1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

port string_hashsum from libgcrypt to openssl^gcrypt

This allows resolved and importd to be built without libgcrypt.

Note that we now say either 'cryptographic library' or 'cryptolib'.

Co-authored-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2021-10-27 15:39:48 +02:00
parent fc169a6fb2
commit 7e8facb36b
13 changed files with 96 additions and 37 deletions

4
TODO
View File

@ -433,9 +433,7 @@ Features:
* socket units: allow creating a udev monitor socket with ListenDevices= or so,
with matches, then activate app through that passing socket over
* unify on openssl (as soon as OpenSSL 3.0 is out, and the Debian license
confusion is gone)
- port resolved over from libgcrypt (DNSSEC code)
* unify on openssl:
- port journald + fsprg over from libgcrypt
- when that's done: kill gnutls support in resolved

View File

@ -1448,18 +1448,6 @@ else
endif
conf.set10('HAVE_DBUS', have)
default_dnssec = get_option('default-dnssec')
if skip_deps
default_dnssec = 'no'
endif
if default_dnssec != 'no' and conf.get('HAVE_GCRYPT') == 0
message('default-dnssec cannot be set to yes or allow-downgrade when gcrypt is disabled. Setting default-dnssec to no.')
default_dnssec = 'no'
endif
conf.set('DEFAULT_DNSSEC_MODE',
'DNSSEC_' + default_dnssec.underscorify().to_upper())
conf.set_quoted('DEFAULT_DNSSEC_MODE_STR', default_dnssec)
dns_over_tls = get_option('dns-over-tls')
if dns_over_tls != 'false'
if dns_over_tls == 'openssl'
@ -1535,6 +1523,18 @@ conf.set10('HAVE_OPENSSL_OR_GCRYPT',
conf.get('HAVE_OPENSSL') == 1 or conf.get('HAVE_GCRYPT') == 1)
lib_openssl_or_gcrypt = conf.get('PREFER_OPENSSL') == 1 ? libopenssl : libgcrypt
default_dnssec = get_option('default-dnssec')
if skip_deps
default_dnssec = 'no'
endif
if default_dnssec != 'no' and conf.get('HAVE_OPENSSL_OR_GCRYPT') == 0
message('default-dnssec cannot be set to yes or allow-downgrade openssl and gcrypt are disabled. Setting default-dnssec to no.')
default_dnssec = 'no'
endif
conf.set('DEFAULT_DNSSEC_MODE',
'DNSSEC_' + default_dnssec.underscorify().to_upper())
conf.set_quoted('DEFAULT_DNSSEC_MODE_STR', default_dnssec)
want_importd = get_option('importd')
if want_importd != 'false'
have = (conf.get('HAVE_LIBCURL') == 1 and

View File

@ -48,7 +48,7 @@ const char* const systemd_features =
" -SECCOMP"
#endif
/* crypto libraries */
/* cryptographic libraries */
#if HAVE_GCRYPT
" +GCRYPT"

View File

@ -18,6 +18,7 @@ void initialize_libgcrypt(bool secmem) {
gcry_control(GCRYCTL_INITIALIZATION_FINISHED, 0);
}
# if !PREFER_OPENSSL
int string_hashsum(const char *s, size_t len, int md_algorithm, char **out) {
_cleanup_(gcry_md_closep) gcry_md_hd_t md = NULL;
gcry_error_t err;
@ -47,4 +48,5 @@ int string_hashsum(const char *s, size_t len, int md_algorithm, char **out) {
*out = enc;
return 0;
}
# endif
#endif

