path: root/ConfigureChecks.cmake
Age | Commit message | Author | Files | Lines
2019-12-16 | libgcrypt: Implement chacha20-poly1305@openssh.com cipher using libgcrypt | Jussi Kivilinna | 1 | -0/+3
Libgcrypt has supported ChaCha20 and Poly1305 since 1.7.0 version and provides fast assembler implementations.
v3:
- initialize pointers to NULL
- use 'bool' for chacha20_poly1305_keysched.initialized
- pass error codes from libgcrypt calls to variable
- add SSH_LOG on error paths
v2:
- use braces for one-line blocks
- use UNUSED_PARAM/UNUSED_VAR instead of cast to void
- use calloc instead of malloc+memset
Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-11-07 | cmake: Only use OpenSSL Ed25519 implementation when possible | Anderson Toshiyuki Sasaki | 1 | -1/+6
It is possible for OpenSSL to have the type EVP_PKEY_ED25519 in openssl/evp.h, but not the single shot functions EVP_DigestSign() and EVP_DigestVerify() which are required to generate Ed25519 signatures. Only switch to use OpenSSL Ed25519 implementation when OpenSSL has all required types and functions. Fixes: T197 Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-09-24 | cmake: Detect OpenSSL X25519 support | Anderson Toshiyuki Sasaki | 1 | -0/+4
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-09-24 | cmake: Detect OpenSSL support for Ed25519 | Anderson Toshiyuki Sasaki | 1 | -0/+4
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-09-24 | pki_crypto: Use EVP_DigestSign* and EVP_DigestVerify* | Anderson Toshiyuki Sasaki | 1 | -0/+8
Use the newer APIs EVP_DigestSign{Init}() and EVP_DigestVerify{Init}() to generate and verify signatures instead of the older EVP_Sign{Init, Update, Final} and EVP_Verify{Init, Update, Final} if supported. Also use the single shot signature/verification if supported as all the input is provided at once. This is a preparation to use Ed25519 implementation from OpenSSL. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-07-04 | libcrypto: fix compilation with LibreSSL | Stefan Strogin | 1 | -0/+4
LibreSSL does not support FIPS mode, check for FIPS_mode() in ConfigureChecks.cmake. Signed-off-by: Stefan Strogin <steils@gentoo.org> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-07-04 | cmake: Use GNUInstallDirs for installation | Andreas Schneider | 1 | -4/+1
Signed-off-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2019-03-07 | Use a common KDF function | Simo Sorce | 1 | -0/+4
Cleanup the KDF function to use only one function per crypto backend. Improve the KDF function to properly handle requested length and to avoid unnecessarily reallocating buffers. In OpenSSL use the new EVP_KDF API if available. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-02-21 | buffer: Fix regression introduced by 6c7eaa and c306a6 | Tilo Eckert | 1 | -12/+0
Buffer (un)packing was broken on compilers that are not gcc-compatible since the checks for an argument count of -1 have been removed from ssh_buffer_(un)pack(). This fix no longer uses GCC extensions for the __VA_NARG__ macro, but only plain C99. Note: The macro can no longer count empty argument lists (results in compile error) which was not needed anyway. Signed-off-by: Tilo Eckert <tilo.eckert@flam.de> Reviewed-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2018-12-19 | crypto: Disable blowfish support by default | Andreas Schneider | 1 | -2/+4
Signed-off-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2018-11-30 | bignum: Use UNUSED macros | Andreas Schneider | 1 | -15/+17
2018-11-30 | include: Add macro for unused arguments and variables | Andreas Schneider | 1 | -0/+20
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-11-28 | tests: Replace tests filtering with cmocka builtin filter | Anderson Toshiyuki Sasaki | 1 | -0/+8
This completely removes the tests filter code from torture.c and calls cmocka_set_test_filter() instead, if available. The checks for required libraries, headers, and the availability of cmocka_set_test_filter() were added to the cmake configuration. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2018-11-21 | libcrypto: disable AES-NI engine when running inside valgrind | Aris Adamantiadis | 1 | -0/+3
Valgrind detects many uninitialized memory false positives from libcrypto's AES-NI internals. Roll back to software AES when running tests. Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2018-11-02 | cmake: Only check for bounded attribute on OpenBSD | Andreas Schneider | 1 | -0/+3
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-10-24 | cmake: Fix -Wattributes check in ConfigureChecks.cmake | Andreas Schneider | 1 | -5/+5
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-10-09 | libcrypto: Implement OpenSSH-compatible AES-GCM ciphers using OpenSSL | Jakub Jelen | 1 | -0/+4
The commit also prepares the internals throughout the code base for the inclusion of a new AEAD cipher, because previously, the source code counted only with chacha20-poly1305 cipher, which is very specific in many cases. The SSH_HMAC_AEAD_GCM mac algorithm is not actually used, but the name needed to be defined so we can match in the algorithms selection per OpenSSH specification (MACs are ignored in case GCM is selected as a cipher [1]). If the provided OpenSSL does not provide EVP_aes_128_gcm() function, the AES-GCM ciphers will not be compiled in.
