From: Serge Hallyn Date: Fri, 14 Jun 2019 03:08:26 +0000 (+0000) Subject: Switch from gnutls to openssl for sha1 X-Git-Tag: lxc-3.2.0~27^2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=fa2bb6ba532c5e7f92df8cbae50a68af519f9997;p=thirdparty%2Flxc.git Switch from gnutls to openssl for sha1 The reason for this is because openssl can be statically linked against, gnutls cannot. Signed-off-by: Serge Hallyn --- diff --git a/configure.ac b/configure.ac index 3caa45ba8..a041f2fdb 100644 --- a/configure.ac +++ b/configure.ac @@ -257,6 +257,8 @@ fi AM_CONDITIONAL([ENABLE_API_DOCS], [test "x$HAVE_DOXYGEN" != "x"]) +AC_CONFIG_MACRO_DIRS([config]) + # Apparmor AC_ARG_ENABLE([apparmor], [AC_HELP_STRING([--enable-apparmor], [enable apparmor support [default=auto]])], 
@@ -267,20 +269,21 @@ if test "$enable_apparmor" = "auto" ; then fi AM_CONDITIONAL([ENABLE_APPARMOR], [test "x$enable_apparmor" = "xyes"]) -# GnuTLS -AC_ARG_ENABLE([gnutls], - [AC_HELP_STRING([--enable-gnutls], [enable GnuTLS support [default=auto]])], - [], [enable_gnutls=auto]) +# OpenSSL +# libssl-dev +AC_ARG_ENABLE([openssl], + [AC_HELP_STRING([--enable-openssl], [enable OpenSSL support [default=auto]])], + [], [enable_openssl=auto]) + +if test "$enable_openssl" = "auto" ; then + AC_CHECK_LIB([ssl], [OPENSSL_init_ssl], [enable_openssl=yes], [enable_openssl=no]) -if test "$enable_gnutls" = "auto" ; then - AC_CHECK_LIB([gnutls], [gnutls_hash_fast], [enable_gnutls=yes], [enable_gnutls=no]) fi -AM_CONDITIONAL([ENABLE_GNUTLS], [test "x$enable_gnutls" = "xyes"]) +AM_CONDITIONAL([ENABLE_OPENSSL], [test "x$enable_openssl" = "xyes"]) -AM_COND_IF([ENABLE_GNUTLS], - [AC_CHECK_HEADER([gnutls/gnutls.h],[],[AC_MSG_ERROR([You must install the GnuTLS development package in order to compile lxc])]) - AC_CHECK_LIB([gnutls], [gnutls_hash_fast],[true],[AC_MSG_ERROR([You must install the GnuTLS development package in order to compile lxc])]) - AC_SUBST([GNUTLS_LIBS], [-lgnutls])]) +AM_COND_IF([ENABLE_OPENSSL], + [AC_CHECK_HEADER([openssl/engine.h],[],[AC_MSG_ERROR([You must install the OpenSSL development package in order to compile lxc])]) + AC_SUBST([OPENSSL_LIBS], '-lssl -lcrypto')]) # SELinux AC_ARG_ENABLE([selinux], @@ -1014,7 +1017,7 @@ Environment: - distribution: $with_distro - init script type(s): $init_script - rpath: $enable_rpath - - GnuTLS: $enable_gnutls + - OpenSSL: $enable_openssl - Bash integration: $enable_bash Security features: diff --git a/src/lxc/Makefile.am b/src/lxc/Makefile.am index 49b3b014d..4b18ac5d8 100644 --- a/src/lxc/Makefile.am +++ b/src/lxc/Makefile.am @@ -210,8 +210,8 @@ if ENABLE_APPARMOR AM_CFLAGS += -DHAVE_APPARMOR endif -if ENABLE_GNUTLS -AM_CFLAGS += -DHAVE_LIBGNUTLS +if ENABLE_OPENSSL +AM_CFLAGS += -DHAVE_OPENSSL endif if ENABLE_SECCOMP 
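Review bot: The new `AM_COND_IF([ENABLE_OPENSSL], ...)` block only checks a header, so the explicit `--enable-openssl` path no longer verifies that the library links, whereas the GnuTLS block it replaces also ran `AC_CHECK_LIB` there; a host with headers but no usable library now fails at link time instead of at configure. The header probed is `openssl/engine.h`, yet the code this commit adds in utils.c uses only the EVP digest API from libcrypto, so `AC_CHECK_HEADER([openssl/evp.h],[],[AC_MSG_ERROR([...])])` together with `AC_CHECK_LIB([crypto], [EVP_DigestInit_ex],[true],[AC_MSG_ERROR([...])])` would test what is actually used, and nothing in the patch references libssl symbols, so `-lssl` in `OPENSSL_LIBS` appears unnecessary. The auto-detect probe `AC_CHECK_LIB([ssl], [OPENSSL_init_ssl], ...)` succeeds only where that symbol exists (OpenSSL 1.1.0 and later, as far as I recall), so on older installs `enable_openssl` silently becomes `no` and the template-checksum line is dropped with no configure-time message; an `AC_MSG_WARN` in the `no` branch would make that visible.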
@@ -248,7 +248,7 @@ liblxc_la_LDFLAGS = -pthread \ -version-info @LXC_ABI_MAJOR@ liblxc_la_LIBADD = $(CAP_LIBS) \ - $(GNUTLS_LIBS) \ + $(OPENSSL_LIBS) \ $(SELINUX_LIBS) \ $(SECCOMP_LIBS) \ $(DLOG_LIBS) @@ -307,7 +307,7 @@ endif LDADD = liblxc.la \ @CAP_LIBS@ \ - @GNUTLS_LIBS@ \ + @OPENSSL_LIBS@ \ @SECCOMP_LIBS@ \ @SELINUX_LIBS@ \ @DLOG_LIBS@ diff --git a/src/lxc/lxccontainer.c b/src/lxc/lxccontainer.c index 253f07f68..a618645f8 100644 --- a/src/lxc/lxccontainer.c +++ b/src/lxc/lxccontainer.c @@ -79,6 +79,10 @@ #include "utils.h" #include "version.h" +#if HAVE_OPENSSL +#include +#endif + /* major()/minor() */ #ifdef MAJOR_IN_MKDEV #include @@ -1654,9 +1658,9 @@ static bool prepend_lxc_header(char *path, const char *t, char *const argv[]) char *contents; FILE *f; int ret = -1; -#if HAVE_LIBGNUTLS - int i; - unsigned char md_value[SHA_DIGEST_LENGTH]; +#if HAVE_OPENSSL + int i, md_len = 0; + unsigned char md_value[EVP_MAX_MD_SIZE]; char *tpath; #endif @@ -1697,14 +1701,14 @@ static bool prepend_lxc_header(char *path, const char *t, char *const argv[]) if (ret < 0) goto out_free_contents; -#if HAVE_LIBGNUTLS +#if HAVE_OPENSSL tpath = get_template_path(t); if (!tpath) { ERROR("Invalid template \"%s\" specified", t); goto out_free_contents; } - ret = sha1sum_file(tpath, md_value); + ret = sha1sum_file(tpath, md_value, &md_len); if (ret < 0) { ERROR("Failed to get sha1sum of %s", tpath); free(tpath); 
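Review bot: `md_len` is declared `int` in the new `#if HAVE_OPENSSL` block of prepend_lxc_header and is threaded via `sha1sum_file(tpath, md_value, &md_len)` down to `do_sha1_hash` in utils.c, which hands it to `EVP_DigestFinal_ex`; that function takes `unsigned int *`, so the `int *` draws a pointer-signedness warning and fails under `-Werror`. Declaring `unsigned int md_len = 0;` here and using `unsigned int *md_len` in the utils.c definition and the utils.h prototype (the same defect appears in both of those hunks) keeps the types consistent, and the print loop later in this function, which appears to compare `i` against `md_len`, would then want `unsigned int i` or a cast. prepend_lxc_header starts before and continues after these hunks. Separately, this file tests the macro with `#if HAVE_OPENSSL` while utils.c uses `#ifdef HAVE_OPENSSL`; both work with the `-DHAVE_OPENSSL` the Makefile adds, but settling on one form avoids the two diverging later.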
@@ -1730,9 +1734,9 @@ static bool prepend_lxc_header(char *path, const char *t, char *const argv[]) fprintf(f, "\n"); } -#if HAVE_LIBGNUTLS +#if HAVE_OPENSSL fprintf(f, "# Template script checksum (SHA-1): "); - for (i=0; i -#include +#ifdef HAVE_OPENSSL +#include -__attribute__((constructor)) -static void gnutls_lxc_init(void) +static int do_sha1_hash(const char *buf, int buflen, unsigned char *md_value, int *md_len) { - gnutls_global_init(); + EVP_MD_CTX *mdctx; + const EVP_MD *md; + + md = EVP_get_digestbyname("sha1"); + if(!md) { + printf("Unknown message digest: sha1\n"); + return -1; + } + + mdctx = EVP_MD_CTX_new(); + EVP_DigestInit_ex(mdctx, md, NULL); + EVP_DigestUpdate(mdctx, buf, buflen); + EVP_DigestFinal_ex(mdctx, md_value, md_len); + EVP_MD_CTX_free(mdctx); + + return 0; } -int sha1sum_file(char *fnam, unsigned char *digest) +int sha1sum_file(char *fnam, unsigned char *digest, int *md_len) { char *buf; int ret; @@ -394,7 +407,7 @@ int sha1sum_file(char *fnam, unsigned char *digest) } buf[flen] = '\0'; - ret = gnutls_hash_fast(GNUTLS_DIG_SHA1, buf, flen, (void *)digest); + ret = do_sha1_hash(buf, flen, (void *)digest, md_len); free(buf); return ret; } diff --git a/src/lxc/utils.h b/src/lxc/utils.h index 9f1c21ddd..dd6404f0b 100644 --- a/src/lxc/utils.h +++ b/src/lxc/utils.h @@ -98,9 +98,8 @@ extern int lxc_pclose(struct lxc_popen_FILE *fp); extern int wait_for_pid(pid_t pid); extern int lxc_wait_for_pid_status(pid_t pid); -#if HAVE_LIBGNUTLS -#define SHA_DIGEST_LENGTH 20 -extern int sha1sum_file(char *fnam, unsigned char *md_value); +#if HAVE_OPENSSL +extern int sha1sum_file(char *fnam, unsigned char *md_value, int *md_len); #endif /* initialize rand with urandom */
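Review bot: `do_sha1_hash`, which this hunk now calls from sha1sum_file, ignores the results of `EVP_MD_CTX_new`, `EVP_DigestInit_ex`, `EVP_DigestUpdate` and `EVP_DigestFinal_ex`: a NULL context from a failed allocation is dereferenced, and a failed init or final leaves `md_value`/`md_len` unset while the helper still returns 0, so the caller goes on to print an uninitialized checksum. Each call should be checked and the context freed on the error path, returning -1 so the existing `ret < 0` handling in lxccontainer.c takes effect; the rewrite below keeps the `int *md_len` interface by finalizing into a local `unsigned int`. The `printf("Unknown message digest: sha1\n")` in the same helper writes to stdout rather than the `ERROR(...)` logging the rest of the patch uses in lxccontainer.c, and a failed lookup of the hard-coded "sha1" name is worth logging at that level. `buflen` is an `int` while `EVP_DigestUpdate` takes a `size_t`, so the `flen` passed through here (its type is not visible in the hunk) deserves a check that it is non-negative.
```c
static int do_sha1_hash(const char *buf, int buflen, unsigned char *md_value, int *md_len)
{
	EVP_MD_CTX *mdctx;
	const EVP_MD *md;
	unsigned int len = 0;
	int ret = -1;

	md = EVP_get_digestbyname("sha1");
	if (!md) {
		/* … unchanged: "Unknown message digest" report … */
		return -1;
	}

	mdctx = EVP_MD_CTX_new();
	if (!mdctx)
		return -1;

	/* every EVP step reports failure as 0; stop at the first one and free the context */
	if (EVP_DigestInit_ex(mdctx, md, NULL) != 1)
		goto out;
	if (EVP_DigestUpdate(mdctx, buf, buflen) != 1)
		goto out;
	if (EVP_DigestFinal_ex(mdctx, md_value, &len) != 1)
		goto out;

	*md_len = (int)len;
	ret = 0;
out:
	EVP_MD_CTX_free(mdctx);
	return ret;
}
```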
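Review bot: The new `sha1sum_file` prototype in utils.h documents nothing about its buffer contract now that the `SHA_DIGEST_LENGTH` define callers could size against is gone; the lxccontainer.c caller sizes `md_value` as `EVP_MAX_MD_SIZE`, but nothing at the declaration says so. A comment above the prototype such as `/* md_value must hold at least EVP_MAX_MD_SIZE bytes; *md_len receives the digest length (20 for SHA-1). Returns 0 on success, negative on failure. */` would capture that, and spelling the size requirement out in prose keeps utils.h free of an OpenSSL include, which this hunk does not add. The visible paths in utils.c return 0 or -1; if earlier failure paths in sha1sum_file return other negative values, the comment should say "negative" rather than "-1".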