View File

@ -12,23 +12,28 @@
#include "macro.h"
void initialize_libgcrypt(bool secmem);
int string_hashsum(const char *s, size_t len, int md_algorithm, char **out);
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(gcry_md_hd_t, gcry_md_close, NULL);
#endif
#if !PREFER_OPENSSL
# if HAVE_GCRYPT
int string_hashsum(const char *s, size_t len, int md_algorithm, char **out);
# endif
static inline int string_hashsum_sha224(const char *s, size_t len, char **out) {
#if HAVE_GCRYPT
# if HAVE_GCRYPT
return string_hashsum(s, len, GCRY_MD_SHA224, out);
#else
# else
return -EOPNOTSUPP;
#endif
# endif
}
static inline int string_hashsum_sha256(const char *s, size_t len, char **out) {
#if HAVE_GCRYPT
# if HAVE_GCRYPT
return string_hashsum(s, len, GCRY_MD_SHA256, out);
#else
# else
return -EOPNOTSUPP;
#endif
# endif
}
#endif

View File

@ -23,6 +23,7 @@
#include "main-func.h"
#include "missing_network.h"
#include "netlink-util.h"
#include "openssl-util.h"
#include "pager.h"
#include "parse-argument.h"
#include "parse-util.h"

View File

@ -498,14 +498,14 @@ int manager_parse_config_file(Manager *m) {
return r;
}
#if ! HAVE_GCRYPT
#if !HAVE_OPENSSL_OR_GCRYPT
if (m->dnssec_mode != DNSSEC_NO) {
log_warning("DNSSEC option cannot be enabled or set to allow-downgrade when systemd-resolved is built without gcrypt support. Turning off DNSSEC support.");
log_warning("DNSSEC option cannot be enabled or set to allow-downgrade when systemd-resolved is built without a cryptographic library. Turning off DNSSEC support.");
m->dnssec_mode = DNSSEC_NO;
}
#endif
#if ! ENABLE_DNS_OVER_TLS
#if !ENABLE_DNS_OVER_TLS
if (m->dns_over_tls_mode != DNS_OVER_TLS_NO) {
log_warning("DNS-over-TLS option cannot be enabled or set to opportunistic when systemd-resolved is built without DNS-over-TLS support. Turning off DNS-over-TLS support.");
m->dns_over_tls_mode = DNS_OVER_TLS_NO;

View File

@ -1,7 +1,7 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#if HAVE_GCRYPT
#include <gcrypt.h>
# include <gcrypt.h>
#endif
#include "alloc-util.h"
@ -776,7 +776,7 @@ int dns_packet_append_opt(
static const uint8_t rfc6975[] = {
0, 5, /* OPTION_CODE: DAU */
#if HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600
#if PREFER_OPENSSL || (HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600)
0, 7, /* LIST_LENGTH */
#else
0, 6, /* LIST_LENGTH */
@ -787,7 +787,7 @@ int dns_packet_append_opt(
DNSSEC_ALGORITHM_RSASHA512,
DNSSEC_ALGORITHM_ECDSAP256SHA256,
DNSSEC_ALGORITHM_ECDSAP384SHA384,
#if HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600
#if PREFER_OPENSSL || (HAVE_GCRYPT && GCRYPT_VERSION_NUMBER >= 0x010600)
DNSSEC_ALGORITHM_ED25519,
#endif

View File

@ -414,9 +414,9 @@ void link_set_dnssec_mode(Link *l, DnssecMode mode) {
assert(l);
#if ! HAVE_GCRYPT
#if !HAVE_OPENSSL_OR_GCRYPT
if (IN_SET(mode, DNSSEC_YES, DNSSEC_ALLOW_DOWNGRADE))
log_warning("DNSSEC option for the link cannot be enabled or set to allow-downgrade when systemd-resolved is built without gcrypt support. Turning off DNSSEC support.");
log_warning("DNSSEC option for the link cannot be enabled or set to allow-downgrade when systemd-resolved is built without a cryptographic library. Turning off DNSSEC support.");
return;
#endif

