 RRs whose algorithm we don't know */
-#if PREFER_OPENSSL
         if (!nsec3_hash_to_hash_md(rr->nsec3.algorithm))
                 return 0;
-#else
-        if (nsec3_hash_to_hash_md(rr->nsec3.algorithm) < 0)
-                return 0;
-#endif
 
         /* Ignore NSEC3 RRs with an excessive number of required iterations */
         if (rr->nsec3.iterations > NSEC3_ITERATIONS_MAX)
index 049262e6da28d96b80e2cbe423385c4fdd2fcf9b..61adc617f63f15e45405d6c165e957068dbe7028 100644 (file)
@@ -1,9 +1,5 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
-#if HAVE_GCRYPT
-#  include <gcrypt.h>
-#endif
-
 #include "alloc-util.h"
 #include "dns-domain.h"
 #include "escape.h"
@@ -813,7 +809,7 @@ int dns_packet_append_opt(
                 static const uint8_t rfc6975[] = {
 
                         0, DNS_EDNS_OPT_DAU, /* OPTION_CODE */
-#if PREFER_OPENSSL || (HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600)
+#if HAVE_OPENSSL
                         0, 7, /* LIST_LENGTH */
 #else
                         0, 6, /* LIST_LENGTH */
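Review bot: The two `#if HAVE_OPENSSL` conditionals in rfc6975[] must stay in step — the LIST_LENGTH byte (7 vs 6) here and the DNSSEC_ALGORITHM_ED25519 entry in the next hunk — and nothing enforces that. Since the array is static const, the length could be derived from the entries instead of hand-counted, or at least a comment `/* keep in sync with LIST_LENGTH above */` next to the ED25519 entry. Note also that without OpenSSL the DAU option still advertises the six RSA/ECDSA algorithms although resolved cannot validate any of them in that build (link_set_dnssec_mode() turns DNSSEC off in that case); this is pre-existing, but the new condition makes the asymmetry more visible.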
@@ -824,7 +820,7 @@ int dns_packet_append_opt(
                         DNSSEC_ALGORITHM_RSASHA512,
                         DNSSEC_ALGORITHM_ECDSAP256SHA256,
                         DNSSEC_ALGORITHM_ECDSAP384SHA384,
-#if PREFER_OPENSSL || (HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600)
+#if HAVE_OPENSSL
                         DNSSEC_ALGORITHM_ED25519,
 #endif
 
index df4b5993a3bb6a5e96e3d9e16f9cfc9bd2978e22..88adc6840f2373b40659ae7ea83ee7a99ab40d52 100644 (file)
@@ -418,11 +418,11 @@ void link_set_dnssec_mode(Link *l, DnssecMode mode) {
 
         assert(l);
 
-#if !HAVE_OPENSSL_OR_GCRYPT
+#if !HAVE_OPENSSL
         if (IN_SET(mode, DNSSEC_YES, DNSSEC_ALLOW_DOWNGRADE))
                 log_link_warning(l,
                                  "DNSSEC option for the link cannot be enabled or set to allow-downgrade "
-                                 "when systemd-resolved is built without a cryptographic library. "
+                                 "when systemd-resolved is built without openssl. "
                                  "Turning off DNSSEC support.");
         return;
 #endif
index 6b0ab66ae7430ffc960d39654aaac83fe7cfa4ee..59ce0c7b2d529abca665d18fd065ddcef91583f4 100644 (file)
@@ -4,10 +4,6 @@
 #include <netinet/in.h>
 #include <sys/socket.h>
 
-#if HAVE_GCRYPT
-#  include <gcrypt.h>
-#endif
-
 #include "alloc-util.h"
 #include "hexdecoct.h"
 #include "resolved-dns-dnssec.h"
@@ -173,11 +169,7 @@ TEST(dnssec_verify_rfc8080_ed25519_example1) {
 
         assert_se(dnssec_verify_rrset(answer, mx->key, rrsig, dnskey,
                                       rrsig->rrsig.inception * USEC_PER_SEC, &result) >= 0);
-#if PREFER_OPENSSL || GCRYPT_VERSION_NUMBER >= 0x010600
         assert_se(result == DNSSEC_VALIDATED);
-#else
-        assert_se(result == DNSSEC_UNSUPPORTED_ALGORITHM);
-#endif
 }
 
 TEST(dnssec_verify_rfc8080_ed25519_example2) {
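Review bot: The assertion `assert_se(result == DNSSEC_VALIDATED);` now assumes Ed25519 verification is always available; that holds only if test-dnssec is built solely under HAVE_OPENSSL, which src/resolve/meson.build is in the changeset to decide but is not visible here. The removed branch shows that without a capable backend dnssec_verify_rrset() reports DNSSEC_UNSUPPORTED_ALGORITHM instead, so if the test can still be built without OpenSSL it would fail rather than be skipped. The same applies to the identical change in TEST(dnssec_verify_rfc8080_ed25519_example2) below.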
@@ -265,11 +257,7 @@ TEST(dnssec_verify_rfc8080_ed25519_example2) {
 
         assert_se(dnssec_verify_rrset(answer, mx->key, rrsig, dnskey,
                                       rrsig->rrsig.inception * USEC_PER_SEC, &result) >= 0);
-#if PREFER_OPENSSL || GCRYPT_VERSION_NUMBER >= 0x010600
         assert_se(result == DNSSEC_VALIDATED);
-#else
-        assert_se(result == DNSSEC_UNSUPPORTED_ALGORITHM);
-#endif
 }
 
 TEST(dnssec_verify_rfc6605_example1) {
index b19c18e56ed179d914267809d7c096b2ea6456b8..cceab4eaaf95455738cde2310caf33fca6533a71 100644 (file)
@@ -1223,7 +1223,6 @@ int pkcs7_new(X509 *certificate, EVP_PKEY *private_key, PKCS7 **ret_p7, PKCS7_SI
         return 0;
 }
 
-#  if PREFER_OPENSSL
 int string_hashsum(
                 const char *s,
                 size_t len,
@@ -1250,7 +1249,6 @@ int string_hashsum(
         *ret = TAKE_PTR(enc);
         return 0;
 }
-#  endif
 
 static int ecc_pkey_generate_volume_keys(
                 EVP_PKEY *pkey,
index d936ef54f442d216b027b36c0247ced52dcfa8f3..6ab84e266cd271e72d3c7a860d04f1625a7a4cdc 100644 (file)
@@ -169,6 +169,8 @@ int digest_and_sign(const EVP_MD *md, EVP_PKEY *privkey, const void *data, size_
 
 int pkcs7_new(X509 *certificate, EVP_PKEY *private_key, PKCS7 **ret_p7, PKCS7_SIGNER_INFO **ret_si);
 
+int string_hashsum(const char *s, size_t len, const char *md_algorithm, char **ret);
+
 #else
 
 typedef struct X509 X509;
@@ -198,6 +200,10 @@ static inline void* ASN1_STRING_free(ASN1_STRING *p) {
         return NULL;
 }
 
+static inline int string_hashsum(const char *s, size_t len, const char *md_algorithm, char **ret) {
+        return -EOPNOTSUPP;
+}
+
 #endif
 
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509*, X509_free, NULL);
@@ -230,29 +236,6 @@ int openssl_load_private_key(
                 EVP_PKEY **ret_private_key,
                 OpenSSLAskPasswordUI **ret_user_interface);
 
-#if PREFER_OPENSSL
-/* The openssl definition */
-typedef const EVP_MD* hash_md_t;
-typedef const EVP_MD* hash_algorithm_t;
-typedef int elliptic_curve_t;
-typedef EVP_MD_CTX* hash_context_t;
-#  define OPENSSL_OR_GCRYPT(a, b) (a)
-
-#elif HAVE_GCRYPT
-
-#  include <gcrypt.h>
-
-/* The gcrypt definition */
-typedef int hash_md_t;
-typedef const char* hash_algorithm_t;
-typedef const char* elliptic_curve_t;
-typedef gcry_md_hd_t hash_context_t;
-#  define OPENSSL_OR_GCRYPT(a, b) (b)
-#endif
-
-#if PREFER_OPENSSL
-int string_hashsum(const char *s, size_t len, const char *md_algorithm, char **ret);
-
 static inline int string_hashsum_sha224(const char *s, size_t len, char **ret) {
         return string_hashsum(s, len, "SHA224", ret);
 }
@@ -260,4 +243,3 @@ static inline int string_hashsum_sha224(const char *s, size_t len, char **ret) {
 static inline int string_hashsum_sha256(const char *s, size_t len, char **ret) {
         return string_hashsum(s, len, "SHA256", ret);
 }
-#endif
index 4ef296a41aab72fd9917d4d5b312216f3b51820d..32200da424c49cdba954bb25a71f27cbda0a8708 100644 (file)
@@ -266,8 +266,8 @@ executables += [
         },
         test_template + {
                 'sources' : files('test-cryptolib.c'),
-                'dependencies' : lib_openssl_or_gcrypt,
-                'conditions' : ['HAVE_OPENSSL_OR_GCRYPT'],
+                'dependencies' : libopenssl,
+                'conditions' : ['HAVE_OPENSSL'],
         },
         test_template + {
                 'sources' : files('test-display-quota.c'),
index 9f9be4d37277c688b551860b3e7b23826b9ad9a7..4f51ead42ad1dc95834575ace1a33246ed3803f7 100644 (file)
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 
 #include "alloc-util.h"
-#include "gcrypt-util.h"
 #include "macro.h"
 #include "openssl-util.h"
 #include "string-util.h"
@@ -11,25 +10,25 @@ TEST(string_hashsum) {
         _cleanup_free_ char *out1 = NULL, *out2 = NULL, *out3 = NULL, *out4 = NULL;
 
         assert_se(string_hashsum("asdf", 4,
-                                 OPENSSL_OR_GCRYPT("SHA224", GCRY_MD_SHA224),
+                                 "SHA224",
                                  &out1) == 0);
         /* echo -n 'asdf' | sha224sum - */
         ASSERT_STREQ(out1, "7872a74bcbf298a1e77d507cd95d4f8d96131cbbd4cdfc571e776c8a");
 
         assert_se(string_hashsum("asdf", 4,
-                                 OPENSSL_OR_GCRYPT("SHA256", GCRY_MD_SHA256),
+                                 "SHA256",
                                  &out2) == 0);
         /* echo -n 'asdf' | sha256sum - */
         ASSERT_STREQ(out2, "f0e4c2f76c58916ec258f246851bea091d14d4247a2fc3e18694461b1816e13b");
 
         assert_se(string_hashsum("", 0,
-                                 OPENSSL_OR_GCRYPT("SHA224", GCRY_MD_SHA224),
+                                 "SHA224",
                                  &out3) == 0);
         /* echo -n '' | sha224sum - */
         ASSERT_STREQ(out3, "d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f");
 
         assert_se(string_hashsum("", 0,
-                                 OPENSSL_OR_GCRYPT("SHA256", GCRY_MD_SHA256),
+                                 "SHA256",
                                  &out4) == 0);
         /* echo -n '' | sha256sum - */
         ASSERT_STREQ(out4, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855");
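Review bot: With the OPENSSL_OR_GCRYPT() macro gone, each call in TEST(string_hashsum) spreads a plain string literal over three lines; collapse them to one line, or better, exercise the string_hashsum_sha224()/string_hashsum_sha256() inline wrappers from openssl-util.h, which this commit makes unconditional but which have no test of their own: `assert_se(string_hashsum_sha224("asdf", 4, &out1) == 0);`. The file name test-cryptolib.c is also a leftover now that only OpenSSL is exercised; renaming it is optional.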