[1] https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.chacha20poly1305?annotate=HEAD
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2018-09-25 | cmake: Add -Wattributes for configure checks | Andreas Schneider | 1 | -0/+7
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-09-17 | cmake: Correctly detect if glob has gl_flags member | Andreas Schneider | 1 | -2/+3
Thanks to Baruch Siach. Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-08-29 | misc: Add strndup implementation if not provided by the OS | Andreas Schneider | 1 | -0/+1
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-08-27 | cmake: Check if the linker supports version scripts | Andreas Schneider | 1 | -0/+14
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-08-20 | cmake: Check for -Werror in ConfigureChecks.cmake | Andreas Schneider | 1 | -1/+4
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-08-16 | cmake: Correctly detect support for __bounded__ attribute | Andreas Schneider | 1 | -3/+3
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-08-13 | cmake: Only set -Werror on UNIX | Andreas Schneider | 1 | -1/+3
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-08-13 | cmake: Fix PACKAGE and VERSION in config.h | Andreas Schneider | 1 | -2/+2
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-08-13 | cmake: Detect constructor and destructor attributes | Andreas Schneider | 1 | -0/+24
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-08-13 | cmake: Fix fallthrough attribute detection | Andreas Schneider | 1 | -13/+11
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-08-13 | cmake: Fix check for bounded attribute | Andreas Schneider | 1 | -3/+7
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-07-05 | libcrypto: Use new RAND_priv_bytes() for strong randomness | Andreas Schneider | 1 | -0/+4
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-06-30 | cmake: Unset CMAKE_REQUIRED_* variables | Andreas Schneider | 1 | -8/+10
This should fix the 'gcc -m32' build! Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-06-29 | kex: Enable chacha20-poly1305 KEX with mbedtls | Andreas Schneider | 1 | -1/+0
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-06-28 | chacha: fix build for mbedTLS | Jon Simons | 1 | -1/+2
Fix the build for mbedTLS:
* set HAVE_CHACHA for non-mbedTLS builds
* only compile chachapoly.c when HAVE_CHACHA
* use empty CHACHA20 in src/kex.c unless HAVE_CHACHA
Signed-off-by: Jon Simons <jon@jonsimons.org> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2018-06-28 | cmake: detect "bounded" compiler attribute | Aris Adamantiadis | 1 | -0/+5
Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2018-06-28 | external: Add ChaCha and Poly1305 implementations from OpenSSH | Aris Adamantiadis | 1 | -0/+1
Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2018-06-04 | cmake: add WITH_PACKET_DEBUG option | Aris Adamantiadis | 1 | -0/+4
Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2018-03-11 | misc: Use SecureZeroMemory if available for explicit_bzero | Alberto Aguirre | 1 | -0/+2
Useful on Windows platforms where SecureZeroMemory is available. Signed-off-by: Alberto Aguirre <albaguirre@gmail.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2018-03-11 | misc: Use memset_s if available for explicit_bzero | Alberto Aguirre | 1 | -0/+1
Useful on OSX where memset_s is available. Signed-off-by: Alberto Aguirre <albaguirre@gmail.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2018-03-02 | priv: Implement explicit_bzero as a function if not available | Andreas Schneider | 1 | -1/+1
Signed-off-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Alberto Aguirre <albaguirre@gmail.com>
2018-02-12 | src: Use explicit_bzero() if available on the platform | Andreas Schneider | 1 | -0/+1
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2017-12-28 | add mbedtls crypto support | Juraj Vijtiuk | 1 | -2/+11
Summary: This patch adds support for mbedTLS as a crypto backend for libssh. mbedTLS is an SSL/TLS library that has been designed to mainly be used in embedded systems. It is loosely coupled and has a low memory footprint. mbedTLS also provides a cryptography library (libmbedcrypto) that can be used without the TLS modules. The patch is unfortunately quite big, since several new files had to be added. DSA is disabled at compile time, since mbedTLS doesn't support DSA
Patch review and feedback would be appreciated, and if any issues or suggestions appear, I'm willing to work on them.
