From: Yu Watanabe Date: Tue, 1 Apr 2025 17:46:06 +0000 (+0900) Subject: resolve,import: always use openssl X-Git-Tag: v258-rc1~779^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e9d4b88b817b9711291d8734cffdd4faf94b584a;p=thirdparty%2Fsystemd.git resolve,import: always use openssl This deprecate cryptolib meson option. --- diff --git a/.github/workflows/build_test.sh b/.github/workflows/build_test.sh index 25ffe415fae..0f5d7a26357 100755 --- a/.github/workflows/build_test.sh +++ b/.github/workflows/build_test.sh @@ -10,7 +10,7 @@ fatal() { echo >&2 -e "\033[31;1m$1\033[0m"; exit 1; } success() { echo >&2 -e "\033[32;1m$1\033[0m"; } ARGS=( - "--optimization=0 -Dopenssl=disabled -Dcryptolib=gcrypt -Dtpm=true -Dtpm2=enabled" + "--optimization=0 -Dopenssl=disabled -Dtpm=true -Dtpm2=enabled" "--optimization=s -Dutmp=false" "--optimization=2 -Dc_args=-Wmaybe-uninitialized -Ddns-over-tls=openssl" "--optimization=3 -Db_lto=true -Ddns-over-tls=false" @@ -67,7 +67,6 @@ PACKAGES=( COMPILER="${COMPILER:?}" COMPILER_VERSION="${COMPILER_VERSION:?}" LINKER="${LINKER:?}" -CRYPTOLIB="${CRYPTOLIB:?}" RELEASE="$(lsb_release -cs)" # Note: As we use postfixed clang/gcc binaries, we need to override $AR @@ -150,7 +149,7 @@ for args in "${ARGS[@]}"; do CXX="$CXX" CXX_LD="$LINKER" CXXFLAGS="$CXXFLAGS" \ meson setup \ -Dtests=unsafe -Dslow-tests=true -Dfuzz-tests=true --werror \ - -Dnobody-group=nogroup -Dcryptolib="${CRYPTOLIB:?}" -Ddebug=false \ + -Dnobody-group=nogroup -Ddebug=false \ $args build; then cat build/meson-logs/meson-log.txt diff --git a/.github/workflows/build_test.yml b/.github/workflows/build_test.yml index f5d54e88471..86e99b0eb9c 100644 --- a/.github/workflows/build_test.yml +++ b/.github/workflows/build_test.yml 
@@ -25,11 +25,11 @@ jobs: fail-fast: false matrix: env: - - { COMPILER: "gcc", COMPILER_VERSION: "11", LINKER: "bfd", CRYPTOLIB: "gcrypt" } - - { COMPILER: "gcc", COMPILER_VERSION: "13", LINKER: "mold", CRYPTOLIB: "openssl" } - - { COMPILER: "clang", COMPILER_VERSION: "14", LINKER: "mold", CRYPTOLIB: "gcrypt" } - - { COMPILER: "clang", COMPILER_VERSION: "16", LINKER: "bfd", CRYPTOLIB: "openssl" } - - { COMPILER: "clang", COMPILER_VERSION: "18", LINKER: "lld", CRYPTOLIB: "auto" } + - { COMPILER: "gcc", COMPILER_VERSION: "11", LINKER: "bfd" } + - { COMPILER: "gcc", COMPILER_VERSION: "13", LINKER: "mold" } + - { COMPILER: "clang", COMPILER_VERSION: "14", LINKER: "mold" } + - { COMPILER: "clang", COMPILER_VERSION: "16", LINKER: "bfd" } + - { COMPILER: "clang", COMPILER_VERSION: "18", LINKER: "lld" } env: ${{ matrix.env }} steps: - name: Repository checkout diff --git a/.github/workflows/unit_tests.sh b/.github/workflows/unit_tests.sh index 883f6489a1d..477995eafa4 100755 --- a/.github/workflows/unit_tests.sh +++ b/.github/workflows/unit_tests.sh @@ -41,7 +41,7 @@ function run_meson() { set -ex -MESON_ARGS=(-Dcryptolib=${CRYPTOLIB:-auto}) +MESON_ARGS=() # (Re)set the current oom-{score-}adj. For some reason root on GH actions is able to _decrease_ # its oom-score even after dropping all capabilities (including CAP_SYS_RESOURCE), until the diff --git a/.github/workflows/unit_tests.yml b/.github/workflows/unit_tests.yml index 12c3a685c7d..61cfabda56c 100644 --- a/.github/workflows/unit_tests.yml +++ b/.github/workflows/unit_tests.yml 
@@ -16,18 +16,15 @@ jobs: build: runs-on: ubuntu-24.04 concurrency: - group: ${{ github.workflow }}-${{ matrix.run_phase }}-${{ matrix.cryptolib }}-${{ github.ref }} + group: ${{ github.workflow }}-${{ matrix.run_phase }}-${{ github.ref }} cancel-in-progress: true strategy: fail-fast: false matrix: run_phase: [GCC, GCC_ASAN_UBSAN, CLANG, CLANG_RELEASE, CLANG_ASAN_UBSAN, CLANG_ASAN_UBSAN_NO_DEPS] - cryptolib: [auto] include: - run_phase: GCC - cryptolib: openssl - run_phase: CLANG - cryptolib: gcrypt steps: - name: Repository checkout uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 @@ -38,8 +35,6 @@ jobs: sudo sed -i '/^XDG_/d' /etc/environment # Pass only specific env variables through sudo, to avoid having # the already existing XDG_* stuff on the "other side" - sudo --preserve-env=CRYPTOLIB,GITHUB_ACTIONS,CI .github/workflows/unit_tests.sh SETUP + sudo --preserve-env=GITHUB_ACTIONS,CI .github/workflows/unit_tests.sh SETUP - name: Build & test - run: sudo --preserve-env=CRYPTOLIB,GITHUB_ACTIONS,CI .github/workflows/unit_tests.sh RUN_${{ matrix.run_phase }} - env: - CRYPTOLIB: ${{ matrix.cryptolib }} + run: sudo --preserve-env=GITHUB_ACTIONS,CI .github/workflows/unit_tests.sh RUN_${{ matrix.run_phase }} diff --git a/meson.build b/meson.build index dfa40938891..0c1e3be221b 100644 --- a/meson.build +++ b/meson.build 
@@ -1475,18 +1475,6 @@ endif dmi_arches = ['x86', 'x86_64', 'aarch64', 'arm', 'ia64', 'loongarch64', 'mips', 'riscv64'] conf.set10('HAVE_DMI', host_machine.cpu_family() in dmi_arches) -# We support one or the other. If gcrypt is available, we assume it's there to -# be used, and use it in preference. -opt = get_option('cryptolib') -if opt == 'openssl' and conf.get('HAVE_OPENSSL') == 0 - error('openssl requested as the default cryptolib, but not available') -endif -conf.set10('PREFER_OPENSSL', - opt == 'openssl' or (opt == 'auto' and conf.get('HAVE_OPENSSL') == 1 and conf.get('HAVE_GCRYPT') == 0)) -conf.set10('HAVE_OPENSSL_OR_GCRYPT', - conf.get('HAVE_OPENSSL') == 1 or conf.get('HAVE_GCRYPT') == 1) -lib_openssl_or_gcrypt = conf.get('PREFER_OPENSSL') == 1 ? [libopenssl] : [libgcrypt, libgpg_error] - dns_over_tls = get_option('dns-over-tls') have_openssl = conf.get('HAVE_OPENSSL') == 1 if dns_over_tls == 'false' @@ -1525,8 +1513,8 @@ have = get_option('repart').require( conf.set10('ENABLE_REPART', have) default_dnssec = get_option('default-dnssec') -if default_dnssec != 'no' and conf.get('HAVE_OPENSSL_OR_GCRYPT') == 0 - message('default-dnssec cannot be set to yes or allow-downgrade openssl and gcrypt are disabled. Setting default-dnssec to no.') +if default_dnssec != 'no' and conf.get('HAVE_OPENSSL') == 0 + message('default-dnssec cannot be set to yes or allow-downgrade when openssl is disabled. Setting default-dnssec to no.') default_dnssec = 'no' endif conf.set('DEFAULT_DNSSEC_MODE', @@ -1557,7 +1545,7 @@ conf.set10('ENABLE_STORAGETM', get_option('storagetm')) have = get_option('importd').require( conf.get('HAVE_LIBCURL') == 1 and - conf.get('HAVE_OPENSSL_OR_GCRYPT') == 1 and + conf.get('HAVE_OPENSSL') == 1 and conf.get('HAVE_ZLIB') == 1 and conf.get('HAVE_XZ') == 1, error_message : 'curl, openssl/grypt, zlib and xz required').allowed() 
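Review bot: The `error_message` at the end of the importd feature check still reads `'curl, openssl/grypt, zlib and xz required'` although the condition above it now tests only `conf.get('HAVE_OPENSSL') == 1`, so a user who has gcrypt but no openssl is told gcrypt would do (and "grypt" is a typo). The line should become `error_message : 'curl, openssl, zlib and xz required').allowed()`. The `default-dnssec` message in the previous hunk was updated for the same reason, so this one was simply missed.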
@@ -3125,14 +3113,6 @@ else
         found += 'static-libudev(@0@)'.format(static_libudev)
 endif
 
-if conf.get('HAVE_OPENSSL_OR_GCRYPT') == 1 and conf.get('PREFER_OPENSSL') == 1
-        found += 'cryptolib(openssl)'
-elif conf.get('HAVE_OPENSSL_OR_GCRYPT') == 1
-        found += 'cryptolib(gcrypt)'
-else
-        missing += 'cryptolib'
-endif
-
 summary({
         'enabled' : ', '.join(found),
         'disabled' : ', '.join(missing)},
diff --git a/meson_options.txt b/meson_options.txt
index 9b1685536bc..dd174e1c0bc 100644
--- a/meson_options.txt
+++ b/meson_options.txt
@@ -439,8 +439,8 @@ option('gnutls', type : 'feature', deprecated : { 'true' : 'enabled', 'false' :
        description : 'gnutls support')
 option('openssl', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
        description : 'openssl support')
-option('cryptolib', type : 'combo', choices : ['auto', 'openssl', 'gcrypt'],
-       description : 'whether to use openssl or gcrypt where both are supported')
+option('cryptolib', type : 'combo', choices : ['auto', 'openssl'],
+       description : 'This option is deprecated and will be removed in a future release')
 option('p11kit', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
        description : 'p11kit support')
 option('libfido2', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
diff --git a/src/basic/gcrypt-util.c b/src/basic/gcrypt-util.c
index 72b3bdd6ef1..28817b7da4f 100644
--- a/src/basic/gcrypt-util.c
+++ b/src/basic/gcrypt-util.c
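Review bot: Dropping `'gcrypt'` from the `choices` of the `cryptolib` option means an existing `-Dcryptolib=gcrypt` in someone's build script now fails at configure time with an invalid-choice error, which is harsher than the "deprecated" wording of the new description suggests, while `-Dcryptolib=openssl`/`auto` are silently accepted and ignored since `get_option('cryptolib')` is no longer read anywhere in meson.build. Consider marking the option with meson's `deprecated : true` keyword so any use of it prints a warning, and keeping `'gcrypt'` in `choices` until the option is actually removed, e.g. `option('cryptolib', type : 'combo', choices : ['auto', 'openssl', 'gcrypt'], deprecated : true,`. Whether `deprecated : true` is available depends on the project's minimum meson version, which is not visible in this diff.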
@@ -105,39 +105,4 @@ int initialize_libgcrypt(bool secmem) { return 0; } - -# if !PREFER_OPENSSL -int string_hashsum(const char *s, size_t len, int md_algorithm, char **out) { - _cleanup_(sym_gcry_md_closep) gcry_md_hd_t md = NULL; - gcry_error_t err; - size_t hash_size; - void *hash; - char *enc; - int r; - - r = initialize_libgcrypt(false); - if (r < 0) - return r; - - hash_size = sym_gcry_md_get_algo_dlen(md_algorithm); - assert(hash_size > 0); - - err = sym_gcry_md_open(&md, md_algorithm, 0); - if (gcry_err_code(err) != GPG_ERR_NO_ERROR || !md) - return -EIO; - - sym_gcry_md_write(md, s, len); - - hash = sym_gcry_md_read(md, 0); - if (!hash) - return -EIO; - - enc = hexmem(hash, hash_size); - if (!enc) - return -ENOMEM; - - *out = enc; - return 0; -} -# endif #endif diff --git a/src/basic/gcrypt-util.h b/src/basic/gcrypt-util.h index b8b9b0b1cb8..8b347285513 100644 --- a/src/basic/gcrypt-util.h +++ b/src/basic/gcrypt-util.h @@ -63,25 +63,3 @@ DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(gcry_md_hd_t, gcry_md_close, NULL); (h__)->buf[(h__)->bufpos++] = (c) & 0xff; \ } while(false) #endif - -#if !PREFER_OPENSSL -# if HAVE_GCRYPT -int string_hashsum(const char *s, size_t len, int md_algorithm, char **out); -# endif - -static inline int string_hashsum_sha224(const char *s, size_t len, char **out) { -# if HAVE_GCRYPT - return string_hashsum(s, len, GCRY_MD_SHA224, out); -# else - return -EOPNOTSUPP; -# endif -} - -static inline int string_hashsum_sha256(const char *s, size_t len, char **out) { -# if HAVE_GCRYPT - return string_hashsum(s, len, GCRY_MD_SHA256, out); -# else - return -EOPNOTSUPP; -# endif -} -#endif diff --git a/src/import/meson.build b/src/import/meson.build index 45500edb433..ce3944f0813 100644 --- a/src/import/meson.build +++ b/src/import/meson.build @@ -78,7 +78,7 @@ executables += [ 'sources' : systemd_pull_sources, 'link_with' : common_libs, 'dependencies' : common_deps + [ - lib_openssl_or_gcrypt, + libopenssl, ], }, libexec_template + { 
diff --git a/src/import/pull-job.c b/src/import/pull-job.c index 848255179b8..b093766d1a5 100644 --- a/src/import/pull-job.c +++ b/src/import/pull-job.c @@ -7,7 +7,6 @@ #include "alloc-util.h" #include "fd-util.h" #include "format-util.h" -#include "gcrypt-util.h" #include "hexdecoct.h" #include "import-util.h" #include "io-util.h" @@ -42,11 +41,7 @@ PullJob* pull_job_unref(PullJob *j) { import_compress_free(&j->compress); if (j->checksum_ctx) -#if PREFER_OPENSSL EVP_MD_CTX_free(j->checksum_ctx); -#else - gcry_md_close(j->checksum_ctx); -#endif free(j->url); free(j->etag); @@ -107,11 +102,7 @@ static int pull_job_restart(PullJob *j, const char *new_url) { import_compress_free(&j->compress); if (j->checksum_ctx) { -#if PREFER_OPENSSL EVP_MD_CTX_free(j->checksum_ctx); -#else - gcry_md_close(j->checksum_ctx); -#endif j->checksum_ctx = NULL; } @@ -210,7 +201,6 @@ void pull_job_curl_on_finished(CurlGlue *g, CURL *curl, CURLcode result) { if (j->checksum_ctx) { unsigned checksum_len; -#if PREFER_OPENSSL uint8_t k[EVP_MAX_MD_SIZE]; r = EVP_DigestFinal_ex(j->checksum_ctx, k, &checksum_len); @@ -219,17 +209,6 @@ void pull_job_curl_on_finished(CurlGlue *g, CURL *curl, CURLcode result) { goto finish; } assert(checksum_len <= sizeof k); -#else - const uint8_t *k; - - k = gcry_md_read(j->checksum_ctx, GCRY_MD_SHA256); - if (!k) { - r = log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to get checksum."); - goto finish; - } - - checksum_len = gcry_md_get_algo_dlen(GCRY_MD_SHA256); -#endif j->checksum = hexmem(k, checksum_len); if (!j->checksum) { @@ -380,14 +359,10 @@ static int pull_job_write_compressed(PullJob *j, void *p, size_t sz) { "Content length incorrect."); if (j->checksum_ctx) { -#if PREFER_OPENSSL r = EVP_DigestUpdate(j->checksum_ctx, p, sz); if (r == 0) return log_error_errno(SYNTHETIC_ERRNO(EIO), "Could not hash chunk."); -#else - gcry_md_write(j->checksum_ctx, p, sz); -#endif } r = import_uncompress(&j->compress, p, sz, pull_job_write_uncompressed, j); 
@@ -421,7 +396,6 @@ static int pull_job_open_disk(PullJob *j) { } if (j->calc_checksum) { -#if PREFER_OPENSSL j->checksum_ctx = EVP_MD_CTX_new(); if (!j->checksum_ctx) return log_oom(); @@ -430,15 +404,6 @@ static int pull_job_open_disk(PullJob *j) { if (r == 0) return log_error_errno(SYNTHETIC_ERRNO(EIO), "Failed to initialize hash context."); -#else - r = initialize_libgcrypt(false); - if (r < 0) - return log_error_errno(r, "Failed to load libgcrypt: %m"); - - if (gcry_md_open(&j->checksum_ctx, GCRY_MD_SHA256, 0) != 0) - return log_error_errno(SYNTHETIC_ERRNO(EIO), - "Failed to initialize hash context."); -#endif } return 0; diff --git a/src/import/pull-job.h b/src/import/pull-job.h index 7a98b0f2f65..0bbac0ca8a8 100644 --- a/src/import/pull-job.h +++ b/src/import/pull-job.h @@ -74,7 +74,7 @@ struct PullJob { usec_t last_status_usec; bool calc_checksum; - hash_context_t checksum_ctx; + EVP_MD_CTX *checksum_ctx; char *checksum; bool sync; diff --git a/src/resolve/meson.build b/src/resolve/meson.build index 305c41af834..076ac680e3e 100644 --- a/src/resolve/meson.build +++ b/src/resolve/meson.build @@ -100,12 +100,11 @@ systemd_resolved_sources += custom_target( output : 'resolved-dnssd-gperf.c', command : [gperf, '@INPUT@', '--output-file', '@OUTPUT@']) -systemd_resolved_dependencies = [threads, libm] + [lib_openssl_or_gcrypt] +systemd_resolved_dependencies = [threads, libm, libopenssl] if conf.get('ENABLE_DNS_OVER_TLS') == 1 systemd_resolved_sources += files( 'resolved-dnstls.c', ) - systemd_resolved_dependencies += libopenssl endif link_with = [ @@ -119,7 +118,7 @@ resolve_common_template = { libsystemd_resolve_core, ], 'dependencies' : [ - lib_openssl_or_gcrypt, + libopenssl, libm, ], } @@ -144,7 +143,7 @@ executables += [ 'sources' : resolvectl_sources, 'link_with' : link_with, 'dependencies' : [ - lib_openssl_or_gcrypt, + libopenssl, libidn, libm, threads, 
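Review bot: `struct PullJob` now names `EVP_MD_CTX` directly in `EVP_MD_CTX *checksum_ctx;`, but the hunk adds no include to pull-job.h, and pull-job.c drops `#include "gcrypt-util.h"`, which was presumably how the OpenSSL types reached this header before. Unless pull-job.h already includes `openssl-util.h` above the visible context, add `#include "openssl-util.h"` to it so the header is self-contained and does not depend on the include order of its users. The struct definition starts and ends outside the hunk.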
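Review bot: `systemd_resolved_dependencies = [threads, libm, libopenssl]` now lists `libopenssl` unconditionally, while the rest of this series keeps `#if HAVE_OPENSSL` fallbacks in resolved and the CI matrix still builds with `-Dopenssl=disabled`; that only works if `libopenssl` is a not-found dependency object in that configuration rather than an empty list or undefined. Its definition is in the top-level meson.build outside this diff, so worth confirming, or guard it explicitly with `conf.get('HAVE_OPENSSL') == 1 ? [libopenssl] : []`. The same applies to the `resolve_common_template` and `resolvectl` dependency lists in the two following hunks.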
@@ -188,7 +187,7 @@ executables += [
         },
         resolve_test_template + {
                 'sources' : files('test-dnssec.c'),
-                'conditions' : ['HAVE_OPENSSL_OR_GCRYPT'],
+                'conditions' : ['HAVE_OPENSSL'],
         },
         resolve_test_template + {
                 'sources' : files('test-dnssec-complex.c'),
@@ -200,11 +199,7 @@ executables += [
                         basic_dns_sources,
                         systemd_resolved_sources,
                 ],
-                'dependencies' : [
-                        lib_openssl_or_gcrypt,
-                        libm,
-                        systemd_resolved_dependencies,
-                ],
+                'dependencies' : systemd_resolved_dependencies,
                 'include_directories' : resolve_includes,
         },
         test_template + {
@@ -257,11 +252,7 @@ executables += [
                         basic_dns_sources,
                         systemd_resolved_sources,
                 ],
-                'dependencies' : [
-                        lib_openssl_or_gcrypt,
-                        libm,
-                        systemd_resolved_dependencies,
-                ],
+                'dependencies' : systemd_resolved_dependencies,
                 'include_directories' : resolve_includes,
         },
         test_template + {
@@ -270,11 +261,7 @@ executables += [
                         basic_dns_sources,
                         systemd_resolved_sources,
                 ],
-                'dependencies' : [
-                        lib_openssl_or_gcrypt,
-                        libm,
-                        systemd_resolved_dependencies,
-                ],
+                'dependencies' : systemd_resolved_dependencies,
                 'include_directories' : resolve_includes,
                 'type' : 'manual',
         },
diff --git a/src/resolve/resolvectl.c b/src/resolve/resolvectl.c
index f02fd137776..b6278f111b1 100644
--- a/src/resolve/resolvectl.c
+++ b/src/resolve/resolvectl.c
@@ -22,7 +22,6 @@
 #include "escape.h"
 #include "format-ifname.h"
 #include "format-table.h"
-#include "gcrypt-util.h"
 #include "hostname-util.h"
 #include "json-util.h"
 #include "main-func.h"
diff --git a/src/resolve/resolved-conf.c b/src/resolve/resolved-conf.c
index 393e8a898ff..a09e222dabb 100644
--- a/src/resolve/resolved-conf.c
+++ b/src/resolve/resolved-conf.c
@@ -398,9 +398,9 @@ int manager_parse_config_file(Manager *m) { return r; } -#if !HAVE_OPENSSL_OR_GCRYPT +#if !HAVE_OPENSSL if (m->dnssec_mode != DNSSEC_NO) { - log_warning("DNSSEC option cannot be enabled or set to allow-downgrade when systemd-resolved is built without a cryptographic library. Turning off DNSSEC support."); + log_warning("DNSSEC option cannot be enabled or set to allow-downgrade when systemd-resolved is built without openssl. Turning off DNSSEC support."); m->dnssec_mode = DNSSEC_NO; } #endif diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c index 5f0152c278c..09bfa8a59a6 100644 --- a/src/resolve/resolved-dns-dnssec.c +++ b/src/resolve/resolved-dns-dnssec.c @@ -4,7 +4,6 @@ #include "dns-domain.h" #include "fd-util.h" #include "fileio.h" -#include "gcrypt-util.h" #include "hexdecoct.h" #include "memory-util.h" #include "memstream-util.h" @@ -14,7 +13,7 @@ #include "sort-util.h" #include "string-table.h" -#if PREFER_OPENSSL && OPENSSL_VERSION_MAJOR >= 3 +#if HAVE_OPENSSL && OPENSSL_VERSION_MAJOR >= 3 DISABLE_WARNING_DEPRECATED_DECLARATIONS; DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(RSA*, RSA_free, NULL); DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(EC_KEY*, EC_KEY_free, NULL); @@ -68,7 +67,7 @@ uint16_t dnssec_keytag(DnsResourceRecord *dnskey, bool mask_revoke) { return sum & UINT32_C(0xFFFF); } -#if HAVE_OPENSSL_OR_GCRYPT +#if HAVE_OPENSSL static int rr_compare(DnsResourceRecord * const *a, DnsResourceRecord * const *b) { const DnsResourceRecord *x = *a, *y = *b; 
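Review bot: With `#include "gcrypt-util.h"` removed from resolved-dns-dnssec.c, the `EVP_MD`, `RSA`, `EC_KEY` and `OPENSSL_VERSION_MAJOR` names used by the rest of the file must now come from an explicit include, and the visible include context (`dns-domain.h` … `memstream-util.h`) shows no `openssl-util.h`; confirm it is included further up, outside the hunk, rather than arriving transitively. Note also that `#if HAVE_OPENSSL && OPENSSL_VERSION_MAJOR >= 3` references `OPENSSL_VERSION_MAJOR` even when `HAVE_OPENSSL` is 0, where it is undefined; the preprocessor treats that as 0 so it is harmless, but a `-Wundef` build would warn, so splitting it into nested `#if HAVE_OPENSSL` / `#if OPENSSL_VERSION_MAJOR >= 3` is cleaner.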
@@ -92,14 +91,13 @@ static int rr_compare(DnsResourceRecord * const *a, DnsResourceRecord * const *b } static int dnssec_rsa_verify_raw( - hash_algorithm_t hash_algorithm, + const EVP_MD *hash_algorithm, const void *signature, size_t signature_size, const void *data, size_t data_size, const void *exponent, size_t exponent_size, const void *modulus, size_t modulus_size) { int r; -#if PREFER_OPENSSL DISABLE_WARNING_DEPRECATED_DECLARATIONS; _cleanup_(RSA_freep) RSA *rpubkey = NULL; _cleanup_(EVP_PKEY_freep) EVP_PKEY *epubkey = NULL; 
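Review bot: Now that OpenSSL is the only backend, `dnssec_rsa_verify_raw()` still assembles the public key through the deprecated low-level `RSA` API, which is why it is wrapped in `DISABLE_WARNING_DEPRECATED_DECLARATIONS` and needs the `RSA_freep` cleanup defined only for `OPENSSL_VERSION_MAJOR >= 3`. With the gcrypt abstraction gone this is a good moment to build the key with `EVP_PKEY_fromdata()` from `OSSL_PKEY_PARAM_RSA_N`/`OSSL_PKEY_PARAM_RSA_E` and verify via `EVP_DigestVerify*`, dropping the warning suppression; that depends on the project's OpenSSL version floor, which this diff does not show. The function body continues past the hunk.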
@@ -152,91 +150,11 @@ static int dnssec_rsa_verify_raw( "Signature verification failed: 0x%lx", ERR_get_error()); REENABLE_WARNING; -#else - gcry_sexp_t public_key_sexp = NULL, data_sexp = NULL, signature_sexp = NULL; - gcry_mpi_t n = NULL, e = NULL, s = NULL; - gcry_error_t ge; - - assert(hash_algorithm); - - ge = gcry_mpi_scan(&s, GCRYMPI_FMT_USG, signature, signature_size, NULL); - if (ge != 0) { - r = -EIO; - goto finish; - } - - ge = gcry_mpi_scan(&e, GCRYMPI_FMT_USG, exponent, exponent_size, NULL); - if (ge != 0) { - r = -EIO; - goto finish; - } - - ge = gcry_mpi_scan(&n, GCRYMPI_FMT_USG, modulus, modulus_size, NULL); - if (ge != 0) { - r = -EIO; - goto finish; - } - - ge = gcry_sexp_build(&signature_sexp, - NULL, - "(sig-val (rsa (s %m)))", - s); - - if (ge != 0) { - r = -EIO; - goto finish; - } - - ge = gcry_sexp_build(&data_sexp, - NULL, - "(data (flags pkcs1) (hash %s %b))", - hash_algorithm, - (int) data_size, - data); - if (ge != 0) { - r = -EIO; - goto finish; - } - - ge = gcry_sexp_build(&public_key_sexp, - NULL, - "(public-key (rsa (n %m) (e %m)))", - n, - e); - if (ge != 0) { - r = -EIO; - goto finish; - } - - ge = gcry_pk_verify(signature_sexp, data_sexp, public_key_sexp); - if (gpg_err_code(ge) == GPG_ERR_BAD_SIGNATURE) - r = 0; - else if (ge != 0) - r = log_debug_errno(SYNTHETIC_ERRNO(EIO), - "RSA signature check failed: %s", gpg_strerror(ge)); - else - r = 1; - -finish: - if (e) - gcry_mpi_release(e); - if (n) - gcry_mpi_release(n); - if (s) - gcry_mpi_release(s); - - if (public_key_sexp) - gcry_sexp_release(public_key_sexp); - if (signature_sexp) - gcry_sexp_release(signature_sexp); - if (data_sexp) - gcry_sexp_release(data_sexp); -#endif return r; } static int dnssec_rsa_verify( - hash_algorithm_t hash_algorithm, + const EVP_MD *hash_algorithm, const void *hash, size_t hash_size, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey) { 
@@ -292,15 +210,14 @@ static int dnssec_rsa_verify( } static int dnssec_ecdsa_verify_raw( - hash_algorithm_t hash_algorithm, - elliptic_curve_t curve, + const EVP_MD *hash_algorithm, + int curve, const void *signature_r, size_t signature_r_size, const void *signature_s, size_t signature_s_size, const void *data, size_t data_size, const void *key, size_t key_size) { int k; -#if PREFER_OPENSSL DISABLE_WARNING_DEPRECATED_DECLARATIONS; _cleanup_(EC_GROUP_freep) EC_GROUP *ec_group = NULL; _cleanup_(EC_POINT_freep) EC_POINT *p = NULL; 
@@ -363,96 +280,17 @@ static int dnssec_ecdsa_verify_raw( "Signature verification failed: 0x%lx", ERR_get_error()); REENABLE_WARNING; -#else - gcry_sexp_t public_key_sexp = NULL, data_sexp = NULL, signature_sexp = NULL; - gcry_mpi_t q = NULL, r = NULL, s = NULL; - gcry_error_t ge; - - assert(hash_algorithm); - - ge = gcry_mpi_scan(&r, GCRYMPI_FMT_USG, signature_r, signature_r_size, NULL); - if (ge != 0) { - k = -EIO; - goto finish; - } - - ge = gcry_mpi_scan(&s, GCRYMPI_FMT_USG, signature_s, signature_s_size, NULL); - if (ge != 0) { - k = -EIO; - goto finish; - } - - ge = gcry_mpi_scan(&q, GCRYMPI_FMT_USG, key, key_size, NULL); - if (ge != 0) { - k = -EIO; - goto finish; - } - - ge = gcry_sexp_build(&signature_sexp, - NULL, - "(sig-val (ecdsa (r %m) (s %m)))", - r, - s); - if (ge != 0) { - k = -EIO; - goto finish; - } - - ge = gcry_sexp_build(&data_sexp, - NULL, - "(data (flags rfc6979) (hash %s %b))", - hash_algorithm, - (int) data_size, - data); - if (ge != 0) { - k = -EIO; - goto finish; - } - - ge = gcry_sexp_build(&public_key_sexp, - NULL, - "(public-key (ecc (curve %s) (q %m)))", - curve, - q); - if (ge != 0) { - k = -EIO; - goto finish; - } - - ge = gcry_pk_verify(signature_sexp, data_sexp, public_key_sexp); - if (gpg_err_code(ge) == GPG_ERR_BAD_SIGNATURE) - k = 0; - else if (ge != 0) { - log_debug("ECDSA signature check failed: %s", gpg_strerror(ge)); - k = -EIO; - } else - k = 1; -finish: - if (r) - gcry_mpi_release(r); - if (s) - gcry_mpi_release(s); - if (q) - gcry_mpi_release(q); - - if (public_key_sexp) - gcry_sexp_release(public_key_sexp); - if (signature_sexp) - gcry_sexp_release(signature_sexp); - if (data_sexp) - gcry_sexp_release(data_sexp); -#endif return k; } static int dnssec_ecdsa_verify( - hash_algorithm_t hash_algorithm, + const EVP_MD *hash_algorithm, int algorithm, const void *hash, size_t hash_size, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey) { - elliptic_curve_t curve; + int curve; size_t key_size; uint8_t *q; 
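Review bot: Replacing `elliptic_curve_t curve` with a bare `int curve` in `dnssec_ecdsa_verify_raw()` and `dnssec_ecdsa_verify()` (and in the EdDSA functions below) loses the information that the value is an OpenSSL NID such as `NID_X9_62_prime256v1`. A short comment on the parameter, `int curve, /* OpenSSL curve NID */`, or a local `typedef int elliptic_curve_t;` kept for readability, would preserve the intent. The body of `dnssec_ecdsa_verify()` continues outside the hunk.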
@@ -462,10 +300,10 @@ static int dnssec_ecdsa_verify( assert(dnskey); if (algorithm == DNSSEC_ALGORITHM_ECDSAP256SHA256) { - curve = OPENSSL_OR_GCRYPT(NID_X9_62_prime256v1, "NIST P-256"); /* NIST P-256 */ + curve = NID_X9_62_prime256v1; /* NIST P-256 */ key_size = 32; } else if (algorithm == DNSSEC_ALGORITHM_ECDSAP384SHA384) { - curve = OPENSSL_OR_GCRYPT(NID_secp384r1, "NIST P-384"); /* NIST P-384 */ + curve = NID_secp384r1; /* NIST P-384 */ key_size = 48; } else return -EOPNOTSUPP; @@ -490,12 +328,11 @@ static int dnssec_ecdsa_verify( } static int dnssec_eddsa_verify_raw( - elliptic_curve_t curve, + int curve, const uint8_t *signature, size_t signature_size, const uint8_t *data, size_t data_size, const uint8_t *key, size_t key_size) { -#if PREFER_OPENSSL _cleanup_(EVP_PKEY_freep) EVP_PKEY *evkey = NULL; _cleanup_(EVP_PKEY_CTX_freep) EVP_PKEY_CTX *pctx = NULL; _cleanup_(EVP_MD_CTX_freep) EVP_MD_CTX *ctx = NULL; 
@@ -534,67 +371,6 @@ static int dnssec_eddsa_verify_raw( "Signature verification failed: 0x%lx", ERR_get_error()); return r; - -#elif GCRYPT_VERSION_NUMBER >= 0x010600 - gcry_sexp_t public_key_sexp = NULL, data_sexp = NULL, signature_sexp = NULL; - gcry_error_t ge; - int k; - - assert(signature_size == key_size * 2); - - ge = gcry_sexp_build(&signature_sexp, - NULL, - "(sig-val (eddsa (r %b) (s %b)))", - (int) key_size, - signature, - (int) key_size, - signature + key_size); - if (ge != 0) { - k = -EIO; - goto finish; - } - - ge = gcry_sexp_build(&data_sexp, - NULL, - "(data (flags eddsa) (hash-algo sha512) (value %b))", - (int) data_size, - data); - if (ge != 0) { - k = -EIO; - goto finish; - } - - ge = gcry_sexp_build(&public_key_sexp, - NULL, - "(public-key (ecc (curve %s) (flags eddsa) (q %b)))", - curve, - (int) key_size, - key); - if (ge != 0) { - k = -EIO; - goto finish; - } - - ge = gcry_pk_verify(signature_sexp, data_sexp, public_key_sexp); - if (gpg_err_code(ge) == GPG_ERR_BAD_SIGNATURE) - k = 0; - else if (ge != 0) - k = log_debug_errno(SYNTHETIC_ERRNO(EIO), - "EdDSA signature check failed: %s", gpg_strerror(ge)); - else - k = 1; -finish: - if (public_key_sexp) - gcry_sexp_release(public_key_sexp); - if (signature_sexp) - gcry_sexp_release(signature_sexp); - if (data_sexp) - gcry_sexp_release(data_sexp); - - return k; -#else - return -EOPNOTSUPP; -#endif } static int dnssec_eddsa_verify( @@ -602,11 +378,11 @@ static int dnssec_eddsa_verify( const void *data, size_t data_size, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey) { - elliptic_curve_t curve; + int curve; size_t key_size; if (algorithm == DNSSEC_ALGORITHM_ED25519) { - curve = OPENSSL_OR_GCRYPT(NID_ED25519, "Ed25519"); + curve = NID_ED25519; key_size = 32; } else return -EOPNOTSUPP; 
@@ -624,23 +400,13 @@ static int dnssec_eddsa_verify( dnskey->dnskey.key, key_size); } -static int md_add_uint8(hash_context_t ctx, uint8_t v) { -#if PREFER_OPENSSL +static int md_add_uint8(EVP_MD_CTX *ctx, uint8_t v) { return EVP_DigestUpdate(ctx, &v, sizeof(v)); -#else - gcry_md_write(ctx, &v, sizeof(v)); - return 0; -#endif } -static int md_add_uint16(hash_context_t ctx, uint16_t v) { +static int md_add_uint16(EVP_MD_CTX *ctx, uint16_t v) { v = htobe16(v); -#if PREFER_OPENSSL return EVP_DigestUpdate(ctx, &v, sizeof(v)); -#else - gcry_md_write(ctx, &v, sizeof(v)); - return 0; -#endif } static void fwrite_uint8(FILE *fp, uint8_t v) { @@ -745,9 +511,9 @@ static int dnssec_rrsig_expired(DnsResourceRecord *rrsig, usec_t realtime) { return realtime < inception || realtime > expiration; } -static hash_md_t algorithm_to_implementation_id(uint8_t algorithm) { +static const EVP_MD* algorithm_to_implementation_id(uint8_t algorithm) { - /* Translates a DNSSEC signature algorithm into an openssl/gcrypt digest identifier. + /* Translates a DNSSEC signature algorithm into an openssl digest identifier. * * Note that we implement all algorithms listed as "Must implement" and "Recommended to Implement" in * RFC6944. We don't implement any algorithms that are listed as "Optional" or "Must Not Implement". 
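Review bot: `md_add_uint8()` and `md_add_uint16()` now return `EVP_DigestUpdate()`'s result directly, i.e. 1 on success and 0 on failure, which is the opposite of the 0-on-success convention the deleted gcrypt branch used and of most helpers in this file; callers must therefore test `<= 0`, not `< 0`. A one-line comment above each helper, `/* Returns 1 on success, 0 on failure (OpenSSL convention). */`, would make that explicit for the call sites in `dnssec_verify_dnskey_by_ds()`, which are outside this hunk.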
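Review bot: The comment on `algorithm_to_implementation_id()` still cites RFC 6944 for the "Must implement"/"Recommended to Implement" list, but RFC 6944 has, to my knowledge, been obsoleted by RFC 8624, whose table differs (for example in how it rates SHA-1-based and Ed448 algorithms). Since the function now has a single backend it is worth re-checking the supported set against RFC 8624 and updating the reference, e.g. `/* ... listed as "MUST" or "RECOMMENDED" for validation in RFC 8624. Ed448 is deliberately not implemented. */`, so the `-EOPNOTSUPP` for `DNSSEC_ALGORITHM_ED448` in `dnssec_rrset_verify_sig()` is documented as intentional.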
@@ -757,20 +523,20 @@ static hash_md_t algorithm_to_implementation_id(uint8_t algorithm) { case DNSSEC_ALGORITHM_RSASHA1: case DNSSEC_ALGORITHM_RSASHA1_NSEC3_SHA1: - return OPENSSL_OR_GCRYPT(EVP_sha1(), GCRY_MD_SHA1); + return EVP_sha1(); case DNSSEC_ALGORITHM_RSASHA256: case DNSSEC_ALGORITHM_ECDSAP256SHA256: - return OPENSSL_OR_GCRYPT(EVP_sha256(), GCRY_MD_SHA256); + return EVP_sha256(); case DNSSEC_ALGORITHM_ECDSAP384SHA384: - return OPENSSL_OR_GCRYPT(EVP_sha384(), GCRY_MD_SHA384); + return EVP_sha384(); case DNSSEC_ALGORITHM_RSASHA512: - return OPENSSL_OR_GCRYPT(EVP_sha512(), GCRY_MD_SHA512); + return EVP_sha512(); default: - return OPENSSL_OR_GCRYPT(NULL, -EOPNOTSUPP); + return NULL; } } @@ -878,37 +644,23 @@ static int dnssec_rrset_verify_sig( assert(sig_data); assert(sig_size > 0); - hash_md_t md_algorithm; + const EVP_MD *md_algorithm; -#if PREFER_OPENSSL uint8_t hash[EVP_MAX_MD_SIZE]; unsigned hash_size; -#else - _cleanup_(gcry_md_closep) gcry_md_hd_t md = NULL; - void *hash; - size_t hash_size; - int r; - - r = initialize_libgcrypt(false); - if (r < 0) - return r; -#endif switch (rrsig->rrsig.algorithm) { case DNSSEC_ALGORITHM_ED25519: -#if PREFER_OPENSSL || GCRYPT_VERSION_NUMBER >= 0x010600 return dnssec_eddsa_verify( rrsig->rrsig.algorithm, sig_data, sig_size, rrsig, dnskey); -#endif case DNSSEC_ALGORITHM_ED448: return -EOPNOTSUPP; default: /* OK, the RRs are now in canonical order. Let's calculate the digest */ md_algorithm = algorithm_to_implementation_id(rrsig->rrsig.algorithm); -#if PREFER_OPENSSL if (!md_algorithm) return -EOPNOTSUPP; 
@@ -926,24 +678,6 @@ static int dnssec_rrset_verify_sig( return -EIO; assert(hash_size > 0); - -#else - if (md_algorithm < 0) - return md_algorithm; - - gcry_error_t err = gcry_md_open(&md, md_algorithm, 0); - if (gcry_err_code(err) != GPG_ERR_NO_ERROR || !md) - return -EIO; - - hash_size = gcry_md_get_algo_dlen(md_algorithm); - assert(hash_size > 0); - - gcry_md_write(md, sig_data, sig_size); - - hash = gcry_md_read(md, 0); - if (!hash) - return -EIO; -#endif } switch (rrsig->rrsig.algorithm) { @@ -953,7 +687,7 @@ static int dnssec_rrset_verify_sig( case DNSSEC_ALGORITHM_RSASHA256: case DNSSEC_ALGORITHM_RSASHA512: return dnssec_rsa_verify( - OPENSSL_OR_GCRYPT(md_algorithm, gcry_md_algo_name(md_algorithm)), + md_algorithm, hash, hash_size, rrsig, dnskey); @@ -961,7 +695,7 @@ static int dnssec_rrset_verify_sig( case DNSSEC_ALGORITHM_ECDSAP256SHA256: case DNSSEC_ALGORITHM_ECDSAP384SHA384: return dnssec_ecdsa_verify( - OPENSSL_OR_GCRYPT(md_algorithm, gcry_md_algo_name(md_algorithm)), + md_algorithm, rrsig->rrsig.algorithm, hash, hash_size, rrsig, @@ -1312,23 +1046,23 @@ int dnssec_has_rrsig(DnsAnswer *a, const DnsResourceKey *key) { return 0; } -static hash_md_t digest_to_hash_md(uint8_t algorithm) { +static const EVP_MD* digest_to_hash_md(uint8_t algorithm) { - /* Translates a DNSSEC digest algorithm into an openssl/gcrypt digest identifier */ + /* Translates a DNSSEC digest algorithm into an openssl digest identifier */ switch (algorithm) { case DNSSEC_DIGEST_SHA1: - return OPENSSL_OR_GCRYPT(EVP_sha1(), GCRY_MD_SHA1); + return EVP_sha1(); case DNSSEC_DIGEST_SHA256: - return OPENSSL_OR_GCRYPT(EVP_sha256(), GCRY_MD_SHA256); + return EVP_sha256(); case DNSSEC_DIGEST_SHA384: - return OPENSSL_OR_GCRYPT(EVP_sha384(), GCRY_MD_SHA384); + return EVP_sha384(); default: - return OPENSSL_OR_GCRYPT(NULL, -EOPNOTSUPP); + return NULL; } } 
@@ -1363,9 +1097,7 @@ int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, return r; encoded_length = r; - hash_md_t md_algorithm = digest_to_hash_md(ds->ds.digest_type); - -#if PREFER_OPENSSL + const EVP_MD *md_algorithm = digest_to_hash_md(ds->ds.digest_type); if (!md_algorithm) return -EOPNOTSUPP; @@ -1405,40 +1137,6 @@ int dnssec_verify_dnskey_by_ds(DnsResourceRecord *dnskey, DnsResourceRecord *ds, if (EVP_DigestFinal_ex(ctx, result, NULL) <= 0) return -EIO; -#else - if (md_algorithm < 0) - return -EOPNOTSUPP; - - r = initialize_libgcrypt(false); - if (r < 0) - return r; - - _cleanup_(gcry_md_closep) gcry_md_hd_t md = NULL; - - size_t hash_size = gcry_md_get_algo_dlen(md_algorithm); - assert(hash_size > 0); - - if (ds->ds.digest_size != hash_size) - return 0; - - gcry_error_t err = gcry_md_open(&md, md_algorithm, 0); - if (gcry_err_code(err) != GPG_ERR_NO_ERROR || !md) - return -EIO; - - gcry_md_write(md, wire_format, encoded_length); - if (mask_revoke) - md_add_uint16(md, dnskey->dnskey.flags & ~DNSKEY_FLAG_REVOKE); - else - md_add_uint16(md, dnskey->dnskey.flags); - md_add_uint8(md, dnskey->dnskey.protocol); - md_add_uint8(md, dnskey->dnskey.algorithm); - gcry_md_write(md, dnskey->dnskey.key, dnskey->dnskey.key_size); - - void *result = gcry_md_read(md, 0); - if (!result) - return -EIO; -#endif - return memcmp(result, ds->ds.digest, ds->ds.digest_size) == 0; } 
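Review bot: The deleted gcrypt branch of `dnssec_verify_dnskey_by_ds()` returned 0 when `ds->ds.digest_size != hash_size` before hashing anything; the surviving OpenSSL path between `if (!md_algorithm) return -EOPNOTSUPP;` and `return memcmp(result, ds->ds.digest, ds->ds.digest_size) == 0;` is cut by the hunk boundaries, so confirm it keeps an equivalent check, e.g. `if (ds->ds.digest_size != (size_t) EVP_MD_size(md_algorithm)) return 0;`. Without it a DS with an undersized `digest_size` is accepted on a prefix match and an oversized one compares bytes beyond the computed digest in `result`.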
@@ -1480,17 +1178,17 @@ int dnssec_verify_dnskey_by_ds_search(DnsResourceRecord *dnskey, DnsAnswer *vali return 0; } -static hash_md_t nsec3_hash_to_hash_md(uint8_t algorithm) { +static const EVP_MD* nsec3_hash_to_hash_md(uint8_t algorithm) { - /* Translates a DNSSEC NSEC3 hash algorithm into an openssl/gcrypt digest identifier */ + /* Translates a DNSSEC NSEC3 hash algorithm into an openssl digest identifier */ switch (algorithm) { case NSEC3_ALGORITHM_SHA1: - return OPENSSL_OR_GCRYPT(EVP_sha1(), GCRY_MD_SHA1); + return EVP_sha1(); default: - return OPENSSL_OR_GCRYPT(NULL, -EOPNOTSUPP); + return NULL; } } @@ -1510,8 +1208,7 @@ int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret) { "Ignoring NSEC3 RR %s with excessive number of iterations.", dns_resource_record_to_string(nsec3)); - hash_md_t algorithm = nsec3_hash_to_hash_md(nsec3->nsec3.algorithm); -#if PREFER_OPENSSL + const EVP_MD *algorithm = nsec3_hash_to_hash_md(nsec3->nsec3.algorithm); if (!algorithm) return -EOPNOTSUPP; 
@@ -1552,51 +1249,6 @@ int dnssec_nsec3_hash(DnsResourceRecord *nsec3, const char *name, void *ret) { if (EVP_DigestFinal_ex(ctx, result, NULL) <= 0) return -EIO; } -#else - if (algorithm < 0) - return algorithm; - - r = initialize_libgcrypt(false); - if (r < 0) - return r; - - size_t encoded_length; - unsigned hash_size = gcry_md_get_algo_dlen(algorithm); - assert(hash_size > 0); - - if (nsec3->nsec3.next_hashed_name_size != hash_size) - return -EINVAL; - - r = dns_name_to_wire_format(name, wire_format, sizeof(wire_format), true); - if (r < 0) - return r; - encoded_length = r; - - _cleanup_(gcry_md_closep) gcry_md_hd_t md = NULL; - gcry_error_t err = gcry_md_open(&md, algorithm, 0); - if (gcry_err_code(err) != GPG_ERR_NO_ERROR || !md) - return -EIO; - - gcry_md_write(md, wire_format, encoded_length); - gcry_md_write(md, nsec3->nsec3.salt, nsec3->nsec3.salt_size); - - void *result = gcry_md_read(md, 0); - if (!result) - return -EIO; - - for (unsigned k = 0; k < nsec3->nsec3.iterations; k++) { - uint8_t tmp[hash_size]; - memcpy(tmp, result, hash_size); - - gcry_md_reset(md); - gcry_md_write(md, tmp, hash_size); - gcry_md_write(md, nsec3->nsec3.salt, nsec3->nsec3.salt_size); - - result = gcry_md_read(md, 0); - if (!result) - return -EIO; - } -#endif memcpy(ret, result, hash_size); return (int) hash_size; @@ -1616,13 +1268,8 @@ static int nsec3_is_good(DnsResourceRecord *rr, DnsResourceRecord *nsec3) { return 0; /* Ignore NSEC3 RRs whose algorithm we don't know */ -#if PREFER_OPENSSL if (!nsec3_hash_to_hash_md(rr->nsec3.algorithm)) return 0; -#else - if (nsec3_hash_to_hash_md(rr->nsec3.algorithm) < 0) - return 0; -#endif /* Ignore NSEC3 RRs with an excessive number of required iterations */ if (rr->nsec3.iterations > NSEC3_ITERATIONS_MAX) diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c index 049262e6da2..61adc617f63 100644 --- a/src/resolve/resolved-dns-packet.c +++ b/src/resolve/resolved-dns-packet.c 
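Review bot: The deleted gcrypt branch of `dnssec_nsec3_hash()` rejected records whose `next_hashed_name_size` differs from the digest length with `-EINVAL` and asserted `hash_size > 0`; the OpenSSL path that remains starts above this hunk, so make sure it performs the same `if (nsec3->nsec3.next_hashed_name_size != hash_size) return -EINVAL;` check, since the final `memcpy(ret, result, hash_size)` and the callers' comparisons against `next_hashed_name` assume the two sizes agree. The function body begins outside the hunk.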
@@ -1,9 +1,5 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
-#if HAVE_GCRYPT
-# include
-#endif
-
 #include "alloc-util.h"
 #include "dns-domain.h"
 #include "escape.h"
@@ -813,7 +809,7 @@ int dns_packet_append_opt(
 static const uint8_t rfc6975[] = {
 0, DNS_EDNS_OPT_DAU, /* OPTION_CODE */
-#if PREFER_OPENSSL || (HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600)
+#if HAVE_OPENSSL
 0, 7, /* LIST_LENGTH */
 #else
 0, 6, /* LIST_LENGTH */
@@ -824,7 +820,7 @@ int dns_packet_append_opt(
 DNSSEC_ALGORITHM_RSASHA512,
 DNSSEC_ALGORITHM_ECDSAP256SHA256,
 DNSSEC_ALGORITHM_ECDSAP384SHA384,
-#if PREFER_OPENSSL || (HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600)
+#if HAVE_OPENSSL
 DNSSEC_ALGORITHM_ED25519,
 #endif
diff --git a/src/resolve/resolved-link.c b/src/resolve/resolved-link.c
index df4b5993a3b..88adc6840f2 100644
--- a/src/resolve/resolved-link.c
+++ b/src/resolve/resolved-link.c
@@ -418,11 +418,11 @@ void link_set_dnssec_mode(Link *l, DnssecMode mode) {
 assert(l);
-#if !HAVE_OPENSSL_OR_GCRYPT
+#if !HAVE_OPENSSL
 if (IN_SET(mode, DNSSEC_YES, DNSSEC_ALLOW_DOWNGRADE))
 log_link_warning(l, "DNSSEC option for the link cannot be enabled or set to allow-downgrade "
- "when systemd-resolved is built without a cryptographic library. "
+ "when systemd-resolved is built without openssl. "
 "Turning off DNSSEC support.");
 return;
 #endif
diff --git a/src/resolve/test-dnssec.c b/src/resolve/test-dnssec.c
index 6b0ab66ae74..59ce0c7b2d5 100644
--- a/src/resolve/test-dnssec.c
+++ b/src/resolve/test-dnssec.c
@@ -4,10 +4,6 @@
 #include
 #include
-#if HAVE_GCRYPT
-# include
-#endif
-
 #include "alloc-util.h"
 #include "hexdecoct.h"
 #include "resolved-dns-dnssec.h"
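Review bot: The `#else` branch of the `rfc6975[]` table still advertises six DNSSEC signing algorithms in the RFC 6975 DAU option on builds without OpenSSL, while the resolved-link.c hunk in this same commit turns DNSSEC off entirely in that configuration ("Turning off DNSSEC support."). RFC 6975 intends DAU/DHU/N3U to be sent by validating resolvers, so if `dns_packet_append_opt()` appends this option regardless of whether validation is possible (its caller and the rest of the function are outside the hunk), a non-validating build claims algorithm support it cannot exercise. Consider guarding the whole table with `#if HAVE_OPENSSL` instead of only the ED25519 entry, or add a comment such as `/* Without OpenSSL we cannot validate at all; this list only documents what we would parse. */` explaining why the reduced list is still emitted. The same consideration applies to the `-824` hunk below it.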
@@ -173,11 +169,7 @@ TEST(dnssec_verify_rfc8080_ed25519_example1) {
 assert_se(dnssec_verify_rrset(answer, mx->key, rrsig, dnskey, rrsig->rrsig.inception * USEC_PER_SEC, &result) >= 0);
-#if PREFER_OPENSSL || GCRYPT_VERSION_NUMBER >= 0x010600
 assert_se(result == DNSSEC_VALIDATED);
-#else
- assert_se(result == DNSSEC_UNSUPPORTED_ALGORITHM);
-#endif
 }
 TEST(dnssec_verify_rfc8080_ed25519_example2) {
@@ -265,11 +257,7 @@ TEST(dnssec_verify_rfc8080_ed25519_example2) {
 assert_se(dnssec_verify_rrset(answer, mx->key, rrsig, dnskey, rrsig->rrsig.inception * USEC_PER_SEC, &result) >= 0);
-#if PREFER_OPENSSL || GCRYPT_VERSION_NUMBER >= 0x010600
 assert_se(result == DNSSEC_VALIDATED);
-#else
- assert_se(result == DNSSEC_UNSUPPORTED_ALGORITHM);
-#endif
 }
 TEST(dnssec_verify_rfc6605_example1) {
diff --git a/src/shared/openssl-util.c b/src/shared/openssl-util.c
index b19c18e56ed..cceab4eaaf9 100644
--- a/src/shared/openssl-util.c
+++ b/src/shared/openssl-util.c
@@ -1223,7 +1223,6 @@ int pkcs7_new(X509 *certificate, EVP_PKEY *private_key, PKCS7 **ret_p7, PKCS7_SI
 return 0;
 }
-# if PREFER_OPENSSL
 int string_hashsum(
 const char *s,
 size_t len,
@@ -1250,7 +1249,6 @@ int string_hashsum(
 *ret = TAKE_PTR(enc);
 return 0;
 }
-# endif
 static int ecc_pkey_generate_volume_keys(
 EVP_PKEY *pkey,
diff --git a/src/shared/openssl-util.h b/src/shared/openssl-util.h
index d936ef54f44..6ab84e266cd 100644
--- a/src/shared/openssl-util.h
+++ b/src/shared/openssl-util.h
@@ -169,6 +169,8 @@ int digest_and_sign(const EVP_MD *md, EVP_PKEY *privkey, const void *data, size_
 int pkcs7_new(X509 *certificate, EVP_PKEY *private_key, PKCS7 **ret_p7, PKCS7_SIGNER_INFO **ret_si);
+int string_hashsum(const char *s, size_t len, const char *md_algorithm, char **ret);
 #else
 typedef struct X509 X509;
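Review bot: `assert_se(result == DNSSEC_VALIDATED);` is now unconditional, so this test assumes `dnssec_verify_rrset()` can verify Ed25519, which per the resolved-dns-packet.c hunk in this commit is only the case when HAVE_OPENSSL. If test-dnssec is still built in a configuration without OpenSSL (its meson entry is not in this diff), the test would fail here instead of being skipped, since the old `#else` branch expecting DNSSEC_UNSUPPORTED_ALGORITHM is gone. The safe fix is to gate the test the way this commit gates test-cryptolib in src/test/meson.build, `'conditions' : ['HAVE_OPENSSL']`, so the binary only exists where the assertion can hold. The same applies to the `-265` hunk for example2.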
@@ -198,6 +200,10 @@ static inline void* ASN1_STRING_free(ASN1_STRING *p) {
 return NULL;
 }
+static inline int string_hashsum(const char *s, size_t len, const char *md_algorithm, char **ret) {
+ return -EOPNOTSUPP;
+}
+
 #endif
 DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(X509*, X509_free, NULL);
@@ -230,29 +236,6 @@ int openssl_load_private_key(
 EVP_PKEY **ret_private_key,
 OpenSSLAskPasswordUI **ret_user_interface);
-#if PREFER_OPENSSL
-/* The openssl definition */
-typedef const EVP_MD* hash_md_t;
-typedef const EVP_MD* hash_algorithm_t;
-typedef int elliptic_curve_t;
-typedef EVP_MD_CTX* hash_context_t;
-# define OPENSSL_OR_GCRYPT(a, b) (a)
-
-#elif HAVE_GCRYPT
-
-# include
-
-/* The gcrypt definition */
-typedef int hash_md_t;
-typedef const char* hash_algorithm_t;
-typedef const char* elliptic_curve_t;
-typedef gcry_md_hd_t hash_context_t;
-# define OPENSSL_OR_GCRYPT(a, b) (b)
-#endif
-
-#if PREFER_OPENSSL
-int string_hashsum(const char *s, size_t len, const char *md_algorithm, char **ret);
-
 static inline int string_hashsum_sha224(const char *s, size_t len, char **ret) {
 return string_hashsum(s, len, "SHA224", ret);
 }
@@ -260,4 +243,3 @@ static inline int string_hashsum_sha224(const char *s, size_t len, char **ret) {
 static inline int string_hashsum_sha256(const char *s, size_t len, char **ret) {
 return string_hashsum(s, len, "SHA256", ret);
 }
-#endif
diff --git a/src/test/meson.build b/src/test/meson.build
index 4ef296a41aa..32200da424c 100644
--- a/src/test/meson.build
+++ b/src/test/meson.build
@@ -266,8 +266,8 @@ executables += [
 },
 test_template + {
 'sources' : files('test-cryptolib.c'),
- 'dependencies' : lib_openssl_or_gcrypt,
- 'conditions' : ['HAVE_OPENSSL_OR_GCRYPT'],
+ 'dependencies' : libopenssl,
+ 'conditions' : ['HAVE_OPENSSL'],
 },
 test_template + {
 'sources' : files('test-display-quota.c'),
diff --git a/src/test/test-cryptolib.c b/src/test/test-cryptolib.c
index 9f9be4d3727..4f51ead42ad 100644
--- a/src/test/test-cryptolib.c
+++ b/src/test/test-cryptolib.c
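Review bot: The new `string_hashsum()` stub turns what used to be a compile-time failure into a silent run-time -EOPNOTSUPP: with the `#if PREFER_OPENSSL` guard removed in the `-230`/`-260` hunks, `string_hashsum_sha224()` and `string_hashsum_sha256()` now exist in every build and simply fail without OpenSSL, so every caller (all outside this diff) must be prepared for that errno. The stub should say so; I would put above it `/* Stub for builds without OpenSSL: always fails with -EOPNOTSUPP and leaves *ret untouched, so callers must treat that errno as "hashing unavailable", not as bad input. */`. The stub also relies on `EOPNOTSUPP` being in scope in the no-OpenSSL branch; the other stubs in this `#else` block return plain NULL, so confirm the header (whose includes are outside the hunk) pulls in <errno.h> for this configuration.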
@@ -1,7 +1,6 @@
 /* SPDX-License-Identifier: LGPL-2.1-or-later */
 #include "alloc-util.h"
-#include "gcrypt-util.h"
 #include "macro.h"
 #include "openssl-util.h"
 #include "string-util.h"
@@ -11,25 +10,25 @@ TEST(string_hashsum) {
 _cleanup_free_ char *out1 = NULL, *out2 = NULL, *out3 = NULL, *out4 = NULL;
 assert_se(string_hashsum("asdf", 4,
- OPENSSL_OR_GCRYPT("SHA224", GCRY_MD_SHA224),
+ "SHA224",
 &out1) == 0);
 /* echo -n 'asdf' | sha224sum - */
 ASSERT_STREQ(out1, "7872a74bcbf298a1e77d507cd95d4f8d96131cbbd4cdfc571e776c8a");
 assert_se(string_hashsum("asdf", 4,
- OPENSSL_OR_GCRYPT("SHA256", GCRY_MD_SHA256),
+ "SHA256",
 &out2) == 0);
 /* echo -n 'asdf' | sha256sum - */
 ASSERT_STREQ(out2, "f0e4c2f76c58916ec258f246851bea091d14d4247a2fc3e18694461b1816e13b");
 assert_se(string_hashsum("", 0,
- OPENSSL_OR_GCRYPT("SHA224", GCRY_MD_SHA224),
+ "SHA224",
 &out3) == 0);
 /* echo -n '' | sha224sum - */
 ASSERT_STREQ(out3, "d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f");
 assert_se(string_hashsum("", 0,
- OPENSSL_OR_GCRYPT("SHA256", GCRY_MD_SHA256),
+ "SHA256",
 &out4) == 0);
 /* echo -n '' | sha256sum - */
 ASSERT_STREQ(out4, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855");
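Review bot: The test now spells out the digest names `"SHA224"`/`"SHA256"` inline, while openssl-util.h in this same commit makes the `string_hashsum_sha224()`/`string_hashsum_sha256()` wrappers that hard-code those same names unconditional; calling the wrappers here, e.g. `assert_se(string_hashsum_sha224("asdf", 4, &out1) == 0);`, would exercise them and drop the duplicated literals. There is also no negative case left after the gcrypt variant was removed: a call with an unknown digest name should fail, and asserting `assert_se(string_hashsum("asdf", 4, "NOSUCH", &out5) < 0);` would pin the error path (the exact errno depends on the OpenSSL implementation in openssl-util.c, which is outside this hunk, so only check the sign). The meson hunk above restricts this test to HAVE_OPENSSL builds, so the stub in the header is never what runs here.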