aboutsummaryrefslogtreecommitdiff
path: root/ConfigureChecks.cmake
AgeCommit message (Collapse)AuthorFilesLines
2024-02-22cmake: use imported targets for OpenSSL and zlibGregor Jasny1-23/+2
Imported targets are highly preferred over the individual variables for includes and libs because they will be used in a coherent way and any spelling mistakes or unavailability won't go unnoticed. Also it will prevent bugs like conan-io/conan-center-index#16900 or using mismatching header/libs combinations. Signed-off-by: Gregor Jasny <gjasny@googlemail.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2023-03-01Add support for PKCS#11 provider in OpenSSL 3.0Jakub Jelen1-3/+13
The engine API in OpenSSL 3.0 is deprecated so we are in the progress of working on a PKCS#11 provider for OpenSSL. This commit introduces a conditional build with the pkcs11-provider support (instead of engines) with all the changes required for the provider to work with existing code and tests. The CI modification is only temporary before we will have the real package in Fedora or somewhere to use. Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Norbert Pocs <npocs@redhat.com>
2023-02-07fixed argp missing errorAhsen Kamal1-0/+2
Signed-off-by: Ahsen Kamal <itsahsenkamal@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2023-02-02Remove support for DSA KeysMohammad Shehar Yaar Tausif1-13/+0
Solving issue #110. The original work is at !231 Some changes were needed because the newly added features in master through time Signed-off-by: Mohammad Shehar Yaar Tausif <sheharyaar48@gmail.com> Signed-off-by: Norbert Pocs <npocs@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2022-10-31ConfigureChecks.cmake: Remove implicitly included function checksNorbert Pocs1-31/+0
Removing support for older openssl versions than 1.1.1 makes some functions implicitly included; we do not have to check the availability of these functions. Signed-off-by: Norbert Pocs <npocs@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2022-10-12Fix various spelling issues reported by codespellJakub Jelen1-1/+1
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2022-08-30cmake: Check for weak attributeAndreas Schneider1-0/+17
Signed-off-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2022-08-25CMake: Do not build PKCS#11 URI support with OpenSSL <1.1.1Jakub Jelen1-0/+4
The old version is missing the EVP_PKEY_up_ref(), which is needed to keep track of the EVP_PKEY references. Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2022-07-12Change cmake files for new openssl APINorbert Pocs1-0/+9
The new API does not provide EVP_KDF_CTX_new_id function, insted it works with EVP_KDF_CTX_new and fetching the algorithm. Adding a check for both to make it work with the new API too. Signed-off-by: Norbert Pocs <npocs@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2021-01-12libmbedcrypto: Fix chacha20-poly1305Anderson Toshiyuki Sasaki1-0/+6
Previously, the mbed TLS implementation wouldn't be use at all when available, being the internal implementation always used instead. This corrects few bugs and makes the mbed TLS implementation to be used when ChaCha20 and Poly1305 are available. This also makes the constant time comparison to be used when checking the authentication tag. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2021-01-11Cleanup AES compatibility codeDirkjan Bussink1-16/+0
OpenSSL 1.0.1 has support for CTR & GCM modes so the checks here are no longer needed. This allows for a bunch of additional cleanup of the old code. As for old MacOS versions etc, LibreSSL is a kind of compatibility layer there but things already don't work anyway with that, so it doesn't break anything that isn't already broken. OpenSSL is needed on MacOS separately anyway (like installed with Homebrew). Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2021-01-11Remove no longer needed compatibility checkDirkjan Bussink1-4/+0
CRYPTO_THREADID_set_callback is available since 1.0.1 which is the oldest supported version. This means the check and compatibility code can be removed. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2021-01-11Remove no longer needed compatibility functionDirkjan Bussink1-4/+0
Since OpenSSL 1.0.1 is the minimum version, this function is always available so no compatibility check is needed anymore. Signed-off-by: Dirkjan Bussink <d.bussink@gmail.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2020-12-10Use OPENSSL_CRYPTO_LIBRARIES CMake variable when linking against OpenSSLKevin Kane1-15/+15
The build currently breaks when attempting to link libssh.so using a statically-linked OpenSSL. -ldl and -lpthread are required when linking a binary with the static libcrypto.a. The OPENSSL_CRYPTO_LIBRARY does not include these dependencies when linking against static OpenSSL. OPENSSL_CRYPTO_LIBRARIES contains the correct dependencies in both static and shared configurations; -ldl and -lpthread are not required when linking against shared libcrypto.so. This change changes all uses of OPENSSL_CRYPTO_LIBRARY to OPENSSL_CRYPTO_LIBRARIES to let the FindOpenSSL CMake module always provide the correct libraries at link time. Signed-off-by: Kevin Kane <kkane@microsoft.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-12-10Revert "cmake: Use OPENSSL_CRYPTO_LIBRARIES CMake variable when linking ↵Andreas Schneider1-15/+15
against OpenSSL" This reverts commit 026879e9f0d766ebe651e6d3fd9809e243928391.