Signed-off-by: Juraj Vijtiuk <juraj.vijtiuk@sartura.hr>
Test Plan:
* The patch has been tested with a Debug and MinSizeRel build, with libssh unit tests, client tests and the pkd tests.
* All the tests have been run with valgrind's memcheck, drd and helgrind tools.
* The examples/samplessh client works when built with the patch.
Reviewers: asn, aris
Subscribers: simonsj
Differential Revision: https://bugs.libssh.org/D1
2017-12-21 | config: Add CMake check for glob() | Jakub Jelen | 1 | -0/+5
2017-08-25 | cmake: Add check for fallthrough attribute | Andreas Schneider | 1 | -0/+27
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2017-02-23 | cmake: Check for EVP_CIPHER_CTX_new | Andreas Schneider | 1 | -0/+4
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2016-11-07 | cmake: Use configure check for CRYPTO_ctr128_encrypt | Andreas Schneider | 1 | -0/+4
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2016-11-07 | threads: Use new API call for OpenSSL CRYPTO THREADID | Andreas Schneider | 1 | -0/+3
BUG: https://red.libssh.org/issues/222 Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2016-11-06 | cmake: Check for io.h on Windows | Andreas Schneider | 1 | -0/+2
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2016-11-06 | cmake: Correctly check for sys/[u]time.h | Andreas Schneider | 1 | -0/+1
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2016-11-06 | cmake: Always check for strtoull | Andreas Schneider | 1 | -1/+1
This fixes building with different compilers on Windows BUG: https://red.libssh.org/issues/225 Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2016-11-05 | cmake: Correctly check for *snprintf functions on Windows | Andreas Schneider | 1 | -7/+12
BUG: https://red.libssh.org/issues/205 Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2016-11-03 | pki_gcrypt: Handle ECDSA keys and signatures | Justus Winter | 1 | -2/+2
* ConfigureChecks.cmake: Set 'HAVE_ECC' and 'HAVE_GCRYPT_ECC' if applicable.
* include/libssh/pki.h (struct ssh_key_struct): Fix type of field 'ecdsa'.
(struct ssh_signature_struct): Likewise for 'ecdsa_sig'.
* src/pki.c (ssh_pki_key_ecdsa_name): Relax guard now that the used function is also provided by the gcrypt backend.
(ssh_signature_free): Free ecdsa signature.
* src/pki_gcrypt.c (ECDSA_HEADER_{BEGIN,END}): New macros.
(privatekey_string_to_buffer): Handle ECDSA keys.
(pki_key_ecdsa_to_nid): New function.
(pki_key_ecdsa_nid_to_gcrypt_name): Likewise.
(pki_key_ecdsa_nid_to_name): Likewise.
(pki_key_ecdsa_nid_to_char): Likewise.
(pki_key_ecdsa_nid_from_name): Implement.
(asn1_oi_to_nid): New function.
(b64decode_ecdsa_privatekey): Likewise.
(pki_private_key_from_base64): Handle ECDSA keys.
(pki_pubkey_build_ecdsa): Implement.
(pki_key_dup): Handle ECDSA keys.
(pki_key_generate): Likewise.
(pki_key_generate_ecdsa): Implement.
(pki_key_compare): Handle ECDSA keys.
(pki_publickey_to_blob): Likewise.
(pki_signature_from_blob): Likewise.
(pki_signature_verify): Likewise.
(pki_do_sign): Likewise.
(pki_do_sign_sessionid): Likewise.
Signed-off-by: Justus Winter <justus@g10code.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>