View File

@ -2,6 +2,7 @@
#include "openssl-util.h"
#include "alloc-util.h"
#include "hexdecoct.h"
#if HAVE_OPENSSL
int openssl_hash(const EVP_MD *alg,
@ -107,4 +108,33 @@ int rsa_pkey_to_suitable_key_size(
*ret_suitable_key_size = suitable_key_size;
return 0;
}
# if PREFER_OPENSSL
int string_hashsum(
const char *s,
size_t len,
const EVP_MD *md_algorithm,
char **ret) {
uint8_t hash[EVP_MAX_MD_SIZE];
size_t hash_size;
char *enc;
int r;
hash_size = EVP_MD_size(md_algorithm);
assert(hash_size > 0);
r = openssl_hash(md_algorithm, s, len, hash, NULL);
if (r < 0)
return r;
enc = hexmem(hash, hash_size);
if (!enc)
return -ENOMEM;
*ret = enc;
return 0;
}
# endif
#endif

View File

@ -62,3 +62,15 @@ typedef const char* elliptic_curve_t;
typedef gcry_md_hd_t hash_context_t;
# define OPENSSL_OR_GCRYPT(a, b) (b)
#endif
#if PREFER_OPENSSL
int string_hashsum(const char *s, size_t len, hash_algorithm_t md_algorithm, char **ret);
static inline int string_hashsum_sha224(const char *s, size_t len, char **ret) {
return string_hashsum(s, len, EVP_sha224(), ret);
}
static inline int string_hashsum_sha256(const char *s, size_t len, char **ret) {
return string_hashsum(s, len, EVP_sha256(), ret);
}
#endif

View File

@ -594,8 +594,10 @@ tests += [
[['src/test/test-id128.c']],
[['src/test/test-gcrypt-util.c'],
[], [], [], 'HAVE_GCRYPT'],
[['src/test/test-cryptolib.c'],
[libshared],
[lib_openssl_or_gcrypt],
[], 'HAVE_OPENSSL_OR_GCRYPT'],
[['src/test/test-nss-hosts.c',
'src/test/nss-test-util.c',

View File

@ -3,25 +3,34 @@
#include "alloc-util.h"
#include "gcrypt-util.h"
#include "macro.h"
#include "openssl-util.h"
#include "string-util.h"
#include "tests.h"
TEST(string_hashsum) {
_cleanup_free_ char *out1 = NULL, *out2 = NULL, *out3 = NULL, *out4 = NULL;
assert_se(string_hashsum("asdf", 4, GCRY_MD_SHA224, &out1) == 0);
assert_se(string_hashsum("asdf", 4,
OPENSSL_OR_GCRYPT(EVP_sha224(), GCRY_MD_SHA224),
&out1) == 0);
/* echo -n 'asdf' | sha224sum - */
assert_se(streq(out1, "7872a74bcbf298a1e77d507cd95d4f8d96131cbbd4cdfc571e776c8a"));
assert_se(string_hashsum("asdf", 4, GCRY_MD_SHA256, &out2) == 0);
assert_se(string_hashsum("asdf", 4,
OPENSSL_OR_GCRYPT(EVP_sha256(), GCRY_MD_SHA256),
&out2) == 0);
/* echo -n 'asdf' | sha256sum - */
assert_se(streq(out2, "f0e4c2f76c58916ec258f246851bea091d14d4247a2fc3e18694461b1816e13b"));
assert_se(string_hashsum("", 0, GCRY_MD_SHA224, &out3) == 0);
assert_se(string_hashsum("", 0,
OPENSSL_OR_GCRYPT(EVP_sha224(), GCRY_MD_SHA224),
&out3) == 0);
/* echo -n '' | sha224sum - */
assert_se(streq(out3, "d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f"));
assert_se(string_hashsum("", 0, GCRY_MD_SHA256, &out4) == 0);
assert_se(string_hashsum("", 0,
OPENSSL_OR_GCRYPT(EVP_sha256(), GCRY_MD_SHA256),
&out4) == 0);
/* echo -n '' | sha256sum - */
assert_se(streq(out4, "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"));
}