2020-12-10cmake: Use OPENSSL_CRYPTO_LIBRARIES CMake variable when linking against OpenSSLKevin Kane1-15/+15
The build currently breaks when attempting to link libssh.so using a statically-linked OpenSSL. -ldl and -lpthread are required when linking a binary with the static libcrypto.a. The OPENSSL_CRYPTO_LIBRARY does not include these dependencies when linking against static OpenSSL. OPENSSL_CRYPTO_LIBRARIES contains the correct dependencies in both static and shared configurations; -ldl and -lpthread are not required when linking against shared libcrypto.so. This change changes all uses of OPENSSL_CRYPTO_LIBRARY to OPENSSL_CRYPTO_LIBRARIES to let the FindOpenSSL CMake module always provide the correct libraries at link time. Signed-off-by: Kevin Kane <kkane@microsoft.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-09-02ConfigureChecks.cmake: Disable HAVE_DSA by default (when mbedTLS is not enabled)Sahana Prasad1-4/+13
Ensure that it is not possible to enable it back with mbedTLS Signed-off-by: Sahana Prasad <sahana@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2020-01-23Implement ChaCha20-poly1305 cipher using native OpenSSLJakub Jelen1-0/+8
Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-12-20cmake: Add new option for PKCS11 URI supportSahana Prasad1-0/+11
Signed-off-by: Sahana Prasad <sahana@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-12-16libgcrypt: Implement chacha20-poly1305@openssh.com cipher using libgcryptJussi Kivilinna1-0/+3
Libgcrypt has supported ChaCha20 and Poly1305 since 1.7.0 version and provides fast assembler implementations. v3: - initialize pointers to NULL - use 'bool' for chacha20_poly1305_keysched.initialized - pass error codes from libgcrypt calls to variable - add SSH_LOG on error paths v2: - use braces for one-line blocks - use UNUSED_PARAM/UNUSED_VAR instead of cast to void - use calloc instead of malloc+memset Signed-off-by: Jussi Kivilinna <jussi.kivilinna@iki.fi> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-11-07cmake: Only use OpenSSL Ed25519 implementation when possibleAnderson Toshiyuki Sasaki1-1/+6
It is possible for OpenSSL to have the type EVP_PKEY_ED25519 in openssl/evp.h, but not the single shot functions EVP_DigestSign() and EVP_DigestVerify() which are required to generate Ed25519 signatures. Only switch to use OpenSSL Ed25519 implementation when OpenSSL have all required types and functions. Fixes: T197 Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-09-24cmake: Detect OpenSSL X25519 supportAnderson Toshiyuki Sasaki1-0/+4
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-09-24cmake: Detect OpenSSL support for Ed25519Anderson Toshiyuki Sasaki1-0/+4
Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-09-24pki_crypto: Use EVP_DigestSign* and EVP_DigestVerify*Anderson Toshiyuki Sasaki1-0/+8
Use the newer APIs EVP_DigestSign{Init}() and EVP_DigestVerify{Init}() to generate and verify signatures instead of the older EVP_Sign{Init, Update, Final} and EVP_Verify{Init, Update, Final} if supported. Also use the single shot signature/verification if supported as all the input is provided at once. This is a preparation to use Ed25519 implementation from OpenSSL. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-07-04libcrypto: fix compilation with LibreSSLStefan Strogin1-0/+4
LibreSSL does not support FIPS mode, check for FIPS_mode() in ConfigureChecks.cmake. Signed-off-by: Stefan Strogin <steils@gentoo.org> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2019-07-04cmake: Use GNUInstallDirs for installationAndreas Schneider1-4/+1
Signed-off-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com>
2019-03-07Use a common KDF functionSimo Sorce1-0/+4
Cleanup the KDF function to use only one function per crypto backend. Improve the KDF function to properly handle requested lenght and to avoid unnecessarily reallocating buffers. In OpenSSL use the new EVP_KDF API if available. Signed-off-by: Simo Sorce <simo@redhat.com> Reviewed-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2019-02-21buffer: Fix regression introduced by 6c7eaa and c306a6Tilo Eckert1-12/+0
Buffer (un)packing was broken on compilers that are not gcc-compatible since the checks for an argument count of -1 have been removed from ssh_buffer_(un)pack(). This fix no longer uses GCC extensions for the __VA_NARG__ macro, but only plain C99. Note: The macro can no longer count empty argument lists (results in compile error) which was not needed anyway. Signed-off-by: Tilo Eckert <tilo.eckert@flam.de> Reviewed-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2018-12-19crypto: Disable blowfish support by defaultAndreas Schneider1-2/+4
Signed-off-by: Andreas Schneider <asn@cryptomilk.org> Reviewed-by: Jakub Jelen <jjelen@redhat.com>
2018-11-30bignum: Use UNUSED macrosAndreas Schneider1-15/+17
2018-11-30include: Add macro for unused arguments and variablesAndreas Schneider1-0/+20
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-11-28tests: Replace tests filtering with cmocka builtin filterAnderson Toshiyuki Sasaki1-0/+8
This completely removes the tests filter code from torture.c and calls cmocka_set_test_filter() instead, if available. The checks for required libraries, headers, and the availability of cmocka_set_test_filter() were added to the cmake configuration. Signed-off-by: Anderson Toshiyuki Sasaki <ansasaki@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2018-11-21libcrypto: disable AES-NI engine when running inside valgrindAris Adamantiadis1-0/+3
Valgrind detects many uninitialized memory false positives from libcrypto's AES-NI internals. Roll back to software AES when running tests. Signed-off-by: Aris Adamantiadis <aris@0xbadc0de.be> Reviewed-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2018-11-02cmake: Only check for bounded attribute on OpenBSDAndreas Schneider1-0/+3
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-10-24cmake: Fix -Wattributes check in ConfigureChecks.cmakeAndreas Schneider1-5/+5
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-10-09libcrypto: Implement OpenSSH-compatible AES-GCM ciphers using OpenSSLJakub Jelen1-0/+4
The commit also propares the internals throughout the code base for the inclusion of a new AEAD cipher, because previously, the source code counted only with chacha20-poly1305 cipher, which is very specific in many cases. The SSH_HMAC_AEAD_GCM mac algorithm is not actually used, but the name needed to be defined so we can match in the algorithms selection per OpenSSH specification (MACs are ignored in case GCM is select as a cipher [1]). If the provided OpenSSL does not provide EVP_aes_128_gcm() function, the AES-GCM ciphers will not be compiled in. [1] https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.chacha20poly1305?annotate=HEAD Signed-off-by: Jakub Jelen <jjelen@redhat.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2018-09-25cmake: Add -Wattributs for configure checksAndreas Schneider1-0/+7
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-09-17cmake: Correctly detect if glob has gl_flags memberAndreas Schneider1-2/+3
Thanks to Baruch Siach. Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-08-29misc: Add strndup implementation if not provides by the OSAndreas Schneider1-0/+1
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-08-27cmake: Check if the linker supports version scriptsAndreas Schneider1-0/+14
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-08-20cmake: Check for -Werror in ConfigureChecks.cmakeAndreas Schneider1-1/+4
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-08-16cmake: Correctly detect support for __bounded__ attributeAndreas Schneider1-3/+3
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-08-13cmake: Only set -Werror on UNIXAndreas Schneider1-1/+3
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-08-13cmake: Fix PACKAGE and VERSION in config.hAndreas Schneider1-2/+2
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-08-13cmake: Detect constructor and destructor attributesAndreas Schneider1-0/+24
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-08-13cmake: Fix fallthrough attribute detectionAndreas Schneider1-13/+11
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-08-13cmake: Fix check for bounded attributeAndreas Schneider1-3/+7
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-07-05libcrypto: Use new RAND_priv_bytes() for strong randomnessAndreas Schneider1-0/+4
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-06-30cmake: Unset CMAKE_REQUIRED_* variablesAndreas Schneider1-8/+10
This should fix the 'gcc -m32' build! Signed-off-by: Andreas Schneider <asn@cryptomilk.org>
2018-06-29kex: Enable chacha20-poly1304 KEX with mbedtlsAndreas Schneider1-1/+0
Signed-off-by: Andreas Schneider <asn@cryptomilk.org>