From libssh2-devel-bounces@cool.haxx.se  Sun Oct 16 16:55:09 2016
To: libssh2-devel@cool.haxx.se
From: yumkam@gmail.com (Yuriy M. Kaminskiy)
Subject: Re: time to release another libssh2 version!
Date: Fri, 14 Oct 2016 13:33:14 +0300
Message-ID: <m31szjb4ph.fsf@gmail.com>
References: <alpine.DEB.2.20.1609232340161.19666@tvnag.unkk.fr>

Daniel Stenberg <daniel@haxx.se> writes:

> I think it is about time we ship another release. The OpenSSL 1.1.0
> support being a major reason I think.
>
> So, please bring up your issues that we should squeeze in before we
> release.

E.g. that libssh2 uses an oversized exponent (private key) in the DH handshake,
which renders it several times slower than it should be?

E.g. that libssh2 fails to verify if the received field length fits in the
buffer size *everywhere*, and so a malicious server (or maybe even a MitM
attacker) can trivially crash the client, or steal host (client) memory?

> We have a whole bunch of issues and pull-requests we could use more
> eyes and hands on to deal with. Maybe we could take care of some of
> them before next release?
>
> The mbedTLS backend for example maybe?
> https://github.com/libssh2/libssh2/pull/106
>
> Any suggestion on how long time we should set for ourselves to prepare
> until we ship? I would like to propose that we aim for doing the
> release on Tuesday October 11. And this means that if there's anything
> larger anyone wants to merge, it needs to be done ASAP so that we have
> at least a week with no large changes before we ship.
>
> Feel free to object, agree or suggest something different!

_______________________________________________
libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
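
The class of bug named in the message above, a received length field used without comparing it to the bytes actually in the buffer, shown as an added C illustration for the SSH wire `string` type (uint32 length, then data). It is not libssh2 code and not from anyone on the list; every function and buffer name is hypothetical and the sample payloads are constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cursor over the bytes actually received for one packet payload. */
struct reader {
    const unsigned char *data;
    size_t len;  /* bytes available in data */
    size_t off;  /* current parse offset */
};

static uint32_t be32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

/* UNSAFE pattern: the peer-supplied length is believed as-is. A caller that
 * copies *slen bytes from *s reads past the end of the packet (crash or
 * disclosure of adjacent memory). Assumes at least 4 bytes are present. */
static void get_string_unchecked(struct reader *r,
                                 const unsigned char **s, uint32_t *slen)
{
    *slen = be32(r->data + r->off);
    *s = r->data + r->off + 4;
    r->off += 4 + (size_t)*slen;
}

/* Hardened form: both the 4-byte header and the body must fit in what is
 * left of the buffer. Subtractions are ordered so they cannot wrap. */
static int get_string_checked(struct reader *r,
                              const unsigned char **s, uint32_t *slen)
{
    uint32_t n;

    if (r->off > r->len || r->len - r->off < 4)
        return -1;                      /* header does not fit */
    n = be32(r->data + r->off);
    if (n > r->len - r->off - 4)
        return -1;                      /* body does not fit */
    *s = r->data + r->off + 4;
    *slen = n;
    r->off += 4 + (size_t)n;
    return 0;
}

/* Constructed sample payloads (not captured traffic). */
static const unsigned char good_pkt[] =
    { 0, 0, 0, 7, 's', 's', 'h', '-', 'r', 's', 'a', 0, 0, 0, 2, 'A', 'B' };
static const unsigned char bad_pkt[] =     /* claims 4096 bytes, has 3 */
    { 0, 0, 0x10, 0, 's', 's', 'h' };
static const unsigned char trunc_pkt[] =   /* second header cut short */
    { 0, 0, 0, 1, 'a', 0, 0 };

/* Copy the first string field into dst; -1 if malformed or too large. */
long copy_first_string(const unsigned char *pkt, size_t pktlen,
                       unsigned char *dst, size_t dstlen)
{
    struct reader r = { pkt, pktlen, 0 };
    const unsigned char *s;
    uint32_t n;

    if (get_string_checked(&r, &s, &n) != 0 || n > dstlen)
        return -1;
    memcpy(dst, s, n);
    return (long)n;
}

/* Walk every string field; -1 as soon as one field does not fit. */
int count_strings(const unsigned char *pkt, size_t pktlen)
{
    struct reader r = { pkt, pktlen, 0 };
    const unsigned char *s;
    uint32_t n;
    int count = 0;

    while (r.off < r.len) {
        if (get_string_checked(&r, &s, &n) != 0)
            return -1;
        count++;
    }
    return count;
}

/* Length the unchecked parser would hand to its caller (never dereferenced). */
unsigned long unchecked_claimed_len(const unsigned char *pkt, size_t pktlen)
{
    struct reader r = { pkt, pktlen, 0 };
    const unsigned char *s;
    uint32_t n;

    get_string_unchecked(&r, &s, &n);
    return n;
}

int main(void)
{
    unsigned char dst[32];

    printf("good: first=%ld fields=%d\n",
           copy_first_string(good_pkt, sizeof good_pkt, dst, sizeof dst),
           count_strings(good_pkt, sizeof good_pkt));
    printf("bad: checked=%ld unchecked-claims=%lu of %lu bytes\n",
           copy_first_string(bad_pkt, sizeof bad_pkt, dst, sizeof dst),
           unchecked_claimed_len(bad_pkt, sizeof bad_pkt),
           (unsigned long)sizeof bad_pkt);
    printf("truncated: fields=%d\n", count_strings(trunc_pkt, sizeof trunc_pkt));
    return 0;
}
```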

From libssh2-devel-bounces@cool.haxx.se  Sun Oct 16 17:17:57 2016
Date: Sun, 16 Oct 2016 17:17:47 +0200 (CEST)
From: Daniel Stenberg <daniel@haxx.se>
To: libssh2 development <libssh2-devel@cool.haxx.se>
Subject: Re: time to release another libssh2 version!
In-Reply-To: <m31szjb4ph.fsf@gmail.com>
Message-ID: <alpine.DEB.2.20.1610161717150.1680@tvnag.unkk.fr>
References: <alpine.DEB.2.20.1609232340161.19666@tvnag.unkk.fr>
 <m31szjb4ph.fsf@gmail.com>

On Fri, 14 Oct 2016, Yuriy M. Kaminskiy wrote:

> E.g. that libssh2 uses an oversized exponent (private key) in the DH handshake,
> which renders it several times slower than it should be?
>
> E.g. that libssh2 fails to verify if the received field length fits in the buffer
> size *everywhere*, and so a malicious server (or maybe even a MitM attacker) can
> trivially crash the client, or steal host (client) memory?

Please submit your patches/pull requests and we will take them into 
consideration!

-- 

  / daniel.haxx.se

From libssh2-devel-bounces@cool.haxx.se  Mon Oct 17 09:49:32 2016
Date: Mon, 17 Oct 2016 09:49:07 +0200 (CEST)
From: Daniel Stenberg <daniel@haxx.se>
To: libssh2 development <libssh2-devel@cool.haxx.se>
Subject: Re: time to release another libssh2 version!
In-Reply-To: <20160926161808.GR10713@foo.stuge.se>
Message-ID: <alpine.DEB.2.20.1610170947560.30521@tvnag.unkk.fr>
References: <alpine.DEB.2.20.1609232340161.19666@tvnag.unkk.fr>
 <20160926161808.GR10713@foo.stuge.se>

On Mon, 26 Sep 2016, Peter Stuge wrote:

> Can that date please be pushed two weeks? I'm not sure I can find time to 
> finish the code up completely by the 11th.

Now we're 8 days away from release. I think you need to submit this work ASAP 
if you still think you can get it into the release - so that it gets some time 
to sink in, get tested and reviewed. Otherwise I suggest we aim to get that 
merged for the next release instead.

-- 

  / daniel.haxx.se

From libssh2-devel-bounces@cool.haxx.se  Mon Oct 17 15:41:54 2016
Date: Mon, 17 Oct 2016 14:28:24 +0000
From: Peter Stuge <peter@stuge.se>
To: libssh2-devel@cool.haxx.se
Subject: Re: time to release another libssh2 version!
Message-ID: <20161017142824.GL20941@foo.stuge.se>
References: <alpine.DEB.2.20.1609232340161.19666@tvnag.unkk.fr>
 <20160926161808.GR10713@foo.stuge.se>
 <alpine.DEB.2.20.1610170947560.30521@tvnag.unkk.fr>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="i0/AhcQY5QxfSsSZ"
Content-Disposition: inline
In-Reply-To: <alpine.DEB.2.20.1610170947560.30521@tvnag.unkk.fr>


--i0/AhcQY5QxfSsSZ
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline

Hi,

Daniel Stenberg wrote:
> > Can that date please be pushed two weeks?  I'm not sure I can
> > find time to finish the code up completely by the 11th.
> 
> Now we're 8 days away from release.  I think you need to submit this
> work ASAP if you still think you can get it into the release - so
> that it gets some time to sink in, get tested and reviewed.

I do think I can get it into the release.

I can't post a complete patch today, but maybe tomorrow night.

I've attached my current git diff master state for review as well as
testing. It has a couple of things which still need to be done, but
is already functional.

The diff also includes a few unrelated cleanups; a few type issues
and not using RSA if the crypto backend does not implement it.


> Otherwise I suggest we aim to get that merged for the next release
> instead.

I would like to get it in now, and look forward to any feedback on
the current patch.


//Peter

--i0/AhcQY5QxfSsSZ
Content-Type: text/x-diff; charset=utf-8
Content-Disposition: attachment; filename="libssh2-axtls-wip.patch"

diff --git a/Makefile.axTLS.inc b/Makefile.axTLS.inc
new file mode 100644
index 0000000..b63943e
--- /dev/null
+++ b/Makefile.axTLS.inc
@@ -0,0 +1,2 @@
+CRYPTO_CSOURCES = axtls.c
+CRYPTO_HHEADERS = axtls.h
diff --git a/configure.ac b/configure.ac
index d6bdab4..f128494 100644
--- a/configure.ac
+++ b/configure.ac
@@ -78,6 +78,7 @@ AC_PATH_PROGS(SSHD, [sshd], [],
 AM_CONDITIONAL(SSHD, test -n "$SSHD")
 AC_LIBTOOL_WIN32_DLL
 AC_PROG_LIBTOOL
+PKG_PROG_PKG_CONFIG
 AC_C_BIGENDIAN
 
 dnl check for how to do large files
@@ -93,6 +94,9 @@ AC_ARG_WITH(libgcrypt,
 AC_ARG_WITH(wincng,
   AC_HELP_STRING([--with-wincng],[Use Windows CNG for crypto]),
   use_wincng=$withval,use_wincng=auto)
+AC_ARG_WITH(axtls,
+  AC_HELP_STRING([--with-axtls],[Use axTLS for crypto]),
+  use_axtls=$withval,use_axtls=auto)
 AC_ARG_WITH(libz,
   AC_HELP_STRING([--with-libz],[Use zlib for compression]),
   use_libz=$withval,use_libz=auto)
@@ -163,6 +167,17 @@ AM_CONDITIONAL(WINCNG, test "$ac_cv_libbcrypt" = "yes")
 
 AM_CONDITIONAL(OS400QC3, false)
 
+# Look for axTLS
+if test "$found_crypto" = "none" && test "$use_axtls" != "no"; then
+  PKG_CHECK_MODULES([AXTLS], [libaxtls], [
+    found_crypto=axTLS
+    AC_DEFINE(LIBSSH2_AXTLS, 1, [Use axTLS])
+    LIBS="$LIBS $AXTLS_LIBS"
+  ])
+fi
+AM_CONDITIONAL(AXTLS, test "$found_crypto" = "axTLS")
+
+
 # Check if crypto library was found
 if test "$found_crypto" = "none"; then
   AC_MSG_ERROR([No crypto library found!
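Review bot: PKG_CHECK_MODULES in the new "Look for axTLS" block is called without a fourth (action-if-not-found) argument, so when libaxtls is missing the macro's default aborts configure with pkg-config's own error, even for use_axtls=auto, and the "No crypto library found!" message just below is never reached. Pass an explicit not-found action: a notice for the auto case, and an AC_MSG_ERROR only when --with-axtls was requested explicitly. The block also appends $AXTLS_LIBS to LIBS but leaves AXTLS_CFLAGS to src/Makefile.am, which deserves a one-line comment here.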
diff --git a/docs/HACKING.CRYPTO b/docs/HACKING.CRYPTO
index a8a6a06..6fdcf71 100644
--- a/docs/HACKING.CRYPTO
+++ b/docs/HACKING.CRYPTO
@@ -316,7 +316,7 @@ _libssh2_bn_ctx
 Type of multiple precision computation context. May not be empty. if not used,
 #define as char, for example.
 
-libssh2_bn_ctx _libssh2_bn_ctx_new(void);
+_libssh2_bn_ctx _libssh2_bn_ctx_new(void);
 Returns a new multiple precision computation context.
 
 void _libssh2_bn_ctx_free(_libssh2_bn_ctx ctx);
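Review bot: the corrected prototype documents _libssh2_bn_ctx_new() as returning _libssh2_bn_ctx by value, while src/axtls.c in this same patch defines it as "_libssh2_bn_ctx *_libssh2_bn_ctx_new(void)". Either the documentation or the new backend should change so that the documented return type and the implemented one agree.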
@@ -339,7 +339,7 @@ allocates the number. Returns a value of type _libssh2_bn *.
 void _libssh2_bn_free(_libssh2_bn *bn);
 Destroys the multiple precision number at bn.
 
-unsigned long _libssh2_bn_bytes(libssh2_bn *bn);
+unsigned long _libssh2_bn_bytes(_libssh2_bn *bn);
 Get the number of bytes needed to store the bits of the multiple precision
 number at bn.
 
diff --git a/src/Makefile.am b/src/Makefile.am
index 1334c55..cbcc812 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -14,6 +14,9 @@ endif
 if OS400QC3
 include ../Makefile.os400qc3.inc
 endif
+if AXTLS
+include ../Makefile.axTLS.inc
+endif
 
 # Makefile.inc provides the CSOURCES and HHEADERS defines
 include ../Makefile.inc
@@ -60,6 +63,7 @@ VERSION=-version-info 1:1:0
 # set age to 0. (c:r:a=0)
 #
 
+libssh2_la_CFLAGS = $(AXTLS_CFLAGS)
 libssh2_la_LDFLAGS = $(VERSION) -no-undefined \
 	-export-symbols-regex '^libssh2_.*' \
-	$(LTLIBGCRYPT) $(LTLIBSSL) $(LTLIBZ)
+	$(LTLIBGCRYPT) $(LTLIBSSL) $(AXTLS_LDFLAGS) $(LTLIBZ)
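Review bot: $(AXTLS_LDFLAGS) in libssh2_la_LDFLAGS is never defined anywhere in this patch; PKG_CHECK_MODULES([AXTLS], ...) in configure.ac yields AXTLS_CFLAGS and AXTLS_LIBS only, and AXTLS_LIBS is already appended to LIBS there, so this reference expands to nothing. Drop it, or link through $(AXTLS_LIBS) explicitly and stop modifying LIBS in configure.ac, so the library is not pulled in by two different routes.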
diff --git a/src/axtls.c b/src/axtls.c
new file mode 100644
index 0000000..c06429a
--- /dev/null
+++ b/src/axtls.c
@@ -0,0 +1,502 @@
+/* Copyright (c) 2016 Peter Stuge
+ *
+ * Redistribution and use in source and binary forms,
+ * with or without modification, are permitted provided
+ * that the following conditions are met:
+ *
+ *   Redistributions of source code must retain the above
+ *   copyright notice, this list of conditions and the
+ *   following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials
+ *   provided with the distribution.
+ *
+ *   Neither the name of the copyright holder nor the names
+ *   of any other contributors may be used to endorse or
+ *   promote products derived from this software without
+ *   specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
+ * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ * USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
+ * OF SUCH DAMAGE.
+ */
+
+#include "libssh2_priv.h"
+
+#if LIBSSH2_AXTLS
+
+#include <axTLS/crypto.h>
+#include <stdlib.h>
+
+static BI_CTX *axbictx = NULL;
+
+#ifndef MIN
+#define MIN(x,y) ((x)<(y)?(x):(y))
+#endif
+
+#ifndef MAX
+#define MAX(x,y) ((x)>(y)?(x):(y))
+#endif
+
+
+/* 1) Crypto library initialization/termination. */
+void libssh2_crypto_init(void) {
+	axbictx = bi_initialize();
+	RNG_initialize();
+}
+
+void libssh2_crypto_exit(void) {
+	RNG_terminate();
+	bi_terminate(axbictx);
+}
+
+
+/* 2) HMAC */
+
+static unsigned int hash_blocksize(enum _libssh2_axtls_hmac_type type) {
+	switch (type) {
+	case HMAC_MD5:
+	case HMAC_SHA1:
+	case HMAC_SHA256:
+		return 64;
+	case HMAC_SHA512:
+		return 128;
+	}
+	return 0;
+}
+
+void libssh2_axtls_hmac_ctx_init(libssh2_hmac_ctx *ctx, enum _libssh2_axtls_hmac_type type, const void *key, int keylen) {
+	size_t i, klen = keylen;
+	const unsigned char *k = key;
+
+	ctx->type = type;
+	ctx->k_size = hash_blocksize(type);
+
+	for (i = 0; i < ctx->k_size; i++)
+		ctx->k[i] = (i < klen ? k[i] : 0) ^ 0x36;
+
+	switch (ctx->type) {
+	case HMAC_MD5:
+		ctx->h.md5 = &ctx->hctx.md5;
+		MD5_Init(ctx->h.md5);
+		MD5_Update(ctx->h.md5, ctx->k, ctx->k_size);
+		break;
+
+	case HMAC_SHA1:
+		ctx->h.sha1 = &ctx->hctx.sha1;
+		SHA1_Init(ctx->h.sha1);
+		SHA1_Update(ctx->h.sha1, ctx->k, ctx->k_size);
+		break;
+
+	case HMAC_SHA256:
+		ctx->h.sha256 = &ctx->hctx.sha256;
+		SHA256_Init(ctx->h.sha256);
+		SHA256_Update(ctx->h.sha256, ctx->k, ctx->k_size);
+		break;
+
+	case HMAC_SHA512:
+		ctx->h.sha512 = &ctx->hctx.sha512;
+		SHA512_Init(ctx->h.sha512);
+		SHA512_Update(ctx->h.sha512, ctx->k, ctx->k_size);
+		break;
+	}
+
+	for (i = 0; i < ctx->k_size; i++)
+		ctx->k[i] = (i < klen ? k[i] : 0) ^ 0x5c;
+}
+
+void libssh2_axtls_hmac_update(libssh2_hmac_ctx *ctx, const unsigned char *data, int datalen) {
+	switch (ctx->type) {
+	case HMAC_MD5: MD5_Update(ctx->h.md5, data, datalen); return;
+	case HMAC_SHA1: SHA1_Update(ctx->h.sha1, data, datalen); return;
+	case HMAC_SHA256: SHA256_Update(ctx->h.sha256, data, datalen); return;
+	case HMAC_SHA512: SHA512_Update(ctx->h.sha512, data, datalen); return;
+	}
+}
+
+void libssh2_axtls_hmac_final(libssh2_hmac_ctx *ctx, unsigned char *output) {
+	union {
+		MD5_CTX md5;
+		SHA1_CTX sha1;
+		SHA256_CTX sha256;
+		SHA512_CTX sha512;
+	} hctx;
+	MD5_CTX *md5 = &hctx.md5;
+	SHA1_CTX *sha1 = &hctx.sha1;
+	SHA256_CTX *sha256 = &hctx.sha256;
+	SHA512_CTX *sha512 = &hctx.sha512;
+
+	switch (ctx->type) {
+	case HMAC_MD5:
+		MD5_Final(output, ctx->h.md5);
+		MD5_Init(md5);
+		MD5_Update(md5, ctx->k, ctx->k_size);
+		MD5_Update(md5, output, MD5_SIZE);
+		MD5_Final(output, md5);
+		memset(md5, 0, sizeof hctx.md5);
+		break;
+
+	case HMAC_SHA1:
+		SHA1_Final(output, ctx->h.sha1);
+		SHA1_Init(sha1);
+		SHA1_Update(sha1, ctx->k, ctx->k_size);
+		SHA1_Update(sha1, output, SHA1_SIZE);
+		SHA1_Final(output, sha1);
+		memset(sha1, 0, sizeof hctx.sha1);
+		break;
+
+	case HMAC_SHA256:
+		SHA256_Final(output, ctx->h.sha256);
+		SHA256_Init(sha256);
+		SHA256_Update(sha256, ctx->k, ctx->k_size);
+		SHA256_Update(sha256, output, SHA256_SIZE);
+		SHA256_Final(output, sha256);
+		memset(sha256, 0, sizeof hctx.sha256);
+		break;
+
+	case HMAC_SHA512:
+		SHA512_Final(output, ctx->h.sha512);
+		SHA512_Init(sha512);
+		SHA512_Update(sha512, ctx->k, ctx->k_size);
+		SHA512_Update(sha512, output, SHA512_SIZE);
+		SHA512_Final(output, sha512);
+		memset(sha512, 0, sizeof hctx.sha512);
+		break;
+	}
+}
+
+void libssh2_hmac_cleanup(libssh2_hmac_ctx *ctx) {
+	memset(ctx->k, 0, sizeof ctx->k);
+
+	switch (ctx->type) {
+	case HMAC_MD5:
+		memset(ctx->h.md5, 0, sizeof ctx->hctx.md5);
+		break;
+
+	case HMAC_SHA1:
+		memset(ctx->h.sha1, 0, sizeof ctx->hctx.sha1);
+		break;
+
+	case HMAC_SHA256:
+		memset(ctx->h.sha256, 0, sizeof ctx->hctx.sha256);
+		break;
+
+	case HMAC_SHA512:
+		memset(ctx->h.sha512, 0, sizeof ctx->hctx.sha512);
+		break;
+	}
+}
+
+
+/* 3.1) SHA-1 */
+
+int libssh2_sha1_init(libssh2_sha1_ctx *x) {
+	SHA1_Init(x);
+	return 1;
+}
+
+
+/* 3.2) SHA-256 */
+
+int libssh2_sha256_init(libssh2_sha256_ctx *x) {
+	SHA256_Init(x);
+	return 1;
+}
+
+int libssh2_sha256(const unsigned char *message, unsigned long len, unsigned char *output) {
+	SHA256_CTX ctx;
+	SHA256_Init(&ctx);
+	SHA256_Update(&ctx, message, len);
+	SHA256_Final(output, &ctx);
+	return 0;
+}
+
+
+/* 3.4) MD5 */
+
+int libssh2_md5_init(libssh2_md5_ctx *x) {
+	MD5_Init(x);
+	return 1;
+}
+
+
+/* 4) Bidirectional Key ciphers. */
+
+static AES_MODE aes_mode_from_type(_libssh2_cipher_type(algo)) {
+	switch (algo) {
+	case AES_128_CBC: return AES_MODE_128;
+	case AES_256_CBC: return AES_MODE_256;
+	}
+}
+
+int _libssh2_cipher_init(_libssh2_cipher_ctx *h, _libssh2_cipher_type(algo), unsigned char *iv, unsigned char *secret, int encrypt) {
+	switch (algo) {
+	case AES_192_CBC:
+		/* not implemented in axTLS */
+		return -1;
+
+	case AES_128_CBC:
+	case AES_256_CBC:
+		AES_set_key(&h->aes, secret, iv, aes_mode_from_type(algo));
+		if (!encrypt)
+			AES_convert_key(&h->aes);
+		break;
+
+	case RC4:
+		RC4_setup(&h->rc4, secret, 16);
+		break;
+	}
+
+	return 0;
+}
+
+int _libssh2_cipher_crypt(_libssh2_cipher_ctx *ctx, _libssh2_cipher_type(algo), int encrypt, unsigned char *block, size_t blocksize) {
+	switch (algo) {
+	case AES_192_CBC:
+		/* not implemented in axTLS */
+		return -1;
+
+	case AES_128_CBC:
+	case AES_256_CBC:
+		if (encrypt)
+			AES_cbc_encrypt(&ctx->aes, block, block, blocksize);
+		else
+			AES_cbc_decrypt(&ctx->aes, block, block, blocksize);
+		break;
+
+	case RC4:
+		RC4_crypt(&ctx->rc4, block, block, blocksize);
+		break;
+	}
+
+	return 0;
+}
+
+void _libssh2_cipher_dtor(_libssh2_cipher_ctx *ctx) {
+	memset(&ctx->aes, 0, sizeof ctx->aes);
+	memset(&ctx->rc4, 0, sizeof ctx->rc4);
+}
+
+
+/* 5) Big numbers. */
+
+_libssh2_bn_ctx *_libssh2_bn_ctx_new(void) {
+	return axbictx;
+}
+
+_libssh2_bn *_libssh2_bn_init(void) {
+	return int_to_bi(axbictx, 0);
+}
+
+_libssh2_bn *_libssh2_bn_init_from_bin(void) {
+	return NULL;
+}
+
+void _libssh2_bn_free(_libssh2_bn *bn) {
+	if (bn)
+		bi_free(axbictx, bn);
+}
+
+unsigned long _libssh2_bn_bytes(_libssh2_bn *bn) {
+	unsigned long n = COMP_BYTE_SIZE * bn->size;
+	comp mask = 0xff;
+
+	for (mask <<= COMP_BIT_SIZE-8; mask; mask >>= 8, n--)
+		if (bn->comps[bn->size - 1] & mask)
+			break;
+
+	return n;
+}
+
+unsigned long _libssh2_bn_bits(_libssh2_bn *bn) {
+	unsigned long n = COMP_BIT_SIZE * bn->size;
+	comp mask = 1;
+
+	for (mask <<= COMP_BIT_SIZE-1; mask; mask >>= 1, n--)
+		if (bn->comps[bn->size - 1] & mask)
+			break;
+
+	return n;
+}
+
+_libssh2_bn *_libssh2_axtls_bn_free_and_new_from_ulong(_libssh2_bn *old, unsigned long val) {
+	_libssh2_bn *ret = int_to_bi(axbictx, val);
+	if (old)
+		bi_free(axbictx, old);
+	return ret;
+}
+
+_libssh2_bn *_libssh2_axtls_bn_free_and_new_from_bin(_libssh2_bn *old, int len, const unsigned char *val) {
+	_libssh2_bn *ret = bi_import(axbictx, val, len);
+	if (old)
+		bi_free(axbictx, old);
+	return ret;
+}
+
+int _libssh2_bn_to_bin(_libssh2_bn *bn, unsigned char *val) {
+	unsigned char *b, *buf;
+	int ret = _libssh2_bn_bytes(bn);
+	unsigned long n = COMP_BYTE_SIZE * bn->size;
+
+	b = buf = malloc(n);
+	if (!buf)
+		return -1;
+
+	bi_copy(bn);
+	bi_export(axbictx, bn, buf, n);
+
+	while (!*b)
+		b++;
+
+	memcpy(val, b, ret);
+	free(buf);
+
+	return ret;
+}
+
+
+/* TODO
+Generates a cryptographically strong pseudo-random number of bits in
+length and stores it in bn. If top is -1, the most significant bit of the
+random number can be zero. If top is 0, it is set to 1, and if top is 1, the
+two most significant bits of the number will be set to 1, so that the product
+of two such random numbers will always have 2*bits length. If bottom is true,
+the number will be odd.
+*/
+_libssh2_bn *_libssh2_bn_free_and_new_rand(_libssh2_bn *bn, int bits, int top, int bottom) {
+	int bytes = bits+7/8;
+	unsigned char *buf = malloc(bytes);
+	_libssh2_bn *ret;
+
+	bi_free(axbictx, bn);
+	get_random(bytes, buf);
+	ret = bi_import(axbictx, buf, bytes);
+	free(buf);
+
+	/* TODO: bits top bottom */
+
+	return ret;
+}
+
+
+/* r=a^p % m, May use the given context. */
+_libssh2_bn *_libssh2_axtls_free_and_new_bn_mod_exp(_libssh2_bn *r, _libssh2_bn *a, _libssh2_bn *p, _libssh2_bn *m, _libssh2_bn_ctx *ctx) {
+	bi_free(axbictx, r);
+	bi_copy(a);
+	bi_copy(p);
+	bi_copy(m);
+	return bi_mod_power2(ctx, a, m, p);
+}
+
+
+/* 6) Private key algorithms. */
+
+int _libssh2_pub_priv_keyfile(LIBSSH2_SESSION *session, unsigned char **method, size_t *method_len, unsigned char **pubkeydata, size_t *pubkeydata_len, const char *privatekey, const char *passphrase) {
+	/* TODO */
+	return -1;
+}
+
+int _libssh2_pub_priv_keyfilememory(LIBSSH2_SESSION *session, unsigned char **method, size_t *method_len, unsigned char **pubkeydata, size_t *pubkeydata_len, const char *privatekeydata, size_t privatekeydata_len, const char *passphrase) {
+	/* TODO */
+	return -1;
+}
+
+
+/* 6.1) RSA */
+
+int _libssh2_rsa_new(libssh2_rsa_ctx **rsa,
+		const unsigned char *edata, unsigned long elen,
+		const unsigned char *ndata, unsigned long nlen,
+		const unsigned char *ddata, unsigned long dlen,
+		const unsigned char *pdata, unsigned long plen,
+		const unsigned char *qdata, unsigned long qlen,
+		const unsigned char *e1data, unsigned long e1len,
+		const unsigned char *e2data, unsigned long e2len,
+		const unsigned char *coeffdata, unsigned long coefflen) {
+	*rsa = NULL;
+	RSA_pub_key_new(rsa, ndata, nlen, edata, elen);
+	return 0;
+}
+
+int _libssh2_rsa_new_private(libssh2_rsa_ctx **rsa, LIBSSH2_SESSION *session, const char *filename, unsigned const char *passphrase) {
+	_libssh2_init_if_needed();
+	/* TODO */
+	return -1;
+}
+
+int _libssh2_rsa_new_private_frommemory(libssh2_rsa_ctx **rsa, LIBSSH2_SESSION *session, const char *data, size_t data_len, unsigned const char *passphrase) {
+	_libssh2_init_if_needed();
+	/* TODO */
+	return -1;
+}
+
+#define OID_SHA1_LEN 15
+static const unsigned char oid_sha1[OID_SHA1_LEN] = {
+	0x30, 0x21, 0x30, 0x09, 0x06, 0x05,
+	0x2b, 0x0e, 0x03, 0x02, 0x1a, 0x05, 0x00, 0x04, 0x14
+};
+
+int _libssh2_rsa_sha1_verify(libssh2_rsa_ctx *rsa, const unsigned char *sig, unsigned long sig_len, const unsigned char *m, unsigned long m_len) {
+	int ret = -1;
+	SHA1_CTX h;
+	bigint *s, *v;
+	unsigned long vlen;
+	unsigned char *p, *ver, hash[SHA1_SIZE];
+
+	s = bi_import(axbictx, sig, sig_len);
+	v = RSA_public(rsa, s);
+
+	vlen = _libssh2_bn_bytes(v);
+	p = ver = malloc(vlen);
+	if (!ver)
+		return -1;
+
+	bi_export(axbictx, v, ver, vlen);
+
+	if (ver[0] != 0x01)
+		goto done;
+
+	if (vlen < 1 + 1 + sizeof oid_sha1 + sizeof hash)
+		goto done;
+
+	p = ver + (vlen - sizeof hash - sizeof oid_sha1);
+	if (memcmp(p, oid_sha1, sizeof oid_sha1))
+		goto done;
+
+	p += sizeof oid_sha1;
+
+	SHA1_Init(&h);
+	SHA1_Update(&h, m, m_len);
+	SHA1_Final(hash, &h);
+
+	if (memcmp(p, hash, sizeof hash))
+		goto done;
+
+	ret = 0;
+
+done:
+	memset(ver, 0, vlen);
+	memset(&h, 0, sizeof h);
+	free(ver);
+	return ret;
+}
+
+int _libssh2_rsa_sha1_sign(LIBSSH2_SESSION *session, libssh2_rsa_ctx *rsactx, const unsigned char *hash, size_t hash_len, unsigned char **signature, size_t *signature_len) {
+	/* TODO */
+	return -1;
+}
+
+#endif /* LIBSSH2_AXTLS */
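Review bot: _libssh2_rsa_sha1_verify(), near the end of this file, checks only that the first exported byte is 0x01 and that the tail of the block equals oid_sha1 followed by the SHA-1 hash; nothing verifies that every byte in between is 0xff terminated by a single 0x00, or that vlen matches the modulus size, so a block with arbitrary filler bytes passes verification. Build the complete expected EMSA-PKCS1-v1_5 block for the key size and compare the whole buffer against it. In the same function ver[0] is read before the "vlen < 1 + 1 + ..." length check, so that check should come first. Further up, "int bytes = bits+7/8;" in _libssh2_bn_free_and_new_rand() evaluates to bits because 7/8 is 0; it should read (bits+7)/8, and the malloc() result is used without a NULL check. libssh2_axtls_hmac_ctx_init() truncates keys longer than the hash block size instead of hashing them first as HMAC requires, _libssh2_bn_to_bin() skips leading zero bytes with an unbounded "while (!*b)" that runs off the buffer for a zero value, aes_mode_from_type() falls off the end without a return for other enum values, and the RC4 key length is hard-coded to 16 in _libssh2_cipher_init().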
diff --git a/src/axtls.h b/src/axtls.h
new file mode 100644
index 0000000..27bcfaa
--- /dev/null
+++ b/src/axtls.h
@@ -0,0 +1,227 @@
+/* Copyright (c) 2016 Peter Stuge
+ *
+ * Redistribution and use in source and binary forms,
+ * with or without modification, are permitted provided
+ * that the following conditions are met:
+ *
+ *   Redistributions of source code must retain the above
+ *   copyright notice, this list of conditions and the
+ *   following disclaimer.
+ *
+ *   Redistributions in binary form must reproduce the above
+ *   copyright notice, this list of conditions and the following
+ *   disclaimer in the documentation and/or other materials
+ *   provided with the distribution.
+ *
+ *   Neither the name of the copyright holder nor the names
+ *   of any other contributors may be used to endorse or
+ *   promote products derived from this software without
+ *   specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND
+ * CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES,
+ * INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR
+ * CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+ * BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR
+ * SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS
+ * INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY,
+ * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
+ * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE
+ * USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY
+ * OF SUCH DAMAGE.
+ */
+
+#ifndef _AXTLS_H_
+#define _AXTLS_H_
+
+#include <axTLS/crypto.h>
+
+
+/* 1) Crypto library initialization/termination. */
+void libssh2_crypto_init(void);
+void libssh2_crypto_exit(void);
+
+
+/* 2) HMAC */
+enum _libssh2_axtls_hmac_type {
+	HMAC_MD5 = 0,
+	HMAC_SHA1,
+	HMAC_SHA256,
+	HMAC_SHA512
+};
+
+typedef struct _libssh2_axtls_hmac_ctx {
+	enum _libssh2_axtls_hmac_type type;
+
+	unsigned char k[128];
+	unsigned char k_size;
+
+	union {
+		MD5_CTX md5;
+		SHA1_CTX sha1;
+		SHA256_CTX sha256;
+		SHA512_CTX sha512;
+	} hctx;
+	union {
+		MD5_CTX *md5;
+		SHA1_CTX *sha1;
+		SHA256_CTX *sha256;
+		SHA512_CTX *sha512;
+	} h;
+} libssh2_hmac_ctx;
+
+void libssh2_axtls_hmac_ctx_init(libssh2_hmac_ctx *ctx, enum _libssh2_axtls_hmac_type type, const void *key, int keylen);
+void libssh2_axtls_hmac_update(libssh2_hmac_ctx *ctx, const unsigned char *data, int datalen);
+void libssh2_axtls_hmac_final(libssh2_hmac_ctx *ctx, unsigned char *output);
+
+#define libssh2_hmac_ctx_init(x) do { } while (0)
+#define libssh2_hmac_update(ctx, data, datalen) libssh2_axtls_hmac_update(&(ctx), data, datalen)
+#define libssh2_hmac_final(ctx, output) libssh2_axtls_hmac_final(&(ctx), output)
+
+void libssh2_hmac_cleanup(libssh2_hmac_ctx *ctx);
+
+
+/* 3.1) SHA-1 */
+#define SHA_DIGEST_LENGTH SHA1_SIZE
+typedef SHA1_CTX libssh2_sha1_ctx;
+int libssh2_sha1_init(libssh2_sha1_ctx *x);
+#define libssh2_sha1_update(ctx, data, len) SHA1_Update(&ctx, data, len)
+#define libssh2_sha1_final(ctx, output) SHA1_Final(output, &ctx)
+#define libssh2_hmac_sha1_init(ctx, key, keylen) libssh2_axtls_hmac_ctx_init(ctx, HMAC_SHA1, key, keylen)
+
+
+/* 3.2) SHA-256 */
+#define SHA256_DIGEST_LENGTH SHA256_SIZE
+typedef SHA256_CTX libssh2_sha256_ctx;
+int libssh2_sha256_init(libssh2_sha256_ctx *x);
+#define libssh2_sha256_update(ctx, data, len) SHA256_Update(&ctx, data, len)
+#define libssh2_sha256_final(ctx, output) SHA256_Final(output, &ctx)
+int libssh2_sha256(const unsigned char *message, unsigned long len, unsigned char *output);
+
+#define LIBSSH2_HMAC_SHA256 1
+#define libssh2_hmac_sha256_init(ctx, key, keylen) libssh2_axtls_hmac_ctx_init(ctx, HMAC_SHA256, key, keylen)
+
+
+/* 3.3) SHA-512 (HMAC-SHA512) */
+#define LIBSSH2_HMAC_SHA512 1
+#define libssh2_hmac_sha512_init(ctx, key, keylen) libssh2_axtls_hmac_ctx_init(ctx, HMAC_SHA512, key, keylen)
+
+
+/* 3.4) MD5 */
+#define LIBSSH2_MD5 1
+#define MD5_DIGEST_LENGTH MD5_SIZE
+typedef MD5_CTX libssh2_md5_ctx;
+int libssh2_md5_init(libssh2_md5_ctx *x);
+#define libssh2_md5_update(ctx, data, len) MD5_Update(&ctx, data, len)
+#define libssh2_md5_final(ctx, output) MD5_Final(output, &ctx)
+#define libssh2_hmac_md5_init(ctx, key, keylen) libssh2_axtls_hmac_ctx_init(ctx, HMAC_MD5, key, keylen)
+
+
+/* 3.5) RIPEMD-160 */
+#define LIBSSH2_HMAC_RIPEMD 0
+
+
+/* 4) Bidirectional Key ciphers. */
+
+enum _libssh2_axtls_cipher_type {
+	AES_128_CBC = 0,
+	AES_192_CBC,
+	AES_256_CBC,
+	RC4
+};
+
+typedef union _libssh2_axtls_cipher_ctx {
+	AES_CTX aes;
+	RC4_CTX rc4;
+} _libssh2_cipher_ctx;
+
+#define _libssh2_cipher_type(name) enum _libssh2_axtls_cipher_type name
+
+int _libssh2_cipher_init(_libssh2_cipher_ctx *h, _libssh2_cipher_type(algo), unsigned char *iv, unsigned char *secret, int encrypt);
+int _libssh2_cipher_crypt(_libssh2_cipher_ctx *ctx, _libssh2_cipher_type(algo), int encrypt, unsigned char *block, size_t blocksize);
+void _libssh2_cipher_dtor(_libssh2_cipher_ctx *ctx);
+
+
+
+/* 4.1) AES
+4.1.1) AES in CBC block mode. */
+#define LIBSSH2_AES 1
+#define _libssh2_cipher_aes128 AES_128_CBC
+#define _libssh2_cipher_aes192 AES_192_CBC
+#define _libssh2_cipher_aes256 AES_256_CBC
+
+
+/* 4.1.2) AES in CTR block mode. */
+#define LIBSSH2_AES_CTR 0
+
+
+/* 4.2) Blowfish in CBC block mode. */
+#define LIBSSH2_BLOWFISH 0
+
+
+/* 4.3) RC4. */
+#define LIBSSH2_RC4 1
+#define _libssh2_cipher_arcfour RC4
+
+
+/* 4.4) CAST5 in CBC block mode. */
+#define LIBSSH2_CAST 0
+
+
+/* 4.5) Tripple DES in CBC block mode. */
+#define LIBSSH2_3DES 0
+
+
+/* 5) Big numbers. */
+typedef BI_CTX _libssh2_bn_ctx;
+
+_libssh2_bn_ctx *_libssh2_bn_ctx_new(void);
+#define _libssh2_bn_ctx_free(ctx) do { } while (0)
+
+typedef bigint _libssh2_bn;
+
+_libssh2_bn *_libssh2_bn_init(void);
+_libssh2_bn *_libssh2_bn_init_from_bin(void);
+void _libssh2_bn_free(_libssh2_bn *bn);
+unsigned long _libssh2_bn_bytes(_libssh2_bn *bn);
+unsigned long _libssh2_bn_bits(_libssh2_bn *bn);
+
+_libssh2_bn *_libssh2_axtls_bn_free_and_new_from_ulong(_libssh2_bn *old, unsigned long val);
+/* this is supposed to return 1, but nobody checks it */
+#define _libssh2_bn_set_word(bn, val) bn = _libssh2_axtls_bn_free_and_new_from_ulong(bn, val)
+
+_libssh2_bn *_libssh2_axtls_bn_free_and_new_from_bin(_libssh2_bn *old, int len, const unsigned char *val);
+/* this is supposed to return NULL on error, but nobody checks it */
+#define _libssh2_bn_from_bin(bn, len, val) bn = _libssh2_axtls_bn_free_and_new_from_bin(bn, len, val)
+
+int _libssh2_bn_to_bin(_libssh2_bn *bn, unsigned char *val);
+
+_libssh2_bn *_libssh2_bn_free_and_new_rand(_libssh2_bn *bn, int bits, int top, int bottom);
+#define _libssh2_bn_rand(bn, bits, top, bottom) bn = _libssh2_bn_free_and_new_rand(bn, bits, top, bottom)
+
+_libssh2_bn *_libssh2_axtls_free_and_new_bn_mod_exp(_libssh2_bn *r, _libssh2_bn *a, _libssh2_bn *p, _libssh2_bn *m, _libssh2_bn_ctx *ctx);
+#define _libssh2_bn_mod_exp(r, a, p, m, ctx) r = _libssh2_axtls_free_and_new_bn_mod_exp(r, a, p, m, ctx)
+
+
+/* 6.1) RSA */
+#define LIBSSH2_RSA 1
+
+typedef RSA_CTX libssh2_rsa_ctx;
+
+#define _libssh2_rsa_free RSA_free
+
+
+/* 6.2) DSA */
+#define LIBSSH2_DSA 0
+
+
+/* 7) Miscellaneous */
+
+#define libssh2_prepare_iovec(vector, len) do { } while (0)
+#define _libssh2_random(buf, len) get_random(len, buf)
+
+
+#endif /* _AXTLS_H_ */
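Review bot: In section 5 the _libssh2_bn_set_word, _libssh2_bn_from_bin, _libssh2_bn_rand and _libssh2_bn_mod_exp macros expand to a bare "bn = ..." assignment, and two of the comments concede that the documented result (1, or NULL on error) is not what a caller gets. Make each macro a parenthesised expression that yields a status, for example ((bn = f(bn, ...)) != NULL), so a failure can be checked at the call site. Separately, the libssh2_sha1_*, libssh2_sha256_* and libssh2_md5_* update/final macros use &ctx where the HMAC macros use &(ctx); parenthesise the argument there as well. Section 4 leaves this backend with CBC-mode AES and RC4 only (LIBSSH2_AES_CTR is 0), which deserves a line in the documentation.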
diff --git a/src/crypto.h b/src/crypto.h
index caad19f..452505a 100644
--- a/src/crypto.h
+++ b/src/crypto.h
@@ -54,6 +54,11 @@
 #include "os400qc3.h"
 #endif
 
+#ifdef LIBSSH2_AXTLS
+#include "axtls.h"
+#endif
+
+#if LIBSSH2_RSA
 int _libssh2_rsa_new(libssh2_rsa_ctx ** rsa,
                      const unsigned char *edata,
                      unsigned long elen,
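Review bot: The guard added at the end of this hunk is "#if LIBSSH2_RSA", not "#ifdef", so a backend header that never defines LIBSSH2_RSA evaluates as 0 and silently loses every RSA prototype. Confirm that each backend header included above defines LIBSSH2_RSA explicitly, the way axtls.h does with "#define LIBSSH2_RSA 1", and document the macro as mandatory for backends.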
@@ -88,6 +93,7 @@ int _libssh2_rsa_new_private_frommemory(libssh2_rsa_ctx ** rsa,
                                         LIBSSH2_SESSION * session,
                                         const char *filedata, size_t filedata_len,
                                         unsigned const char *passphrase);
+#endif
 
 #if LIBSSH2_DSA
 int _libssh2_dsa_new(libssh2_dsa_ctx ** dsa,
diff --git a/src/global.c b/src/global.c
index dc45e70..353ffce 100644
--- a/src/global.c
+++ b/src/global.c
@@ -46,7 +46,9 @@ libssh2_init(int flags)
 {
     if (_libssh2_initialized == 0 && !(flags & LIBSSH2_INIT_NO_CRYPTO)) {
         libssh2_crypto_init();
+#if LIBSSH2_AES_CTR
         _libssh2_init_aes_ctr();
+#endif
     }
 
     _libssh2_initialized++;
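Review bot: The "#if LIBSSH2_AES_CTR" guard here removes only the call to _libssh2_init_aes_ctr(). If the function's definition and prototype are still compiled when the macro is 0, the backend has to carry them for nothing; put them under the same condition, and add a comment on the #endif naming the macro.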
diff --git a/src/kex.c b/src/kex.c
index 65b722f..fcf6c41 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -357,7 +357,7 @@ static int diffie_hellman_sha1(LIBSSH2_SESSION *session,
             libssh2_sha1_update(exchange_hash_ctx,
                                 exchange_state->h_sig_comp, 4);
             libssh2_sha1_update(exchange_hash_ctx,
-                                (char *) session->local.banner,
+                                session->local.banner,
                                 strlen((char *) session->local.banner) - 2);
         } else {
             _libssh2_htonu32(exchange_state->h_sig_comp,
@@ -365,7 +365,7 @@ static int diffie_hellman_sha1(LIBSSH2_SESSION *session,
             libssh2_sha1_update(exchange_hash_ctx,
                                 exchange_state->h_sig_comp, 4);
             libssh2_sha1_update(exchange_hash_ctx,
-                                LIBSSH2_SSH_DEFAULT_BANNER,
+                                (const unsigned char *)LIBSSH2_SSH_DEFAULT_BANNER,
                                 sizeof(LIBSSH2_SSH_DEFAULT_BANNER) - 1);
         }
 
@@ -517,14 +517,14 @@ static int diffie_hellman_sha1(LIBSSH2_SESSION *session,
 
             LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA1_HASH(iv,
                                                         session->local.crypt->
-                                                        iv_len, "A");
+                                                        iv_len, (unsigned char *)"A");
             if (!iv) {
                 ret = -1;
                 goto clean_exit;
             }
             LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA1_HASH(secret,
                                                         session->local.crypt->
-                                                        secret_len, "C");
+                                                        secret_len, (unsigned char *)"C");
             if (!secret) {
                 LIBSSH2_FREE(session, iv);
                 ret = LIBSSH2_ERROR_KEX_FAILURE;
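Review bot: The casts added for "A" and "C" are (unsigned char *), which strips const from a string literal, while the default-banner cast two hunks up uses (const unsigned char *). Use the const form here if the macro's parameter allows it, so that an accidental write through the pointer stays a compile error. The same applies to the "B" through "F" call sites in the hunks below, in both diffie_hellman_sha1 and diffie_hellman_sha256.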
@@ -564,14 +564,14 @@ static int diffie_hellman_sha1(LIBSSH2_SESSION *session,
 
             LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA1_HASH(iv,
                                                         session->remote.crypt->
-                                                        iv_len, "B");
+                                                        iv_len, (unsigned char *)"B");
             if (!iv) {
                 ret = LIBSSH2_ERROR_KEX_FAILURE;
                 goto clean_exit;
             }
             LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA1_HASH(secret,
                                                         session->remote.crypt->
-                                                        secret_len, "D");
+                                                        secret_len, (unsigned char *)"D");
             if (!secret) {
                 LIBSSH2_FREE(session, iv);
                 ret = LIBSSH2_ERROR_KEX_FAILURE;
@@ -609,7 +609,7 @@ static int diffie_hellman_sha1(LIBSSH2_SESSION *session,
 
             LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA1_HASH(key,
                                                         session->local.mac->
-                                                        key_len, "E");
+                                                        key_len, (unsigned char *)"E");
             if (!key) {
                 ret = LIBSSH2_ERROR_KEX_FAILURE;
                 goto clean_exit;
@@ -635,7 +635,7 @@ static int diffie_hellman_sha1(LIBSSH2_SESSION *session,
 
             LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA1_HASH(key,
                                                         session->remote.mac->
-                                                        key_len, "F");
+                                                        key_len, (unsigned char *)"F");
             if (!key) {
                 ret = LIBSSH2_ERROR_KEX_FAILURE;
                 goto clean_exit;
@@ -977,7 +977,7 @@ static int diffie_hellman_sha256(LIBSSH2_SESSION *session,
             libssh2_sha256_update(exchange_hash_ctx,
                                   exchange_state->h_sig_comp, 4);
             libssh2_sha256_update(exchange_hash_ctx,
-                                  (char *) session->local.banner,
+                                  session->local.banner,
                                   strlen((char *) session->local.banner) - 2);
         } else {
             _libssh2_htonu32(exchange_state->h_sig_comp,
@@ -985,7 +985,7 @@ static int diffie_hellman_sha256(LIBSSH2_SESSION *session,
             libssh2_sha256_update(exchange_hash_ctx,
                                   exchange_state->h_sig_comp, 4);
             libssh2_sha256_update(exchange_hash_ctx,
-                                  LIBSSH2_SSH_DEFAULT_BANNER,
+                                  (unsigned char *)LIBSSH2_SSH_DEFAULT_BANNER,
                                   sizeof(LIBSSH2_SSH_DEFAULT_BANNER) - 1);
         }
 
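Review bot: The cast on LIBSSH2_SSH_DEFAULT_BANNER here is (unsigned char *), but the matching line in diffie_hellman_sha1 was given (const unsigned char *). Make the two identical, preferably the const form.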
@@ -1139,14 +1139,14 @@ static int diffie_hellman_sha256(LIBSSH2_SESSION *session,
 
             LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA256_HASH(iv,
                                                           session->local.crypt->
-                                                          iv_len, "A");
+                                                          iv_len, (unsigned char *)"A");
             if (!iv) {
                 ret = -1;
                 goto clean_exit;
             }
             LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA256_HASH(secret,
                                                           session->local.crypt->
-                                                          secret_len, "C");
+                                                          secret_len, (unsigned char *)"C");
             if (!secret) {
                 LIBSSH2_FREE(session, iv);
                 ret = LIBSSH2_ERROR_KEX_FAILURE;
@@ -1186,14 +1186,14 @@ static int diffie_hellman_sha256(LIBSSH2_SESSION *session,
 
             LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA256_HASH(iv,
                                                           session->remote.crypt->
-                                                          iv_len, "B");
+                                                          iv_len, (unsigned char *)"B");
             if (!iv) {
                 ret = LIBSSH2_ERROR_KEX_FAILURE;
                 goto clean_exit;
             }
             LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA256_HASH(secret,
                                                           session->remote.crypt->
-                                                          secret_len, "D");
+                                                          secret_len, (unsigned char *)"D");
             if (!secret) {
                 LIBSSH2_FREE(session, iv);
                 ret = LIBSSH2_ERROR_KEX_FAILURE;
@@ -1231,7 +1231,7 @@ static int diffie_hellman_sha256(LIBSSH2_SESSION *session,
 
             LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA256_HASH(key,
                                                           session->local.mac->
-                                                          key_len, "E");
+                                                          key_len, (unsigned char *)"E");
             if (!key) {
                 ret = LIBSSH2_ERROR_KEX_FAILURE;
                 goto clean_exit;
@@ -1256,8 +1256,8 @@ static int diffie_hellman_sha256(LIBSSH2_SESSION *session,
             int free_key = 0;
 
             LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA256_HASH(key,
-                                                          session->remote.mac->
-                                                          key_len, "F");
+                                                          session->remote.mac->key_len,
+                                                          (unsigned char *)"F");
             if (!key) {
                 ret = LIBSSH2_ERROR_KEX_FAILURE;
                 goto clean_exit;
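Review bot: Besides adding the cast, this hunk joins session->remote.mac->key_len onto one line, unlike the other "A" to "F" call sites, which keep the original wrapping; the joined line is also noticeably longer than the wrapped lines around it. Keep the layout change out of the type fix, or apply the same layout to all of the call sites in a separate commit.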
diff --git a/src/userauth.c b/src/userauth.c
index cdfa25e..51c6afb 100644
--- a/src/userauth.c
+++ b/src/userauth.c
@@ -786,6 +786,10 @@ userauth_hostbased_fromfile(LIBSSH2_SESSION *session,
 {
     int rc;
 
+#if !LIBSSH2_RSA
+    return -1;
+#endif
+
     if (session->userauth_host_state == libssh2_NB_state_idle) {
         const LIBSSH2_HOSTKEY_METHOD *privkeyobj;
         unsigned char *pubkeydata, *sig = NULL;
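Review bot: The early return added after "int rc;" gives back a bare -1 and records nothing on the session, so a caller cannot tell "RSA not compiled in" from any other failure. Return a specific LIBSSH2_ERROR_* code (LIBSSH2_ERROR_METHOD_NOT_SUPPORTED fits) through _libssh2_error() with a message; the same applies to the two hunks below.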
@@ -1378,6 +1382,10 @@ userauth_publickey_frommemory(LIBSSH2_SESSION *session,
     void *abstract = &privkey_file;
     int rc;
 
+#if !LIBSSH2_RSA
+    return -1;
+#endif
+
     privkey_file.filename = privatekeydata;
     privkey_file.passphrase = passphrase;
 
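Review bot: With "#if !LIBSSH2_RSA" active, everything after the return, starting at "privkey_file.filename = privatekeydata;", is unreachable but still has to compile and link, and it will draw unreachable-code warnings. Wrap the function body in "#if LIBSSH2_RSA ... #else ... #endif" instead of returning from the top.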
@@ -1435,6 +1443,10 @@ userauth_publickey_fromfile(LIBSSH2_SESSION *session,
     void *abstract = &privkey_file;
     int rc;
 
+#if !LIBSSH2_RSA
+    return -1;
+#endif
+
     privkey_file.filename = privatekey;
     privkey_file.passphrase = passphrase;
 

--i0/AhcQY5QxfSsSZ
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: base64
Content-Disposition: inline


--i0/AhcQY5QxfSsSZ--

From libssh2-devel-bounces@cool.haxx.se  Mon Oct 17 16:19:38 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u9HEJS8d013262;
	Mon, 17 Oct 2016 16:19:36 +0200
Received: from giant.haxx.se (localhost.localdomain [127.0.0.1])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u9HEJRpj013208
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Mon, 17 Oct 2016 16:19:27 +0200
Received: from localhost (dast@localhost)
 by giant.haxx.se (8.15.2/8.15.2/Submit) with ESMTP id u9HEJQ2b013205
 for <libssh2-devel@cool.haxx.se>; Mon, 17 Oct 2016 16:19:26 +0200
X-Authentication-Warning: giant.haxx.se: dast owned process doing -bs
Date: Mon, 17 Oct 2016 16:19:26 +0200 (CEST)
From: Daniel Stenberg <daniel@haxx.se>
X-X-Sender: dast@giant.haxx.se
To: libssh2 development <libssh2-devel@cool.haxx.se>
Subject: Re: time to release another libssh2 version!
In-Reply-To: <20161017142824.GL20941@foo.stuge.se>
Message-ID: <alpine.DEB.2.20.1610171609440.30521@tvnag.unkk.fr>
References: <alpine.DEB.2.20.1609232340161.19666@tvnag.unkk.fr>
 <20160926161808.GR10713@foo.stuge.se>
 <alpine.DEB.2.20.1610170947560.30521@tvnag.unkk.fr>
 <20161017142824.GL20941@foo.stuge.se>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
X-fromdanielhimself: yes
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by giant.haxx.se id u9HEJS8d013262

On Mon, 17 Oct 2016, Peter Stuge wrote:

> I've attached my current git diff master state for review as well as 
> testing. It has a couple of things which still need to be done, but is 
> already functional.
>
> The diff also includes a few unrelated cleanups; a few type issues and not 
> using RSA if the crypto backend does not implement it.

Here's some quick first questions/notes:

Which axTLS version or versions does this work with? (I couldn't even figure 
out how to build axTLS 2.0.1 so I didn't try it out yet)

Your configure check doesn't work at all like the other crypto backends and it 
doesn't seem to support a custom install path. I would expect that you be 
fairly common with this crypto lib. Does it even ship a pkg-config file 
itself? It also adds a requirement for the pkg-config autoconf stuff, which I 
guess I'm fine with but I know that in other projects that makes people 
uncomfortable because it adds more prerequisites to the build process.

src/axtls.[ch] don't use our source code style: tabs, wrong indent level, long 
lines, starting brace in function declaration on the wrong line, case + return 
on the same line.

-- 

  / daniel.haxx.se
_______________________________________________
libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel

From libssh2-devel-bounces@cool.haxx.se  Wed Oct 19 00:24:35 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u9IMO2FG001504;
	Wed, 19 Oct 2016 00:24:27 +0200
Received: from foo.stuge.se (foo.stuge.se [212.116.89.98])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u9IMNxLW001401
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Wed, 19 Oct 2016 00:23:59 +0200
Received: (qmail 9044 invoked by uid 1000); 18 Oct 2016 23:10:51 -0000
Date: Tue, 18 Oct 2016 23:10:51 +0000
From: Peter Stuge <peter@stuge.se>
To: libssh2-devel@cool.haxx.se
Subject: Re: time to release another libssh2 version!
Message-ID: <20161018231051.GM20941@foo.stuge.se>
References: <alpine.DEB.2.20.1609232340161.19666@tvnag.unkk.fr>
 <20160926161808.GR10713@foo.stuge.se>
 <alpine.DEB.2.20.1610170947560.30521@tvnag.unkk.fr>
 <20161017142824.GL20941@foo.stuge.se>
 <alpine.DEB.2.20.1610171609440.30521@tvnag.unkk.fr>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <alpine.DEB.2.20.1610171609440.30521@tvnag.unkk.fr>
Content-Type: text/plain; charset="utf-8"
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by giant.haxx.se id u9IMO2FG001504

Daniel Stenberg wrote:
> > I've attached my current git diff master state for review as well as 
> > testing.
> 
> Here's some quick first questions/notes:

Thanks for checking it out!


> Which axTLS version or versions does this work with?

I've tested it with r250 of the svn repo, which is now at r270.

https://svn.code.sf.net/p/axtls/code/trunk


> (I couldn't even figure out how to build axTLS 2.0.1 so I didn't try
> it out yet)

make menuconfig in the top dir, go through the settings, then make
and make install. The install prefix is set in the menuconfig.


> Your configure check doesn't work at all like the other crypto backends

You're right. Because pkg-config is *so* much easier to deal with
than just about everything else I made a tiny .pc file for axtls
during development.


> and it doesn't seem to support a custom install path.
> I would expect that you be fairly common with this crypto lib.

This is one of the very handy things about pkg-config. Set
PKG_CONFIG_PATH to include extra search directories, or set
PKG_CONFIG_LIBDIR to replace the default search directories.
The latter is what to use when cross-compiling.


> Does it even ship a pkg-config file itself?

This is what I use for development. Set prefix as in menuconfig.

--8<-- axtls.pc
prefix=/tmp/ax
exec_prefix=${prefix}
libdir=${exec_prefix}/lib
includedir=${prefix}/include
Name: axtls
Description: axTLS
Version: 250
Libs: -L${libdir} -laxtls
Cflags: -I${includedir}
-->8--


> It also adds a requirement for the pkg-config autoconf stuff, which
> I guess I'm fine with but I know that in other projects that makes
> people uncomfortable because it adds more prerequisites to the build
> process.

That's true. I would like it if all libraries could provide both a
.pc file for me and a .cmake file for the cmake folks, but not all
libraries have even one of the two.


I'll rework configure.ac to not use pkg-config, at least as long as
upstream doesn't provide a .pc file. :)


> src/axtls.[ch] don't use our source code style: tabs, wrong indent
> level, long lines, starting brace in function declaration on the
> wrong line, case + return on the same line.

Ack, thanks a lot for the list! I'll make sure to fix those.

No new patch tonight, nor tomorrow, but I'll post something by Monday
morning at the very latest.


//Peter

From libssh2-devel-bounces@cool.haxx.se  Tue Oct 25 08:53:18 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u9P6qol7022570;
	Tue, 25 Oct 2016 08:53:13 +0200
Received: from giant.haxx.se (localhost.localdomain [127.0.0.1])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u9P6qmUn022559
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Tue, 25 Oct 2016 08:52:48 +0200
Received: from localhost (dast@localhost)
 by giant.haxx.se (8.15.2/8.15.2/Submit) with ESMTP id u9P6qmpY022554
 for <libssh2-devel@cool.haxx.se>; Tue, 25 Oct 2016 08:52:48 +0200
X-Authentication-Warning: giant.haxx.se: dast owned process doing -bs
Date: Tue, 25 Oct 2016 08:52:48 +0200 (CEST)
From: Daniel Stenberg <daniel@haxx.se>
X-X-Sender: dast@giant.haxx.se
To: libssh2 development <libssh2-devel@cool.haxx.se>
Subject: [RELEASE] libssh2 1.8.0
Message-ID: <alpine.DEB.2.20.1610250851150.10100@tvnag.unkk.fr>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
X-fromdanielhimself: yes
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by giant.haxx.se id u9P6qol7022570

Hi friends,

I've just packaged, signed and uploaded libssh2 1.8.0. Enjoy! As always, 
you'll find it here:

   https://www.libssh2.org/

libssh2 1.8.0

This release includes the following changes:

  o added a basic dockerised test suite
  o crypto: add support for the mbedTLS backend

This release includes the following bugfixes:

  o libgcrypt: fixed a NULL pointer dereference on OOM
  o VMS: can't use %zd for off_t format
  o VMS: update vms/libssh2_config.h
  o windows: link with crypt32.lib
  o libssh2_channel_open: speeling error fixed in channel error message
  o msvc: fixed 14 compilation warnings
  o tests: HAVE_NETINET_IN_H was not defined correctly
  o openssl: add OpenSSL 1.1.0 compatibility
  o cmake: Add CLEAR_MEMORY option, analogously to that for autoconf
  o configure: make the --with-* options override the OpenSSL default
  o libssh2_wait_socket: set err_msg on errors
  o libssh2_wait_socket: Fix comparison with api_timeout to use milliseconds

This release would not have looked like this without help, code, reports and
advice from friends like these:

   Alexander Lamaison, Antenore Gatta, Brad Harder, Charles Collicutt,
   Craig A. Berry, Dan Fandrich, Daniel Stenberg, Kamil Dudka, Keno Fischer,
   Taylor Holberton, Viktor Szakats, Will Cosgrove, Zenju
   (12 contributors)

         Thanks! (and sorry if I forgot to mention someone)

-- 

  / daniel.haxx.se

From libssh2-devel-bounces@cool.haxx.se  Tue Oct 25 23:41:17 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u9PLemRc030592;
	Tue, 25 Oct 2016 23:41:12 +0200
Received: from giant.haxx.se (localhost.localdomain [127.0.0.1])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u9PLekNr030581
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Tue, 25 Oct 2016 23:40:46 +0200
Received: from localhost (dast@localhost)
 by giant.haxx.se (8.15.2/8.15.2/Submit) with ESMTP id u9PLekM8030577
 for <libssh2-devel@cool.haxx.se>; Tue, 25 Oct 2016 23:40:46 +0200
X-Authentication-Warning: giant.haxx.se: dast owned process doing -bs
Date: Tue, 25 Oct 2016 23:40:46 +0200 (CEST)
From: Daniel Stenberg <daniel@haxx.se>
X-X-Sender: dast@giant.haxx.se
To: libssh2 development <libssh2-devel@cool.haxx.se>
Subject: Buffer overflow with mbedTLS
Message-ID: <alpine.DEB.2.20.1610252337580.32710@tvnag.unkk.fr>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
X-fromdanielhimself: yes
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by giant.haxx.se id u9PLemRc030592

Hey all,

I'm forwarding this just to make sure you all are aware - this is not what I 
normally do with bugs. The mbedTLS crypto backend is obviously brand new so 
this flaw shouldn't hurt anyone's use of libssh2 in production but should 
perhaps make you pause if you had plans to.

I suppose this could warrant a follow-up release once this is fixed.

-- 

  / daniel.haxx.se

---------- Forwarded message ----------
Date: Tue, 25 Oct 2016 23:35:32
From: doublex <notifications@github.com>
Reply-To: libssh2/libssh2
     <reply+0002b373b499828632a8d07d4465116c62ae0787ec7b465792cf00000001142792249
     2a169ce0b0a8ba7@reply.github.com>
To: libssh2/libssh2 <libssh2@noreply.github.com>
Subject: [libssh2/libssh2] Buffer overflow (#138)

I have tried libssh2 with mbedtls. "AddressSanitizer" aborts the progress due to a heap-buffer overflow:

````
=================================================================
==4888==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61300000cad0 at pc 0x7f94e1993bec bp 0x7ffd2af357e0 sp 0x7ffd2af34f88
WRITE of size 384 at 0x61300000cad0 thread T0
     #0 0x7f94e1993beb in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cbeb)
     #1 0xd7a240 in mbedtls_rsa_init mbedtls/rsa.c:71
     #2 0xecee57 in _libssh2_mbedtls_rsa_new ssh2/mbedtls.c:279
     #3 0xebbf5b in hostkey_method_ssh_rsa_init ssh2/hostkey.c:96
     #4 0xec3af4 in diffie_hellman_sha256 ssh2/kex.c:928
     #5 0xec8e2a in kex_method_diffie_hellman_group_exchange_sha256_key_exchange ssh2/kex.c:1657
     #6 0xeccaa9 in _libssh2_kex_exchange ssh2/kex.c:2542
     #7 0xede6f7 in session_startup ssh2/session.c:726
     #8 0xedec95 in libssh2_session_handshake ssh2/session.c:804
     #9 0xeded2e in libssh2_session_startup ssh2/session.c:823
     #10 0x10e2b24 in ssh2_session_init ssh.cpp:1386
     #11 0x10e389a in ssh2_connect ssh.cpp:1440
     #12 0xfbcfbc in update update.cpp:98
     #13 0xfbdb60 in main update.cpp:2195
     #14 0x7f94e000782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
     #15 0x40a358 in _start (update+0x40a358)

0x61300000cad0 is located 0 bytes to the right of 336-byte region [0x61300000c980,0x61300000cad0)
allocated by thread T0 here:
     #0 0x7f94e199f79a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
     #1 0xecee36 in _libssh2_mbedtls_rsa_new ssh2/mbedtls.c:277
     #2 0xebbf5b in hostkey_method_ssh_rsa_init ssh2/hostkey.c:96
     #3 0xec3af4 in diffie_hellman_sha256 ssh2/kex.c:928
     #4 0xec8e2a in kex_method_diffie_hellman_group_exchange_sha256_key_exchange ssh2/kex.c:1657
     #5 0xeccaa9 in _libssh2_kex_exchange ssh2/kex.c:2542
     #6 0xede6f7 in session_startup ssh2/session.c:726
     #7 0xedec95 in libssh2_session_handshake ssh2/session.c:804
     #8 0xeded2e in libssh2_session_startup ssh2/session.c:823
     #9 0x10e2b24 in ssh2_session_init ssh.cpp:1386
     #10 0x10e389a in ssh2_connect ssh.cpp:1440
     #11 0xfbcfbc in update update.cpp:98
     #12 0xfbdb60 in main update.cpp:2195
     #13 0x7f94e000782f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
````

-- 
You are receiving this because you are subscribed to this thread.
Reply to this email directly or view it on GitHub:
https://github.com/libssh2/libssh2/issues/138
_______________________________________________
libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
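
A triage of the AddressSanitizer report in the forwarded issue above, as an added example (not part of the issue, the mail, or libssh2). It pulls out the access size, the region size, and the source frames where the buffer was allocated and overrun; the 48-byte excess assumes the memset began at the start of the region, which the report does not state.

```python
import re
from collections import namedtuple

# Excerpt of the report quoted in the forwarded issue (deeper frames trimmed).
REPORT = """\
==4888==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61300000cad0 at pc 0x7f94e1993bec bp 0x7ffd2af357e0 sp 0x7ffd2af34f88
WRITE of size 384 at 0x61300000cad0 thread T0
     #0 0x7f94e1993beb in __asan_memset (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x8cbeb)
     #1 0xd7a240 in mbedtls_rsa_init mbedtls/rsa.c:71
     #2 0xecee57 in _libssh2_mbedtls_rsa_new ssh2/mbedtls.c:279
     #3 0xebbf5b in hostkey_method_ssh_rsa_init ssh2/hostkey.c:96

0x61300000cad0 is located 0 bytes to the right of 336-byte region [0x61300000c980,0x61300000cad0)
allocated by thread T0 here:
     #0 0x7f94e199f79a in __interceptor_calloc (/usr/lib/x86_64-linux-gnu/libasan.so.2+0x9879a)
     #1 0xecee36 in _libssh2_mbedtls_rsa_new ssh2/mbedtls.c:277
     #2 0xebbf5b in hostkey_method_ssh_rsa_init ssh2/hostkey.c:96
"""

Frame = namedtuple("Frame", "func loc")

HEADER = re.compile(r"ERROR: AddressSanitizer: (\S+) on address 0x[0-9a-f]+")
ACCESS = re.compile(r"^(READ|WRITE) of size (\d+) at 0x[0-9a-f]+")
REGION = re.compile(r"located (\d+) bytes to the (right|left) of (\d+)-byte region "
                    r"\[(0x[0-9a-f]+),(0x[0-9a-f]+)\)")
FRAME = re.compile(r"^#\d+ 0x[0-9a-f]+ in (\S+) (.+)$")


def parse_report(text):
    """Split a heap-buffer-overflow report into header, access and allocation parts."""
    info = {"kind": None, "access": None, "access_size": None, "region": None,
            "access_stack": [], "alloc_stack": []}
    stack = None  # the stack that following "#N" lines belong to
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER.search(line)
        if m:
            info["kind"] = m.group(1)
            continue
        m = ACCESS.match(line)
        if m:
            info["access"], info["access_size"] = m.group(1), int(m.group(2))
            stack = info["access_stack"]
            continue
        m = REGION.search(line)
        if m:
            info["region"] = {"offset": int(m.group(1)), "side": m.group(2),
                              "size": int(m.group(3)),
                              "start": int(m.group(4), 16), "end": int(m.group(5), 16)}
            stack = None
            continue
        if line.startswith("allocated by thread"):
            stack = info["alloc_stack"]
            continue
        m = FRAME.match(line)
        if m and stack is not None:
            stack.append(Frame(m.group(1), m.group(2)))
    return info


def first_source_frame(stack):
    """First frame with file:line info; runtime frames show '(module+offset)'."""
    for frame in stack:
        if not frame.loc.startswith("("):
            return frame
    return None


def triage(info):
    """Summarise what a maintainer needs: how far, where written, where allocated."""
    region = info["region"]
    alloc_by_func = {f.func: f for f in info["alloc_stack"]}
    # Innermost function that both allocated the buffer and led to the bad access.
    shared = next((f for f in info["access_stack"] if f.func in alloc_by_func), None)
    return {
        "region_consistent": region["end"] - region["start"] == region["size"],
        # Assumption: the access started at the beginning of the region.
        "excess": max(info["access_size"] - region["size"], 0),
        "access_site": first_source_frame(info["access_stack"]),
        "alloc_site": first_source_frame(info["alloc_stack"]),
        "shared_caller": (shared.func, alloc_by_func[shared.func].loc, shared.loc)
                         if shared else None,
    }


if __name__ == "__main__":
    for key, value in triage(parse_report(REPORT)).items():
        print(f"{key}: {value}")
```

The shared caller points at the two lines to compare first: the size passed to the allocation at ssh2/mbedtls.c:277 against the size the initializer called at ssh2/mbedtls.c:279 clears.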

From libssh2-devel-bounces@cool.haxx.se  Tue Oct 25 23:47:57 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u9PLlsK7002296;
	Tue, 25 Oct 2016 23:47:56 +0200
Received: from giant.haxx.se (localhost.localdomain [127.0.0.1])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u9PLlrur002247
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Tue, 25 Oct 2016 23:47:53 +0200
Received: from localhost (dast@localhost)
 by giant.haxx.se (8.15.2/8.15.2/Submit) with ESMTP id u9PLlr9C002243
 for <libssh2-devel@cool.haxx.se>; Tue, 25 Oct 2016 23:47:53 +0200
X-Authentication-Warning: giant.haxx.se: dast owned process doing -bs
Date: Tue, 25 Oct 2016 23:47:53 +0200 (CEST)
From: Daniel Stenberg <daniel@haxx.se>
X-X-Sender: dast@giant.haxx.se
To: libssh2 development <libssh2-devel@cool.haxx.se>
Subject: Re: Buffer overflow with mbedTLS
In-Reply-To: <alpine.DEB.2.20.1610252337580.32710@tvnag.unkk.fr>
Message-ID: <alpine.DEB.2.20.1610252345260.32710@tvnag.unkk.fr>
References: <alpine.DEB.2.20.1610252337580.32710@tvnag.unkk.fr>
User-Agent: Alpine 2.20 (DEB 67 2015-01-07)
X-fromdanielhimself: yes
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"; Format="flowed"
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by giant.haxx.se id u9PLlsK7002296

On Tue, 25 Oct 2016, Daniel Stenberg wrote:

> I'm forwarding this just to make sure you all are aware - this is not what I 
> normally do with bugs. The mbedTLS crypto backend is obviously brand new so 
> this flaw shouldn't hurt anyone's use of libssh2 in production but should 
> perhaps make you pause if you had plans to.

Hm, okay I triggered really fast due to the possible importance but the bug was 
closed again... Sorry for being alarmist. But let's keep our eyes open and I 
think it is reasonable to be careful with a brand new backend like this.

-- 

  / daniel.haxx.se

From libssh2-devel-bounces@cool.haxx.se  Wed Oct 26 01:11:43 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u9PNBQHk022716;
	Wed, 26 Oct 2016 01:11:39 +0200
Received: from mail-vk0-x235.google.com (mail-vk0-x235.google.com
 [IPv6:2607:f8b0:400c:c05:0:0:0:235])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u9PNBMj7022529
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Wed, 26 Oct 2016 01:11:23 +0200
Received: by mail-vk0-x235.google.com with SMTP id d65so10996769vkg.0
 for <libssh2-devel@cool.haxx.se>; Tue, 25 Oct 2016 16:11:25 -0700 (PDT)
X-Received: by 10.31.159.65 with SMTP id i62mr16479787vke.130.1477437078643;
 Tue, 25 Oct 2016 16:11:18 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.103.98.199 with HTTP; Tue, 25 Oct 2016 16:10:38 -0700 (PDT)
In-Reply-To: <alpine.DEB.2.20.1610252345260.32710@tvnag.unkk.fr>
References: <alpine.DEB.2.20.1610252337580.32710@tvnag.unkk.fr>
 <alpine.DEB.2.20.1610252345260.32710@tvnag.unkk.fr>
From: Eduardo Silva <edsiper@gmail.com>
Date: Tue, 25 Oct 2016 17:10:38 -0600
Message-ID: <CAMAQheOFNRHvFoGCMJY0_Q3d7dVJ2W8OaaTULh86LWfg0eCGXA@mail.gmail.com>
Subject: Re: Buffer overflow with mbedTLS
To: libssh2 development <libssh2-devel@cool.haxx.se>
Content-Type: text/plain; charset="utf-8"
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by giant.haxx.se id u9PNBQHk022716

What version of mbedTLS is that?

On Tue, Oct 25, 2016 at 3:47 PM, Daniel Stenberg <daniel@haxx.se> wrote:
> On Tue, 25 Oct 2016, Daniel Stenberg wrote:
>
>> I'm forwarding this just to make sure you all are aware - this is not what
>> I normally do with bugs. The mbedTLS crypto backend is obviously brand new
>> so this flaw shouldn't hurt anyone's use of libssh2 in production but should
>> perhaps make you pause if you had plans to.
>
>
> Hm, okay I triggered really fast due to the possible importance but the bug
> was closed again... Sorry for being alarmist. But let's keep our eyes open
> and I think it is reasonable to be careful with a brand new backend like
> this.
>
> --
>
>  / daniel.haxx.se
> _______________________________________________
> libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel



-- 
Eduardo Silva
http://edsiper.linuxchile.cl
http://monkey-project.com

From libssh2-devel-bounces@cool.haxx.se  Thu Oct 27 01:49:56 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u9QNnNZe009136;
	Thu, 27 Oct 2016 01:49:50 +0200
Received: from foo.stuge.se (foo.stuge.se [212.116.89.98])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u9QNnN8L008633
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Thu, 27 Oct 2016 01:49:23 +0200
Received: (qmail 1082 invoked by uid 1000); 27 Oct 2016 00:35:42 -0000
Date: Thu, 27 Oct 2016 00:35:42 +0000
From: Peter Stuge <peter@stuge.se>
To: libssh2-devel@cool.haxx.se
Subject: Re: configure.ac crypto library checks [was: 1.8.0]
Message-ID: <20161027003542.GY20941@foo.stuge.se>
References: <alpine.DEB.2.20.1610250851150.10100@tvnag.unkk.fr>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <alpine.DEB.2.20.1610250851150.10100@tvnag.unkk.fr>
Content-Type: text/plain; charset="utf-8"
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by giant.haxx.se id u9QNnNZe009136

Good stuff!

I'm back on axTLS after hunting bugs in other software for some time.

While reworking configure.ac I found an issue..


Daniel Stenberg wrote:
>   o configure: make the --with-* options override the OpenSSL default

Maybe it's related, but I don't think so..


Both --with-openssl and --with-libssl-prefix are fine, configure.ac
does exactly the right thing there, but for libgcrypt and mbedtls the
following problems hold true:

* Neither --without-x nor --with-x=no makes configure skip the check
  and disregard a found library.

* --with-x=/path is preferred over --with-x-prefix=/path

The former is "accepted" by libssh2-specific code in acinclude.m4:
($use_libgcrypt gets set to the value of --with-libgcrypt=)

  if test -n "$use_libgcrypt" && test "$use_libgcrypt" != "no"; then
    LDFLAGS="$LDFLAGS -L$use_libgcrypt/lib"
    CFLAGS="$CFLAGS -I$use_libgcrypt/include"
  fi

And this code comes before AC_LIB_HAVE_LINKFLAGS(), which is what
creates and parses the --with-x-prefix= options.


The AC_LIB_HAVE_LINKFLAGS() call is furthermore unconditional, which
is why --without-x still makes configure check for and accept x. I've
fixed that by putting the call inside of:

if test "$use_libgcrypt" != "no"; then
fi

But it should be similar to what happens for OpenSSL and I'd also
like to remove the LDFLAGS and CFLAGS stuff; AC_LIB_HAVE_LINKFLAGS
already sets LTLIBGCRYPT and LTLIBMBEDTLS anyway.


Any objections?


//Peter

From libssh2-devel-bounces@cool.haxx.se  Thu Oct 27 02:10:52 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u9R0Aj38010345;
	Thu, 27 Oct 2016 02:10:50 +0200
Received: from foo.stuge.se (foo.stuge.se [212.116.89.98])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u9R0AhC2009740
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Thu, 27 Oct 2016 02:10:43 +0200
Received: (qmail 1191 invoked by uid 1000); 27 Oct 2016 00:57:03 -0000
Date: Thu, 27 Oct 2016 00:57:03 +0000
From: Peter Stuge <peter@stuge.se>
To: libssh2-devel@cool.haxx.se
Subject: Re: configure.ac crypto library checks [was: 1.8.0]
Message-ID: <20161027005703.GA20941@foo.stuge.se>
References: <alpine.DEB.2.20.1610250851150.10100@tvnag.unkk.fr>
 <20161027003542.GY20941@foo.stuge.se>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="aT9PWwzfKXlsBJM1"
Content-Disposition: inline
In-Reply-To: <20161027003542.GY20941@foo.stuge.se>
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>


--aT9PWwzfKXlsBJM1
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline

Peter Stuge wrote:
> * Neither --without-x nor --with-x=no makes configure skip the check
> * --with-x=/path is preferred over --with-x-prefix=/path
..
> it should be similar to what happens for OpenSSL and I'd also
> like to remove the LDFLAGS and CFLAGS stuff; AC_LIB_HAVE_LINKFLAGS
> already sets LTLIBGCRYPT and LTLIBMBEDTLS anyway.

Here's my proposed patch. If no objections I'll send a proper commit.


//Peter

--aT9PWwzfKXlsBJM1
Content-Type: text/x-diff; charset=utf-8
Content-Disposition: attachment; filename="cryptocheck.patch"

diff --git a/acinclude.m4 b/acinclude.m4
index 06583e9..28b85c2 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -382,80 +382,56 @@ AC_DEFUN([CURL_CONFIGURE_REENTRANT], [
   #
 ])
 
-AC_DEFUN([LIBSSH2_CHECKFOR_MBEDTLS], [
-
-  old_LDFLAGS=$LDFLAGS
-  old_CFLAGS=$CFLAGS
-  if test -n "$use_mbedtls" && test "$use_mbedtls" != "no"; then
-    LDFLAGS="$LDFLAGS -L$use_mbedtls/lib"
-    CFLAGS="$CFLAGS -I$use_mbedtls/include"
+AC_DEFUN([LIBSSH2_CHECKFOR_OPENSSL], [
+  if test "$found_crypto" = "none" && test "$use_openssl" != "no"; then
+    AC_LIB_HAVE_LINKFLAGS([ssl], [crypto], [#include <openssl/ssl.h>])
   fi
+  if test "$ac_cv_libssl" = "yes"; then
+    AC_DEFINE(LIBSSH2_OPENSSL, 1, [Use OpenSSL])
+    LIBSREQUIRED=libssl,libcrypto
 
-  if test "$use_mbedtls" != "no"; then
-    AC_LIB_HAVE_LINKFLAGS([mbedtls], [], [
-      #include <mbedtls/version.h>
-    ])
-  fi
+    # Not all OpenSSL have AES-CTR functions.
+    save_LIBS="$LIBS"
+    LIBS="$LIBS $LIBSSL"
+    AC_CHECK_FUNCS(EVP_aes_128_ctr)
+    LIBS="$save_LIBS"
 
-  if test "$ac_cv_libmbedtls" = "yes"; then
-    AC_DEFINE(LIBSSH2_MBEDTLS, 1, [Use mbedtls])
-    LIBSREQUIRED= # mbedtls doesn't provide a .pc file
-    LIBS="$LIBS -lmbedtls -lmbedcrypto"
-    found_crypto=libmbedtls
-    support_clear_memory=yes
-  else
-    # restore
-    LDFLAGS=$old_LDFLAGS
-    CFLAGS=$old_CFLAGS
+    found_crypto="OpenSSL (AES-CTR: ${ac_cv_func_EVP_aes_128_ctr:-N/A})"
   fi
 ])
 
 AC_DEFUN([LIBSSH2_CHECKFOR_GCRYPT], [
-
-  old_LDFLAGS=$LDFLAGS
-  old_CFLAGS=$CFLAGS
-  if test -n "$use_libgcrypt" && test "$use_libgcrypt" != "no"; then
-    LDFLAGS="$LDFLAGS -L$use_libgcrypt/lib"
-    CFLAGS="$CFLAGS -I$use_libgcrypt/include"
-  fi
-
-  if test "$use_libgcrypt" != "no"; then
-    AC_LIB_HAVE_LINKFLAGS([gcrypt], [], [
-      #include <gcrypt.h>
-    ])
+  if test "$found_crypto" = "none" && test "$use_libgcrypt" != "no"; then
+    AC_LIB_HAVE_LINKFLAGS([gcrypt], [], [#include <gcrypt.h>])
   fi
-
   if test "$ac_cv_libgcrypt" = "yes"; then
     AC_DEFINE(LIBSSH2_LIBGCRYPT, 1, [Use libgcrypt])
     LIBSREQUIRED= # libgcrypt doesn't provide a .pc file. sad face.
     LIBS="$LIBS -lgcrypt"
     found_crypto=libgcrypt
-  else
-    # restore
-    LDFLAGS=$old_LDFLAGS
-    CFLAGS=$old_CFLAGS
   fi
 ])
 
-
 AC_DEFUN([LIBSSH2_CHECKFOR_WINCNG], [
+  if test "$found_crypto" = "none" && test "$use_wincng" != "no"; then
 
-  # Look for Windows Cryptography API: Next Generation
+    # Look for Windows Cryptography API: Next Generation
 
-  AC_LIB_HAVE_LINKFLAGS([bcrypt], [], [
-    #include <windows.h>
-    #include <bcrypt.h>
-  ])
-  AC_LIB_HAVE_LINKFLAGS([crypt32], [], [
-    #include <windows.h>
-    #include <wincrypt.h>
-  ])
-  AC_CHECK_HEADERS([ntdef.h ntstatus.h], [], [], [
-    #include <windows.h>
-  ])
-  AC_CHECK_DECLS([SecureZeroMemory], [], [], [
-    #include <windows.h>
-  ])
+    AC_LIB_HAVE_LINKFLAGS([bcrypt], [], [
+      #include <windows.h>
+      #include <bcrypt.h>
+    ])
+    AC_LIB_HAVE_LINKFLAGS([crypt32], [], [
+      #include <windows.h>
+      #include <wincrypt.h>
+    ])
+    AC_CHECK_HEADERS([ntdef.h ntstatus.h], [], [], [
+      #include <windows.h>
+    ])
+    AC_CHECK_DECLS([SecureZeroMemory], [], [], [
+      #include <windows.h>
+    ])
+  fi
 
   if test "$ac_cv_libbcrypt" = "yes"; then
     AC_DEFINE(LIBSSH2_WINCNG, 1, [Use Windows CNG])
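Review bot: In the new LIBSSH2_CHECKFOR_OPENSSL and in LIBSSH2_CHECKFOR_GCRYPT, the `test "$ac_cv_libssl" = "yes"` and `test "$ac_cv_libgcrypt" = "yes"` blocks sit outside the `found_crypto` / `use_*` gate, so a cache variable that was not produced by this run (loaded from a config.cache of an earlier run, or preset in the environment) still defines the backend even though the probe was skipped for --without-x. Nesting the second `if` inside the gated one would make --without-x authoritative and would also prevent two LIBSSH2_* backends from being defined in the same build.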
@@ -470,3 +446,16 @@ AC_DEFUN([LIBSSH2_CHECKFOR_WINCNG], [
     fi
   fi
 ])
+
+AC_DEFUN([LIBSSH2_CHECKFOR_MBEDTLS], [
+  if test "$found_crypto" = "none" && test "$use_mbedtls" != "no"; then
+    AC_LIB_HAVE_LINKFLAGS([mbedtls], [], [#include <mbedtls/version.h>])
+  fi
+  if test "$ac_cv_libmbedtls" = "yes"; then
+    AC_DEFINE(LIBSSH2_MBEDTLS, 1, [Use mbedtls])
+    LIBSREQUIRED= # mbedtls doesn't provide a .pc file
+    LIBS="$LIBS -lmbedtls -lmbedcrypto"
+    found_crypto=mbedtls
+    support_clear_memory=yes
+  fi
+])
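Review bot: `LIBS="$LIBS -lmbedtls -lmbedcrypto"` names the libraries without any -L, and this patch drops the `LDFLAGS="$LDFLAGS -L$use_mbedtls/lib"` line that used to supply one, so anything linked through $LIBS alone has no search path for a copy located via the prefix option. Consider passing `[mbedcrypto]` as the dependency argument of AC_LIB_HAVE_LINKFLAGS, the way the OpenSSL check passes `[crypto]`, and using the variables it sets instead of the hard-coded flags. Also, `found_crypto` changes here from `libmbedtls` to `mbedtls`; anything that matches on the old string needs the same change.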
diff --git a/configure.ac b/configure.ac
index fe290ec..b8c74bb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -86,47 +86,33 @@ AC_SYS_LARGEFILE
 found_crypto=none
 
 # Configure parameters
-AC_ARG_WITH(openssl,
+
+AC_ARG_WITH([openssl],
   AC_HELP_STRING([--with-openssl],[Use OpenSSL for crypto]),
   use_openssl=$withval,use_openssl=auto)
-AC_ARG_WITH(libgcrypt,
+
+AC_ARG_WITH([libgcrypt],
   AC_HELP_STRING([--with-libgcrypt],[Use libgcrypt for crypto]),
-  [ use_libgcrypt=$withval
-    LIBSSH2_CHECKFOR_GCRYPT
-  ], use_libgcrypt=auto)
-AC_ARG_WITH(wincng,
+  use_libgcrypt=$withval,use_libgcrypt=auto)
+
+AC_ARG_WITH([wincng],
   AC_HELP_STRING([--with-wincng],[Use Windows CNG for crypto]),
-  [ use_wincng=$withval
-    LIBSSH2_CHECKFOR_WINCNG
-  ] ,use_wincng=auto)
+  use_wincng=$withval,use_wincng=auto)
+
 AC_ARG_WITH([mbedtls],
   AC_HELP_STRING([--with-mbedtls],[Use mbedTLS for crypto]),
-  [ use_mbedtls=$withval
-    LIBSSH2_CHECKFOR_MBEDTLS
-  ], use_mbedtls=auto
-)
-AC_ARG_WITH(libz,
+  use_mbedtls=$withval,use_mbedtls=auto)
+
+AC_ARG_WITH([libz],
   AC_HELP_STRING([--with-libz],[Use zlib for compression]),
   use_libz=$withval,use_libz=auto)
 
 support_clear_memory=no
 
-# Look for OpenSSL
-if test "$found_crypto" = "none" && test "$use_openssl" != "no"; then
-  AC_LIB_HAVE_LINKFLAGS([ssl], [crypto], [#include <openssl/ssl.h>])
-fi
-if test "$ac_cv_libssl" = "yes"; then
-  AC_DEFINE(LIBSSH2_OPENSSL, 1, [Use OpenSSL])
-  LIBSREQUIRED=libssl,libcrypto
-
-  # Not all OpenSSL have AES-CTR functions.
-  save_LIBS="$LIBS"
-  LIBS="$LIBS $LIBSSL"
-  AC_CHECK_FUNCS(EVP_aes_128_ctr)
-  LIBS="$save_LIBS"
-
-  found_crypto="OpenSSL (AES-CTR: ${ac_cv_func_EVP_aes_128_ctr:-N/A})"
-fi
+LIBSSH2_CHECKFOR_OPENSSL
+LIBSSH2_CHECKFOR_GCRYPT
+LIBSSH2_CHECKFOR_WINCNG
+LIBSSH2_CHECKFOR_MBEDTLS
 
 AM_CONDITIONAL(OPENSSL, test "$ac_cv_libssl" = "yes")
 AM_CONDITIONAL(WINCNG, test "$ac_cv_libbcrypt" = "yes")
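Review bot: Moving the LIBSSH2_CHECKFOR_* calls out of the AC_ARG_WITH actions changes precedence: the four checks now always run in the order OpenSSL, libgcrypt, WinCNG, mbedTLS, and each probe is gated on `found_crypto` still being "none", so with OpenSSL installed an explicit --with-libgcrypt or --with-mbedtls is never probed and OpenSSL is selected without a message. Before this hunk the explicitly requested backend ran its check first. Either run the checks for explicitly requested backends ahead of the automatic ones, or treat the remaining backends as "no" once one --with-x has been given.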
diff --git a/src/Makefile.am b/src/Makefile.am
index c14dc7c..6ba122b 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -65,4 +65,4 @@ VERSION=-version-info 1:1:0
 
 libssh2_la_LDFLAGS = $(VERSION) -no-undefined \
 	-export-symbols-regex '^libssh2_.*' \
-	$(LTLIBGCRYPT) $(LTLIBSSL) $(LTLIBZ)
+	$(LTLIBSSL) $(LTLIBGCRYPT) $(LTLIBMBEDTLS) $(LTLIBZ)
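Review bot: $(LTLIBMBEDTLS) is added on this line while acinclude.m4 in the same patch still appends `-lmbedtls -lmbedcrypto` (and `-lgcrypt`) to LIBS, so the same libraries reach the link line through two mechanisms; keeping only one makes it clear which search path wins. The WinCNG check also calls AC_LIB_HAVE_LINKFLAGS for bcrypt and crypt32, yet no $(LTLIBBCRYPT) or $(LTLIBCRYPT32) appears here; if that is intentional, a comment would help.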

--aT9PWwzfKXlsBJM1--

From libssh2-devel-bounces@cool.haxx.se  Thu Oct 27 02:18:52 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u9R0In95003778;
	Thu, 27 Oct 2016 02:18:51 +0200
Received: from foo.stuge.se (foo.stuge.se [212.116.89.98])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u9R0Il4L003226
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Thu, 27 Oct 2016 02:18:47 +0200
Received: (qmail 1272 invoked by uid 1000); 27 Oct 2016 01:05:08 -0000
Date: Thu, 27 Oct 2016 01:05:08 +0000
From: Peter Stuge <peter@stuge.se>
To: libssh2-devel@cool.haxx.se
Subject: Re: configure.ac crypto library checks [was: 1.8.0]
Message-ID: <20161027010508.GB20941@foo.stuge.se>
References: <alpine.DEB.2.20.1610250851150.10100@tvnag.unkk.fr>
 <20161027003542.GY20941@foo.stuge.se>
 <20161027005703.GA20941@foo.stuge.se>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="6WlEvdN9Dv0WHSBl"
Content-Disposition: inline
In-Reply-To: <20161027005703.GA20941@foo.stuge.se>
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>


--6WlEvdN9Dv0WHSBl
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline

Peter Stuge wrote:
> Here's my proposed patch.

No here. Sorry for the confusion.

Also, I would like to argue that given --with-x but no x found should
be considered a fatal error by configure. Any objections to that?


//Peter

--6WlEvdN9Dv0WHSBl
Content-Type: text/x-diff; charset=utf-8
Content-Disposition: attachment; filename="cryptocheck.patch"

diff --git a/acinclude.m4 b/acinclude.m4
index 734ef07..28b85c2 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -382,75 +382,56 @@ AC_DEFUN([CURL_CONFIGURE_REENTRANT], [
   #
 ])
 
-AC_DEFUN([LIBSSH2_CHECKFOR_MBEDTLS], [
-
-  old_LDFLAGS=$LDFLAGS
-  old_CFLAGS=$CFLAGS
-  if test -n "$use_mbedtls" && test "$use_mbedtls" != "no"; then
-    LDFLAGS="$LDFLAGS -L$use_mbedtls/lib"
-    CFLAGS="$CFLAGS -I$use_mbedtls/include"
+AC_DEFUN([LIBSSH2_CHECKFOR_OPENSSL], [
+  if test "$found_crypto" = "none" && test "$use_openssl" != "no"; then
+    AC_LIB_HAVE_LINKFLAGS([ssl], [crypto], [#include <openssl/ssl.h>])
   fi
+  if test "$ac_cv_libssl" = "yes"; then
+    AC_DEFINE(LIBSSH2_OPENSSL, 1, [Use OpenSSL])
+    LIBSREQUIRED=libssl,libcrypto
 
-  AC_LIB_HAVE_LINKFLAGS([mbedtls], [], [
-    #include <mbedtls/version.h>
-  ])
+    # Not all OpenSSL have AES-CTR functions.
+    save_LIBS="$LIBS"
+    LIBS="$LIBS $LIBSSL"
+    AC_CHECK_FUNCS(EVP_aes_128_ctr)
+    LIBS="$save_LIBS"
 
-  if test "$ac_cv_libmbedtls" = "yes"; then
-    AC_DEFINE(LIBSSH2_MBEDTLS, 1, [Use mbedtls])
-    LIBSREQUIRED= # mbedtls doesn't provide a .pc file
-    LIBS="$LIBS -lmbedtls -lmbedcrypto"
-    found_crypto=libmbedtls
-    support_clear_memory=yes
-  else
-    # restore
-    LDFLAGS=$old_LDFLAGS
-    CFLAGS=$old_CFLAGS
+    found_crypto="OpenSSL (AES-CTR: ${ac_cv_func_EVP_aes_128_ctr:-N/A})"
   fi
 ])
 
 AC_DEFUN([LIBSSH2_CHECKFOR_GCRYPT], [
-
-  old_LDFLAGS=$LDFLAGS
-  old_CFLAGS=$CFLAGS
-  if test -n "$use_libgcrypt" && test "$use_libgcrypt" != "no"; then
-    LDFLAGS="$LDFLAGS -L$use_libgcrypt/lib"
-    CFLAGS="$CFLAGS -I$use_libgcrypt/include"
+  if test "$found_crypto" = "none" && test "$use_libgcrypt" != "no"; then
+    AC_LIB_HAVE_LINKFLAGS([gcrypt], [], [#include <gcrypt.h>])
   fi
-  AC_LIB_HAVE_LINKFLAGS([gcrypt], [], [
-    #include <gcrypt.h>
-  ])
-
   if test "$ac_cv_libgcrypt" = "yes"; then
     AC_DEFINE(LIBSSH2_LIBGCRYPT, 1, [Use libgcrypt])
     LIBSREQUIRED= # libgcrypt doesn't provide a .pc file. sad face.
     LIBS="$LIBS -lgcrypt"
     found_crypto=libgcrypt
-  else
-    # restore
-    LDFLAGS=$old_LDFLAGS
-    CFLAGS=$old_CFLAGS
   fi
 ])
 
-
 AC_DEFUN([LIBSSH2_CHECKFOR_WINCNG], [
-
-  # Look for Windows Cryptography API: Next Generation
-
-  AC_LIB_HAVE_LINKFLAGS([bcrypt], [], [
-    #include <windows.h>
-    #include <bcrypt.h>
-  ])
-  AC_LIB_HAVE_LINKFLAGS([crypt32], [], [
-    #include <windows.h>
-    #include <wincrypt.h>
-  ])
-  AC_CHECK_HEADERS([ntdef.h ntstatus.h], [], [], [
-    #include <windows.h>
-  ])
-  AC_CHECK_DECLS([SecureZeroMemory], [], [], [
-    #include <windows.h>
-  ])
+  if test "$found_crypto" = "none" && test "$use_wincng" != "no"; then
+
+    # Look for Windows Cryptography API: Next Generation
+
+    AC_LIB_HAVE_LINKFLAGS([bcrypt], [], [
+      #include <windows.h>
+      #include <bcrypt.h>
+    ])
+    AC_LIB_HAVE_LINKFLAGS([crypt32], [], [
+      #include <windows.h>
+      #include <wincrypt.h>
+    ])
+    AC_CHECK_HEADERS([ntdef.h ntstatus.h], [], [], [
+      #include <windows.h>
+    ])
+    AC_CHECK_DECLS([SecureZeroMemory], [], [], [
+      #include <windows.h>
+    ])
+  fi
 
   if test "$ac_cv_libbcrypt" = "yes"; then
     AC_DEFINE(LIBSSH2_WINCNG, 1, [Use Windows CNG])
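Review bot: With the `-L$use_libgcrypt/lib` and `-I$use_libgcrypt/include` lines (and the mbedTLS equivalents) removed, a value such as --with-libgcrypt=/path is still accepted, because the gate only compares against "no", but the path is now ignored without any message and whichever copy the default search finds gets linked. Suggest rejecting or warning on values other than yes, no and auto, and pointing the user at the corresponding -prefix option.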
@@ -465,3 +446,16 @@ AC_DEFUN([LIBSSH2_CHECKFOR_WINCNG], [
     fi
   fi
 ])
+
+AC_DEFUN([LIBSSH2_CHECKFOR_MBEDTLS], [
+  if test "$found_crypto" = "none" && test "$use_mbedtls" != "no"; then
+    AC_LIB_HAVE_LINKFLAGS([mbedtls], [], [#include <mbedtls/version.h>])
+  fi
+  if test "$ac_cv_libmbedtls" = "yes"; then
+    AC_DEFINE(LIBSSH2_MBEDTLS, 1, [Use mbedtls])
+    LIBSREQUIRED= # mbedtls doesn't provide a .pc file
+    LIBS="$LIBS -lmbedtls -lmbedcrypto"
+    found_crypto=mbedtls
+    support_clear_memory=yes
+  fi
+])
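Review bot: For the fatal-error behaviour proposed in the message above, this macro has no branch for the case where `$use_mbedtls` is an explicit request and `$ac_cv_libmbedtls` is not "yes". The probe is also skipped when `found_crypto` was already set by an earlier check, so the error test has to tell "not found" apart from "not probed". An AC_MSG_ERROR in an else branch, guarded by `test "$use_mbedtls" != "auto" && test "$use_mbedtls" != "no"`, would cover the first case.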
diff --git a/configure.ac b/configure.ac
index fe290ec..b8c74bb 100644
--- a/configure.ac
+++ b/configure.ac
@@ -86,47 +86,33 @@ AC_SYS_LARGEFILE
 found_crypto=none
 
 # Configure parameters
-AC_ARG_WITH(openssl,
+
+AC_ARG_WITH([openssl],
   AC_HELP_STRING([--with-openssl],[Use OpenSSL for crypto]),
   use_openssl=$withval,use_openssl=auto)
-AC_ARG_WITH(libgcrypt,
+
+AC_ARG_WITH([libgcrypt],
   AC_HELP_STRING([--with-libgcrypt],[Use libgcrypt for crypto]),
-  [ use_libgcrypt=$withval
-    LIBSSH2_CHECKFOR_GCRYPT
-  ], use_libgcrypt=auto)
-AC_ARG_WITH(wincng,
+  use_libgcrypt=$withval,use_libgcrypt=auto)
+
+AC_ARG_WITH([wincng],
   AC_HELP_STRING([--with-wincng],[Use Windows CNG for crypto]),
-  [ use_wincng=$withval
-    LIBSSH2_CHECKFOR_WINCNG
-  ] ,use_wincng=auto)
+  use_wincng=$withval,use_wincng=auto)
+
 AC_ARG_WITH([mbedtls],
   AC_HELP_STRING([--with-mbedtls],[Use mbedTLS for crypto]),
-  [ use_mbedtls=$withval
-    LIBSSH2_CHECKFOR_MBEDTLS
-  ], use_mbedtls=auto
-)
-AC_ARG_WITH(libz,
+  use_mbedtls=$withval,use_mbedtls=auto)
+
+AC_ARG_WITH([libz],
   AC_HELP_STRING([--with-libz],[Use zlib for compression]),
   use_libz=$withval,use_libz=auto)
 
 support_clear_memory=no
 
-# Look for OpenSSL
-if test "$found_crypto" = "none" && test "$use_openssl" != "no"; then
-  AC_LIB_HAVE_LINKFLAGS([ssl], [crypto], [#include <openssl/ssl.h>])
-fi
-if test "$ac_cv_libssl" = "yes"; then
-  AC_DEFINE(LIBSSH2_OPENSSL, 1, [Use OpenSSL])
-  LIBSREQUIRED=libssl,libcrypto
-
-  # Not all OpenSSL have AES-CTR functions.
-  save_LIBS="$LIBS"
-  LIBS="$LIBS $LIBSSL"
-  AC_CHECK_FUNCS(EVP_aes_128_ctr)
-  LIBS="$save_LIBS"
-
-  found_crypto="OpenSSL (AES-CTR: ${ac_cv_func_EVP_aes_128_ctr:-N/A})"
-fi
+LIBSSH2_CHECKFOR_OPENSSL
+LIBSSH2_CHECKFOR_GCRYPT
+LIBSSH2_CHECKFOR_WINCNG
+LIBSSH2_CHECKFOR_MBEDTLS
 
 AM_CONDITIONAL(OPENSSL, test "$ac_cv_libssl" = "yes")
 AM_CONDITIONAL(WINCNG, test "$ac_cv_libbcrypt" = "yes")
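Review bot: The help strings in these AC_ARG_WITH calls still read "Use X for crypto" and do not say which values are accepted; since the path form is no longer honoured after this patch, the text for --with-libgcrypt and --with-mbedtls should mention the -prefix option instead. While every AC_ARG_WITH is being touched, AC_HELP_STRING could become AS_HELP_STRING and the two action arguments could be bracket-quoted like the first. This revision also no longer carries the src/Makefile.am change from the previous posting, so $(LTLIBMBEDTLS) is not added to the link line.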

--6WlEvdN9Dv0WHSBl--

From libssh2-devel-bounces@cool.haxx.se  Thu Oct 27 10:12:45 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u9R8CFW8026405;
	Thu, 27 Oct 2016 10:12:36 +0200
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u9R8CDu8026366
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Thu, 27 Oct 2016 10:12:14 +0200
Received: from int-mx13.intmail.prod.int.phx2.redhat.com
 (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id E407A8E67E;
 Thu, 27 Oct 2016 08:12:08 +0000 (UTC)
Received: from kdudka-nb.localnet (unused-4-224.brq.redhat.com [10.34.4.224])
 by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with
 ESMTP id u9R8C7iV007248
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
 Thu, 27 Oct 2016 04:12:08 -0400
From: Kamil Dudka <kdudka@redhat.com>
To: Peter Stuge <peter@stuge.se>
Subject: Re: configure.ac crypto library checks [was: 1.8.0]
Date: Thu, 27 Oct 2016 10:12:12 +0200
Message-ID: <21734096.y6rRnAzx9O@kdudka-nb>
User-Agent: KMail/4.14.10 (Linux/4.7.10-gentoo; KDE/4.14.24; x86_64; ; )
In-Reply-To: <20161027010508.GB20941@foo.stuge.se>
References: <alpine.DEB.2.20.1610250851150.10100@tvnag.unkk.fr>
 <20161027005703.GA20941@foo.stuge.se> <20161027010508.GB20941@foo.stuge.se>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.25]); Thu, 27 Oct 2016 08:12:08 +0000 (UTC)
Cc: libssh2-devel@cool.haxx.se
Content-Type: text/plain; charset="utf-8"
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by giant.haxx.se id u9R8CFW8026405

On Thursday, October 27, 2016 01:05:08 Peter Stuge wrote:
> Also, I would like to argue that given --with-x but no x found should
> be considered a fatal error by configure. Any objections to that?

Sounds like a good idea.  By fatal error, you mean to return non-zero exit 
status from configure script, or exit immediately and skip all the remaining 
checks?

I would prefer the former.

Kamil

> //Peter
_______________________________________________
libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel
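
The two readings of a fatal `--with-x` failure raised in this exchange (stop at once, or finish the checks and then exit non-zero), modelled as an added shell sketch that is not code from the thread or from libssh2's configure. `BACKENDS`, `INSTALLED`, `probe`, `request_of` and `select_crypto` are hypothetical names, the library probe is replaced by a constructed list, and trying explicit requests before automatic detection is an assumption of the sketch.

```shell
#!/bin/sh
# Sketch of crypto backend selection with fatal handling of unmet requests.
# INSTALLED is constructed sample data standing in for configure's real
# library probes; use_<backend> mirrors the value AC_ARG_WITH would store
# (auto when the option is absent, no, yes, or a path).

BACKENDS="openssl libgcrypt wincng mbedtls"

# probe NAME: succeed when NAME appears in the constructed INSTALLED list.
probe() {
  case " $INSTALLED " in
    *" $1 "*) return 0 ;;
  esac
  return 1
}

# request_of NAME: print the user's setting for NAME, "auto" when unset.
request_of() {
  eval "printf '%s\n' \"\${use_$1:-auto}\""
}

# select_crypto MODE
#   MODE=immediate  stop at the first explicit request that cannot be met
#   MODE=deferred   finish all checks, then report every unmet request
# Prints "crypto=<name>" and returns 0, or prints "error: ..." lines and
# returns 1.
select_crypto() {
  mode=$1
  found=none
  errors=

  # Pass 1: explicit requests (--with-x or --with-x=/path) come first so an
  # automatically detected default can never displace them (assumption).
  for b in $BACKENDS; do
    case "$(request_of "$b")" in
      auto|no) continue ;;
    esac
    if probe "$b"; then
      if [ "$found" = none ]; then found=$b; fi
    else
      errors="${errors}error: --with-$b given but $b not found
"
      if [ "$mode" = immediate ]; then
        printf '%s' "$errors"
        return 1
      fi
    fi
  done

  # Pass 2: automatic detection; anything set to "no" is never probed.
  for b in $BACKENDS; do
    [ "$found" = none ] || break
    [ "$(request_of "$b")" = auto ] || continue
    if probe "$b"; then found=$b; fi
  done

  if [ -n "$errors" ]; then
    printf '%s' "$errors"
    return 1
  fi
  if [ "$found" = none ]; then
    echo "error: no crypto backend found"
    return 1
  fi
  echo "crypto=$found"
}

# Demo on constructed input: only OpenSSL is installed, mbedTLS was requested.
( INSTALLED="openssl"; use_mbedtls=yes; select_crypto deferred ) || true
```

In `deferred` mode the user sees every unmet request in one run; in `immediate` mode only the first, which is the practical difference between the two options discussed.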

From libssh2-devel-bounces@cool.haxx.se  Thu Oct 27 12:29:31 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u9RATE7S010514;
	Thu, 27 Oct 2016 12:29:27 +0200
Received: from foo.stuge.se (foo.stuge.se [212.116.89.98])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u9RATD8u010495
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Thu, 27 Oct 2016 12:29:13 +0200
Received: (qmail 6720 invoked by uid 1000); 27 Oct 2016 11:15:30 -0000
Date: Thu, 27 Oct 2016 11:15:30 +0000
From: Peter Stuge <peter@stuge.se>
To: libssh2-devel@cool.haxx.se
Subject: Re: configure.ac crypto library checks [was: 1.8.0]
Message-ID: <20161027111530.GD20941@foo.stuge.se>
References: <alpine.DEB.2.20.1610250851150.10100@tvnag.unkk.fr>
 <20161027005703.GA20941@foo.stuge.se>
 <20161027010508.GB20941@foo.stuge.se>
 <21734096.y6rRnAzx9O@kdudka-nb>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <21734096.y6rRnAzx9O@kdudka-nb>
X-BeenThere: libssh2-devel@cool.haxx.se
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: libssh2 development <libssh2-devel.cool.haxx.se>
List-Unsubscribe: <https://cool.haxx.se/cgi-bin/mailman/options/libssh2-devel>, 
 <mailto:libssh2-devel-request@cool.haxx.se?subject=unsubscribe>
List-Archive: <http://cool.haxx.se/pipermail/libssh2-devel/>
List-Post: <mailto:libssh2-devel@cool.haxx.se>
List-Help: <mailto:libssh2-devel-request@cool.haxx.se?subject=help>
List-Subscribe: <https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel>, 
 <mailto:libssh2-devel-request@cool.haxx.se?subject=subscribe>
Reply-To: libssh2 development <libssh2-devel@cool.haxx.se>
Content-Type: text/plain; charset="utf-8"
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by giant.haxx.se id u9RATE7S010514

Kamil Dudka wrote:
> On Thursday, October 27, 2016 01:05:08 Peter Stuge wrote:
> > Also, I would like to argue that given --with-x but no x found should
> > be considered a fatal error by configure. Any objections to that?
> 
> Sounds like a good idea.  By fatal error, you mean to return non-zero exit 
> status from configure script, or exit immediately and skip all the remaining 
> checks?
> 
> I would prefer the former.

Right, certainly exit non-zero.

I was thinking exiting then and there (with a useful error message)
when the requested x is not available.

Why do you prefer running more checks when a failure can't be avoided
anyway?


Thanks

//Peter

From libssh2-devel-bounces@cool.haxx.se  Thu Oct 27 12:44:29 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u9RAiN3G002264;
	Thu, 27 Oct 2016 12:44:27 +0200
Received: from foo.stuge.se (foo.stuge.se [212.116.89.98])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u9RAiMID002186
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Thu, 27 Oct 2016 12:44:22 +0200
Received: (qmail 7058 invoked by uid 1000); 27 Oct 2016 11:30:40 -0000
Date: Thu, 27 Oct 2016 11:30:40 +0000
From: Peter Stuge <peter@stuge.se>
To: libssh2-devel@cool.haxx.se
Subject: Re: configure.ac crypto library checks [was: 1.8.0]
Message-ID: <20161027113040.GE20941@foo.stuge.se>
References: <alpine.DEB.2.20.1610250851150.10100@tvnag.unkk.fr>
 <20161027005703.GA20941@foo.stuge.se>
 <20161027010508.GB20941@foo.stuge.se>
 <21734096.y6rRnAzx9O@kdudka-nb>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <21734096.y6rRnAzx9O@kdudka-nb>
X-BeenThere: libssh2-devel@cool.haxx.se
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: libssh2 development <libssh2-devel.cool.haxx.se>
List-Unsubscribe: <https://cool.haxx.se/cgi-bin/mailman/options/libssh2-devel>, 
 <mailto:libssh2-devel-request@cool.haxx.se?subject=unsubscribe>
List-Archive: <http://cool.haxx.se/pipermail/libssh2-devel/>
List-Post: <mailto:libssh2-devel@cool.haxx.se>
List-Help: <mailto:libssh2-devel-request@cool.haxx.se?subject=help>
List-Subscribe: <https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel>, 
 <mailto:libssh2-devel-request@cool.haxx.se?subject=subscribe>
Reply-To: libssh2 development <libssh2-devel@cool.haxx.se>
Content-Type: text/plain; charset="utf-8"
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by giant.haxx.se id u9RAiN3G002264

Kamil Dudka wrote:
> > Also, I would like to argue that given --with-x but no x found should
> > be considered a fatal error by configure. Any objections to that?
> 
> Sounds like a good idea.

This would also mean that
--with-{openssl,libgcrypt,wincng,mbedtls,axtls} become mutually
exclusive, which makes a lot of sense.

How about moving to --with-crypto=x ?

And maybe also a single common --with-crypto-prefix= though I'm less
sure there?


//Peter

From libssh2-devel-bounces@cool.haxx.se  Thu Oct 27 12:44:55 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u9RAisJj002864;
	Thu, 27 Oct 2016 12:44:55 +0200
Received: from mail-lf0-x235.google.com (mail-lf0-x235.google.com
 [IPv6:2a00:1450:4010:c07:0:0:0:235])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u9RAir54002800
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Thu, 27 Oct 2016 12:44:53 +0200
Received: by mail-lf0-x235.google.com with SMTP id b81so27209339lfe.1
 for <libssh2-devel@cool.haxx.se>; Thu, 27 Oct 2016 03:44:54 -0700 (PDT)
X-Received: by 10.25.137.68 with SMTP id l65mr5679637lfd.115.1477565088968;
 Thu, 27 Oct 2016 03:44:48 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.114.196.197 with HTTP; Thu, 27 Oct 2016 03:44:47 -0700 (PDT)
In-Reply-To: <20161027111530.GD20941@foo.stuge.se>
References: <alpine.DEB.2.20.1610250851150.10100@tvnag.unkk.fr>
 <20161027005703.GA20941@foo.stuge.se> <20161027010508.GB20941@foo.stuge.se>
 <21734096.y6rRnAzx9O@kdudka-nb> <20161027111530.GD20941@foo.stuge.se>
From: Tor Arntsen <kspt.tor@gmail.com>
Date: Thu, 27 Oct 2016 12:44:47 +0200
Message-ID: <CAL1JhhxcggKx=NrWvyVcaA1NdsbtXvhTdhCkZk5UvzsbPQHp-A@mail.gmail.com>
Subject: Re: configure.ac crypto library checks [was: 1.8.0]
To: libssh2 development <libssh2-devel@cool.haxx.se>
X-BeenThere: libssh2-devel@cool.haxx.se
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: libssh2 development <libssh2-devel.cool.haxx.se>
List-Unsubscribe: <https://cool.haxx.se/cgi-bin/mailman/options/libssh2-devel>, 
 <mailto:libssh2-devel-request@cool.haxx.se?subject=unsubscribe>
List-Archive: <http://cool.haxx.se/pipermail/libssh2-devel/>
List-Post: <mailto:libssh2-devel@cool.haxx.se>
List-Help: <mailto:libssh2-devel-request@cool.haxx.se?subject=help>
List-Subscribe: <https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel>, 
 <mailto:libssh2-devel-request@cool.haxx.se?subject=subscribe>
Reply-To: libssh2 development <libssh2-devel@cool.haxx.se>
Content-Type: text/plain; charset="utf-8"
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by giant.haxx.se id u9RAisJj002864

On 27 October 2016 at 13:15, Peter Stuge <peter@stuge.se> wrote:
> Kamil Dudka wrote:
>> On Thursday, October 27, 2016 01:05:08 Peter Stuge wrote:
>> > Also, I would like to argue that given --with-x but no x found should
>> > be considered a fatal error by configure. Any objections to that?
>>
>> Sounds like a good idea.  By fatal error, you mean to return non-zero exit
>> status from configure script, or exit immediately and skip all the remaining
>> checks?
>>
>> I would prefer the former.
>
> Right, certainly exit non-zero.
>
> I was thinking exiting then and there (with a useful error message)
> when the requested x is not available.
>
> Why do you prefer running more checks when a failure can't be avoided
> anyway?

I would prefer the latter. It's messy to work with configure scripts
which just continue after detecting something missing, with tons of
more output, and then have to scroll back page after page to try to
spot where it failed (or where it first failed). Better to exit
directly there and then, the failed check right at the end, fix (e.g.
install a missing library), run configure again, repeat as necessary.
Much easier.

From libssh2-devel-bounces@cool.haxx.se  Thu Oct 27 14:05:03 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u9RC4hlg002626;
	Thu, 27 Oct 2016 14:04:59 +0200
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u9RC4fcq002607
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Thu, 27 Oct 2016 14:04:42 +0200
Received: from int-mx13.intmail.prod.int.phx2.redhat.com
 (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id E80F62B4D44;
 Thu, 27 Oct 2016 11:40:17 +0000 (UTC)
Received: from kdudka-nb.localnet (unused-4-224.brq.redhat.com [10.34.4.224])
 by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with
 ESMTP id u9RBeEen015526
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
 Thu, 27 Oct 2016 07:40:15 -0400
From: Kamil Dudka <kdudka@redhat.com>
To: Tor Arntsen <kspt.tor@gmail.com>
Subject: Re: configure.ac crypto library checks [was: 1.8.0]
Date: Thu, 27 Oct 2016 13:40:18 +0200
Message-ID: <2526780.CMa8EykBfj@kdudka-nb>
User-Agent: KMail/4.14.10 (Linux/4.7.10-gentoo; KDE/4.14.24; x86_64; ; )
In-Reply-To: <CAL1JhhxcggKx=NrWvyVcaA1NdsbtXvhTdhCkZk5UvzsbPQHp-A@mail.gmail.com>
References: <alpine.DEB.2.20.1610250851150.10100@tvnag.unkk.fr>
 <20161027111530.GD20941@foo.stuge.se>
 <CAL1JhhxcggKx=NrWvyVcaA1NdsbtXvhTdhCkZk5UvzsbPQHp-A@mail.gmail.com>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.28]); Thu, 27 Oct 2016 11:40:17 +0000 (UTC)
X-BeenThere: libssh2-devel@cool.haxx.se
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: libssh2 development <libssh2-devel.cool.haxx.se>
List-Unsubscribe: <https://cool.haxx.se/cgi-bin/mailman/options/libssh2-devel>, 
 <mailto:libssh2-devel-request@cool.haxx.se?subject=unsubscribe>
List-Archive: <http://cool.haxx.se/pipermail/libssh2-devel/>
List-Post: <mailto:libssh2-devel@cool.haxx.se>
List-Help: <mailto:libssh2-devel-request@cool.haxx.se?subject=help>
List-Subscribe: <https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel>, 
 <mailto:libssh2-devel-request@cool.haxx.se?subject=subscribe>
Reply-To: libssh2 development <libssh2-devel@cool.haxx.se>
Cc: libssh2-devel@cool.haxx.se
Content-Type: text/plain; charset="utf-8"
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by giant.haxx.se id u9RC4hlg002626

On Thursday, October 27, 2016 12:44:47 Tor Arntsen wrote:
> On 27 October 2016 at 13:15, Peter Stuge <peter@stuge.se> wrote:
> > Kamil Dudka wrote:
> >> On Thursday, October 27, 2016 01:05:08 Peter Stuge wrote:
> >> > Also, I would like to argue that given --with-x but no x found should
> >> > be considered a fatal error by configure. Any objections to that?
> >> 
> >> Sounds like a good idea.  By fatal error, you mean to return non-zero
> >> exit
> >> status from configure script, or exit immediately and skip all the
> >> remaining checks?
> >> 
> >> I would prefer the former.
> > 
> > Right, certainly exit non-zero.
> > 
> > I was thinking exiting then and there (with a useful error message)
> > when the requested x is not available.
> > 
> > Why do you prefer running more checks when a failure can't be avoided
> > anyway?
> 
> I would prefer the latter. It's messy to work with configure scripts
> which just continue after detecting something missing, with tons of
> more output, and then have to scroll back page after page to try to
> spot where it failed (or where it first failed). Better to exit
> directly there and then, the failed check right at the end, fix (e.g.
> install a missing library), run configure again, repeat as necessary.
> Much easier.

It sounds more like a reason to summarize all errors after the configure 
script finishes, not a reason to skip the remaining configure checks.  It 
would make sense to skip them if the configure script ran overly long but
it is fortunately not the case with libssh2.

Kamil

From libssh2-devel-bounces@cool.haxx.se  Thu Oct 27 14:24:55 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u9RCOieD019117;
	Thu, 27 Oct 2016 14:24:53 +0200
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u9RCOfeD019076
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Thu, 27 Oct 2016 14:24:42 +0200
Received: from int-mx10.intmail.prod.int.phx2.redhat.com
 (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id F18189D768;
 Thu, 27 Oct 2016 11:37:26 +0000 (UTC)
Received: from kdudka-nb.localnet (unused-4-224.brq.redhat.com [10.34.4.224])
 by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with
 ESMTP id u9RBbMSB028687
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
 Thu, 27 Oct 2016 07:37:26 -0400
From: Kamil Dudka <kdudka@redhat.com>
To: Peter Stuge <peter@stuge.se>
Subject: Re: configure.ac crypto library checks [was: 1.8.0]
Date: Thu, 27 Oct 2016 13:37:27 +0200
Message-ID: <3671755.pNK1SGuZMD@kdudka-nb>
User-Agent: KMail/4.14.10 (Linux/4.7.10-gentoo; KDE/4.14.24; x86_64; ; )
In-Reply-To: <20161027111530.GD20941@foo.stuge.se>
References: <alpine.DEB.2.20.1610250851150.10100@tvnag.unkk.fr>
 <21734096.y6rRnAzx9O@kdudka-nb> <20161027111530.GD20941@foo.stuge.se>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.28]); Thu, 27 Oct 2016 11:37:27 +0000 (UTC)
X-BeenThere: libssh2-devel@cool.haxx.se
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: libssh2 development <libssh2-devel.cool.haxx.se>
List-Unsubscribe: <https://cool.haxx.se/cgi-bin/mailman/options/libssh2-devel>, 
 <mailto:libssh2-devel-request@cool.haxx.se?subject=unsubscribe>
List-Archive: <http://cool.haxx.se/pipermail/libssh2-devel/>
List-Post: <mailto:libssh2-devel@cool.haxx.se>
List-Help: <mailto:libssh2-devel-request@cool.haxx.se?subject=help>
List-Subscribe: <https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel>, 
 <mailto:libssh2-devel-request@cool.haxx.se?subject=subscribe>
Reply-To: libssh2 development <libssh2-devel@cool.haxx.se>
Cc: libssh2-devel@cool.haxx.se
Content-Type: text/plain; charset="utf-8"
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by giant.haxx.se id u9RCOieD019117

On Thursday, October 27, 2016 11:15:30 Peter Stuge wrote:
> Kamil Dudka wrote:
> > On Thursday, October 27, 2016 01:05:08 Peter Stuge wrote:
> > > Also, I would like to argue that given --with-x but no x found should
> > > be considered a fatal error by configure. Any objections to that?
> > 
> > Sounds like a good idea.  By fatal error, you mean to return non-zero exit
> > status from configure script, or exit immediately and skip all the
> > remaining checks?
> > 
> > I would prefer the former.
> 
> Right, certainly exit non-zero.
> 
> I was thinking exiting then and there (with a useful error message)
> when the requested x is not available.
> 
> Why do you prefer running more checks when a failure can't be avoided
> anyway?

I often debug build issues remotely on distro builders, Travis CI, etc.
It is better for me to know as many problems as possible from a single
build attempt than discovering the problems one by one and having to
wait for the results in each iteration.

Kamil

> Thanks
> 
> //Peter

From libssh2-devel-bounces@cool.haxx.se  Thu Oct 27 14:31:32 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u9RCVRu2000721;
	Thu, 27 Oct 2016 14:31:31 +0200
Received: from mail-lf0-x233.google.com (mail-lf0-x233.google.com
 [IPv6:2a00:1450:4010:c07:0:0:0:233])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u9RCVQtc000707
 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Thu, 27 Oct 2016 14:31:26 +0200
Received: by mail-lf0-x233.google.com with SMTP id b75so29402505lfg.3
 for <libssh2-devel@cool.haxx.se>; Thu, 27 Oct 2016 05:31:27 -0700 (PDT)
X-Received: by 10.25.135.130 with SMTP id j124mr5513836lfd.44.1477571481393;
 Thu, 27 Oct 2016 05:31:21 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.114.196.197 with HTTP; Thu, 27 Oct 2016 05:31:20 -0700 (PDT)
In-Reply-To: <3671755.pNK1SGuZMD@kdudka-nb>
References: <alpine.DEB.2.20.1610250851150.10100@tvnag.unkk.fr>
 <21734096.y6rRnAzx9O@kdudka-nb> <20161027111530.GD20941@foo.stuge.se>
 <3671755.pNK1SGuZMD@kdudka-nb>
From: Tor Arntsen <kspt.tor@gmail.com>
Date: Thu, 27 Oct 2016 14:31:20 +0200
Message-ID: <CAL1Jhhy5a5=GyH-VHx=CSyDa6cn+HgYbh1ja49m8wiXof6aVWA@mail.gmail.com>
Subject: Re: configure.ac crypto library checks [was: 1.8.0]
To: libssh2 development <libssh2-devel@cool.haxx.se>
X-BeenThere: libssh2-devel@cool.haxx.se
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: libssh2 development <libssh2-devel.cool.haxx.se>
List-Unsubscribe: <https://cool.haxx.se/cgi-bin/mailman/options/libssh2-devel>, 
 <mailto:libssh2-devel-request@cool.haxx.se?subject=unsubscribe>
List-Archive: <http://cool.haxx.se/pipermail/libssh2-devel/>
List-Post: <mailto:libssh2-devel@cool.haxx.se>
List-Help: <mailto:libssh2-devel-request@cool.haxx.se?subject=help>
List-Subscribe: <https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel>, 
 <mailto:libssh2-devel-request@cool.haxx.se?subject=subscribe>
Reply-To: libssh2 development <libssh2-devel@cool.haxx.se>
Cc: Peter Stuge <peter@stuge.se>
Content-Type: text/plain; charset="utf-8"
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by giant.haxx.se id u9RCVRu2000721

On 27 October 2016 at 13:37, Kamil Dudka <kdudka@redhat.com> wrote:
> On Thursday, October 27, 2016 11:15:30 Peter Stuge wrote:

>> Why do you prefer running more checks when a failure can't be avoided
>> anyway?
>
> I often debug build issues remotely on distro builders, Travis CI, etc.
> It is better for me to know as many problems as possible from a single
> build attempt than discovering the problems one by one and having to
> wait for the results in each iteration.

Ah, batch process vs. interactive.. well, that makes sense. Your
earlier suggestion about somehow getting a summary of failures at the
end would give the best of both worlds. I'm not sure if I've seen that
in practice though - is it something that is reasonably easy to set up
with autoconf? I still haven't acquired much understanding of
autoconf, after all these years of fiddling with it.

From libssh2-devel-bounces@cool.haxx.se  Thu Oct 27 17:07:48 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u9RF7NZB011853;
	Thu, 27 Oct 2016 17:07:43 +0200
Received: from foo.stuge.se (foo.stuge.se [212.116.89.98])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u9RF7MDX011679
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Thu, 27 Oct 2016 17:07:22 +0200
Received: (qmail 11414 invoked by uid 1000); 27 Oct 2016 15:53:39 -0000
Date: Thu, 27 Oct 2016 15:53:39 +0000
From: Peter Stuge <peter@stuge.se>
To: libssh2-devel@cool.haxx.se
Subject: Re: configure.ac crypto library checks [was: 1.8.0]
Message-ID: <20161027155339.GF20941@foo.stuge.se>
References: <alpine.DEB.2.20.1610250851150.10100@tvnag.unkk.fr>
 <21734096.y6rRnAzx9O@kdudka-nb>
 <20161027111530.GD20941@foo.stuge.se>
 <3671755.pNK1SGuZMD@kdudka-nb>
 <CAL1Jhhy5a5=GyH-VHx=CSyDa6cn+HgYbh1ja49m8wiXof6aVWA@mail.gmail.com>
MIME-Version: 1.0
Content-Disposition: inline
In-Reply-To: <CAL1Jhhy5a5=GyH-VHx=CSyDa6cn+HgYbh1ja49m8wiXof6aVWA@mail.gmail.com>
X-BeenThere: libssh2-devel@cool.haxx.se
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: libssh2 development <libssh2-devel.cool.haxx.se>
List-Unsubscribe: <https://cool.haxx.se/cgi-bin/mailman/options/libssh2-devel>, 
 <mailto:libssh2-devel-request@cool.haxx.se?subject=unsubscribe>
List-Archive: <http://cool.haxx.se/pipermail/libssh2-devel/>
List-Post: <mailto:libssh2-devel@cool.haxx.se>
List-Help: <mailto:libssh2-devel-request@cool.haxx.se?subject=help>
List-Subscribe: <https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel>, 
 <mailto:libssh2-devel-request@cool.haxx.se?subject=subscribe>
Reply-To: libssh2 development <libssh2-devel@cool.haxx.se>
Content-Type: text/plain; charset="utf-8"
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by giant.haxx.se id u9RF7NZB011853

Thanks Kamil for pointing out your use case.

Tor Arntsen wrote:
> Ah, batch process vs. interactive.. well, that makes sense. Your
> earlier suggestion about somehow getting a summary of failures at the
> end would give the best of both worlds. I'm not sure if I've seen that
> in practice though - is it something that is reasonably easy to set up
> with autoconf?

Yes, I'll make it do something like that. There aren't many things
which can go wrong in libssh2, really only crypto and zlib.

After my patch-to-come --with-libz with no zlib found will also cause
configure to fail.

I will only make this change for crypto and zlib errors - everything
else (like is sed and libtool found) I will leave as-is, meaning that
those will work however they work in the autoconf macros.


//Peter
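
Added example (not part of the thread and not libssh2's configure.ac): a POSIX shell model of the behaviour discussed above, where an explicitly requested crypto backend or zlib that is missing is never silently replaced, every such failure is collected, and the run ends with one summary and a non-zero status. `have_lib`, `AVAILABLE_LIBS`, the auto-detection order and all function names are assumptions made for illustration; `--with-crypto=x` is the spelling proposed earlier in the thread.

```shell
#!/bin/sh
# Constructed sample data: the libraries this pretend build host has installed.
AVAILABLE_LIBS="libgcrypt zlib"

# Hypothetical stand-in for a real link test against the named library.
have_lib() {
    case " $AVAILABLE_LIBS " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# Collect an error instead of exiting, so one run reports every problem.
record_error() {
    CONFIG_ERRORS="${CONFIG_ERRORS}  - $1
"
    CONFIG_ERROR_COUNT=$((CONFIG_ERROR_COUNT + 1))
}

# select_crypto REQUEST, where REQUEST is "auto" or exactly one backend name.
# A single value makes the backends mutually exclusive by construction.
select_crypto() {
    CRYPTO_BACKEND=none
    case "$1" in
        auto)
            # Assumed probing order, for illustration only.
            for lib in openssl libgcrypt mbedtls wincng axtls; do
                if have_lib "$lib"; then
                    CRYPTO_BACKEND=$lib
                    break
                fi
            done
            [ "$CRYPTO_BACKEND" != none ] || record_error "no crypto library found"
            ;;
        openssl|libgcrypt|wincng|mbedtls|axtls)
            if have_lib "$1"; then
                CRYPTO_BACKEND=$1
            else
                # Explicit request: do not fall back to a different backend.
                record_error "--with-crypto=$1 requested but $1 was not found"
            fi
            ;;
        *)
            record_error "unknown crypto backend '$1'"
            ;;
    esac
}

# check_zlib REQUEST, where REQUEST is yes, no or auto.
check_zlib() {
    HAVE_ZLIB=no
    case "$1" in
        no) ;;
        yes)
            if have_lib zlib; then
                HAVE_ZLIB=yes
            else
                record_error "--with-libz requested but zlib was not found"
            fi
            ;;
        *)
            if have_lib zlib; then HAVE_ZLIB=yes; fi
            ;;
    esac
}

# run_checks CRYPTO_REQUEST ZLIB_REQUEST
# Runs every check, then prints one summary and returns non-zero on any error.
run_checks() {
    CONFIG_ERRORS=""
    CONFIG_ERROR_COUNT=0
    select_crypto "$1"
    check_zlib "$2"
    if [ "$CONFIG_ERROR_COUNT" -gt 0 ]; then
        printf 'configure: %d error(s):\n%s' "$CONFIG_ERROR_COUNT" "$CONFIG_ERRORS" >&2
        return 1
    fi
    return 0
}

# Demo: request openssl on a host that only has libgcrypt and zlib.
run_checks "${1:-openssl}" "${2:-yes}" || echo "configure would exit non-zero here"
```

In a real configure.ac the final branch would be an AC_MSG_ERROR call, which prints the message and exits non-zero.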

From libssh2-devel-bounces@cool.haxx.se  Thu Oct 27 22:35:13 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u9RKYmiM032564;
	Thu, 27 Oct 2016 22:35:09 +0200
Received: from foo.stuge.se (foo.stuge.se [212.116.89.98])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u9RKYk1x032468
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Thu, 27 Oct 2016 22:34:46 +0200
Received: (qmail 16355 invoked from network); 27 Oct 2016 21:21:02 -0000
Received: from localhost (HELO stuge.se) (127.0.0.1)
 by localhost with SMTP; 27 Oct 2016 21:21:02 -0000
From: Peter Stuge <peter@stuge.se>
To: libssh2-devel@cool.haxx.se
Subject: A handful simple fixes
Date: Thu, 27 Oct 2016 22:34:30 +0200
Message-Id: <1477600475-18709-1-git-send-email-peter@stuge.se>
X-BeenThere: libssh2-devel@cool.haxx.se
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: libssh2 development <libssh2-devel.cool.haxx.se>
List-Unsubscribe: <https://cool.haxx.se/cgi-bin/mailman/options/libssh2-devel>, 
 <mailto:libssh2-devel-request@cool.haxx.se?subject=unsubscribe>
List-Archive: <http://cool.haxx.se/pipermail/libssh2-devel/>
List-Post: <mailto:libssh2-devel@cool.haxx.se>
List-Help: <mailto:libssh2-devel-request@cool.haxx.se?subject=help>
List-Subscribe: <https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel>, 
 <mailto:libssh2-devel-request@cool.haxx.se?subject=subscribe>
Reply-To: libssh2 development <libssh2-devel@cool.haxx.se>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by giant.haxx.se id u9RKYmiM032564

Here's a set with a few unrelated fixes.

The NDEBUG one is the only one with impact; without it library binaries
contain the full build path. I don't know if the patch is enough to make
libssh2 build completely reproducibly, but it's a step in the right
direction at least.

[PATCH] docs/HACKING.CRYPTO: Fix two type typos
[PATCH] src/kex.c: Cast libssh2_sha{1,256}_update data arguments
[PATCH] src/crypto.h src/userauth.c: Fix conditional RSA support
[PATCH] src/global.c: Fix conditional AES-CTR support
[PATCH] configure.ac: Add -DNDEBUG to CPPFLAGS in non-debug builds

Also available in the http://git.stuge.se/libssh2.git branch simple180


Thanks

//Peter

From libssh2-devel-bounces@cool.haxx.se  Thu Oct 27 22:35:14 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u9RKZD7n000682;
	Thu, 27 Oct 2016 22:35:14 +0200
Received: from foo.stuge.se (foo.stuge.se [212.116.89.98])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u9RKYmn8032480
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Thu, 27 Oct 2016 22:34:48 +0200
Received: (qmail 16358 invoked from network); 27 Oct 2016 21:21:04 -0000
Received: from localhost (HELO stuge.se) (127.0.0.1)
 by localhost with SMTP; 27 Oct 2016 21:21:04 -0000
From: Peter Stuge <peter@stuge.se>
To: libssh2-devel@cool.haxx.se
Subject: [PATCH] docs/HACKING.CRYPTO: Fix two type typos
Date: Thu, 27 Oct 2016 22:34:31 +0200
Message-Id: <1477600475-18709-2-git-send-email-peter@stuge.se>
X-BeenThere: libssh2-devel@cool.haxx.se
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: libssh2 development <libssh2-devel.cool.haxx.se>
List-Unsubscribe: <https://cool.haxx.se/cgi-bin/mailman/options/libssh2-devel>, 
 <mailto:libssh2-devel-request@cool.haxx.se?subject=unsubscribe>
List-Archive: <http://cool.haxx.se/pipermail/libssh2-devel/>
List-Post: <mailto:libssh2-devel@cool.haxx.se>
List-Help: <mailto:libssh2-devel-request@cool.haxx.se?subject=help>
List-Subscribe: <https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel>, 
 <mailto:libssh2-devel-request@cool.haxx.se?subject=subscribe>
Reply-To: libssh2 development <libssh2-devel@cool.haxx.se>
MIME-Version: 1.0
Content-Type: text/plain; charset="utf-8"
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by giant.haxx.se id u9RKZD7n000682

---
 docs/HACKING.CRYPTO | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/docs/HACKING.CRYPTO b/docs/HACKING.CRYPTO
index a8a6a06..6fdcf71 100644
--- a/docs/HACKING.CRYPTO
+++ b/docs/HACKING.CRYPTO
@@ -316,7 +316,7 @@ _libssh2_bn_ctx
 Type of multiple precision computation context. May not be empty. if not used,
 #define as char, for example.
 
-libssh2_bn_ctx _libssh2_bn_ctx_new(void);
+_libssh2_bn_ctx _libssh2_bn_ctx_new(void);
 Returns a new multiple precision computation context.
 
 void _libssh2_bn_ctx_free(_libssh2_bn_ctx ctx);
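Review bot: the context line two above the change, "May not be empty. if not used, #define as char", starts its second sentence in lowercase; since this patch is a typo sweep of exactly this paragraph, capitalise it to "If not used" in the same commit. The type fix itself is consistent with the `_libssh2_bn_ctx` name in the hunk header and in the `_libssh2_bn_ctx_free` prototype that follows.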
@@ -339,7 +339,7 @@ allocates the number. Returns a value of type _libssh2_bn *.
 void _libssh2_bn_free(_libssh2_bn *bn);
 Destroys the multiple precision number at bn.
 
-unsigned long _libssh2_bn_bytes(libssh2_bn *bn);
+unsigned long _libssh2_bn_bytes(_libssh2_bn *bn);
 Get the number of bytes needed to store the bits of the multiple precision
 number at bn.
 
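Review bot: both fixes in this patch are the same dropped leading underscore, and this one in the `_libssh2_bn_bytes` prototype sat directly below a correctly spelled `_libssh2_bn_free(_libssh2_bn *bn)`, so the rest of docs/HACKING.CRYPTO deserves a search for other unprefixed `libssh2_bn` names before this lands. The patch also has no message body; one line saying that the prototypes now use the `_libssh2_bn` and `_libssh2_bn_ctx` types the document defines would help whoever reads the log later.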
-- 


From libssh2-devel-bounces@cool.haxx.se  Thu Oct 27 22:35:14 2016
From: Peter Stuge <peter@stuge.se>
To: libssh2-devel@cool.haxx.se
Subject: [PATCH] src/kex.c: Cast libssh2_sha{1,
 256}_update data arguments properly
Date: Thu, 27 Oct 2016 22:34:32 +0200
Message-Id: <1477600475-18709-3-git-send-email-peter@stuge.se>

The update functions take a const unsigned char * but were called
with (const) char * in some places, causing unnecessary warnings.
---
 src/kex.c | 44 ++++++++++++++++++++++++++++----------------
 1 file changed, 28 insertions(+), 16 deletions(-)

diff --git a/src/kex.c b/src/kex.c
index 65b722f..95e4d91 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -357,7 +357,7 @@ static int diffie_hellman_sha1(LIBSSH2_SESSION *session,
             libssh2_sha1_update(exchange_hash_ctx,
                                 exchange_state->h_sig_comp, 4);
             libssh2_sha1_update(exchange_hash_ctx,
-                                (char *) session->local.banner,
+                                session->local.banner,
                                 strlen((char *) session->local.banner) - 2);
         } else {
             _libssh2_htonu32(exchange_state->h_sig_comp,
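Review bot: Dropping the (char *) cast on session->local.banner only
silences the warning if that field is already declared unsigned char *,
which the remaining strlen((char *) session->local.banner) cast suggests
but this hunk does not show; please confirm against the struct
definition. Separately, the unchanged length expression strlen(...) - 2
wraps around if the banner is ever shorter than two bytes, so a length
check before hashing would be a reasonable follow-up.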
@@ -365,7 +365,7 @@ static int diffie_hellman_sha1(LIBSSH2_SESSION *session,
             libssh2_sha1_update(exchange_hash_ctx,
                                 exchange_state->h_sig_comp, 4);
             libssh2_sha1_update(exchange_hash_ctx,
-                                LIBSSH2_SSH_DEFAULT_BANNER,
+                                (const unsigned char *)LIBSSH2_SSH_DEFAULT_BANNER,
                                 sizeof(LIBSSH2_SSH_DEFAULT_BANNER) - 1);
         }
 
@@ -517,14 +517,16 @@ static int diffie_hellman_sha1(LIBSSH2_SESSION *session,
 
             LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA1_HASH(iv,
                                                         session->local.crypt->
-                                                        iv_len, "A");
+                                                        iv_len,
+                                                        (const unsigned char *)"A");
             if (!iv) {
                 ret = -1;
                 goto clean_exit;
             }
             LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA1_HASH(secret,
                                                         session->local.crypt->
-                                                        secret_len, "C");
+                                                        secret_len,
+                                                        (const unsigned char *)"C");
             if (!secret) {
                 LIBSSH2_FREE(session, iv);
                 ret = LIBSSH2_ERROR_KEX_FAILURE;
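Review bot: The (const unsigned char *) cast on the "A" and "C" literals
is repeated at all twelve LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA1_HASH and
..._SHA256_HASH call sites in this patch; applying the cast once inside
the macro definitions (not shown in this diff) would leave the call sites
untouched and keep the diff to two lines. In the unchanged context, the
iv failure path sets ret = -1 while the secret path uses
LIBSSH2_ERROR_KEX_FAILURE, which looks like an inconsistency worth a
separate fix.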
@@ -564,14 +566,16 @@ static int diffie_hellman_sha1(LIBSSH2_SESSION *session,
 
             LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA1_HASH(iv,
                                                         session->remote.crypt->
-                                                        iv_len, "B");
+                                                        iv_len,
+                                                        (const unsigned char *)"B");
             if (!iv) {
                 ret = LIBSSH2_ERROR_KEX_FAILURE;
                 goto clean_exit;
             }
             LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA1_HASH(secret,
                                                         session->remote.crypt->
-                                                        secret_len, "D");
+                                                        secret_len,
+                                                        (const unsigned char *)"D");
             if (!secret) {
                 LIBSSH2_FREE(session, iv);
                 ret = LIBSSH2_ERROR_KEX_FAILURE;
@@ -609,7 +613,8 @@ static int diffie_hellman_sha1(LIBSSH2_SESSION *session,
 
             LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA1_HASH(key,
                                                         session->local.mac->
-                                                        key_len, "E");
+                                                        key_len,
+                                                        (const unsigned char *)"E");
             if (!key) {
                 ret = LIBSSH2_ERROR_KEX_FAILURE;
                 goto clean_exit;
@@ -635,7 +640,8 @@ static int diffie_hellman_sha1(LIBSSH2_SESSION *session,
 
             LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA1_HASH(key,
                                                         session->remote.mac->
-                                                        key_len, "F");
+                                                        key_len,
+                                                        (const unsigned char *)"F");
             if (!key) {
                 ret = LIBSSH2_ERROR_KEX_FAILURE;
                 goto clean_exit;
@@ -977,7 +983,7 @@ static int diffie_hellman_sha256(LIBSSH2_SESSION *session,
             libssh2_sha256_update(exchange_hash_ctx,
                                   exchange_state->h_sig_comp, 4);
             libssh2_sha256_update(exchange_hash_ctx,
-                                  (char *) session->local.banner,
+                                  session->local.banner,
                                   strlen((char *) session->local.banner) - 2);
         } else {
             _libssh2_htonu32(exchange_state->h_sig_comp,
@@ -985,7 +991,7 @@ static int diffie_hellman_sha256(LIBSSH2_SESSION *session,
             libssh2_sha256_update(exchange_hash_ctx,
                                   exchange_state->h_sig_comp, 4);
             libssh2_sha256_update(exchange_hash_ctx,
-                                  LIBSSH2_SSH_DEFAULT_BANNER,
+                                  (const unsigned char *)LIBSSH2_SSH_DEFAULT_BANNER,
                                   sizeof(LIBSSH2_SSH_DEFAULT_BANNER) - 1);
         }
 
@@ -1139,14 +1145,16 @@ static int diffie_hellman_sha256(LIBSSH2_SESSION *session,
 
             LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA256_HASH(iv,
                                                           session->local.crypt->
-                                                          iv_len, "A");
+                                                          iv_len,
+                                                          (const unsigned char *)"A");
             if (!iv) {
                 ret = -1;
                 goto clean_exit;
             }
             LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA256_HASH(secret,
                                                           session->local.crypt->
-                                                          secret_len, "C");
+                                                          secret_len,
+                                                          (const unsigned char *)"C");
             if (!secret) {
                 LIBSSH2_FREE(session, iv);
                 ret = LIBSSH2_ERROR_KEX_FAILURE;
@@ -1186,14 +1194,16 @@ static int diffie_hellman_sha256(LIBSSH2_SESSION *session,
 
             LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA256_HASH(iv,
                                                           session->remote.crypt->
-                                                          iv_len, "B");
+                                                          iv_len,
+                                                          (const unsigned char *)"B");
             if (!iv) {
                 ret = LIBSSH2_ERROR_KEX_FAILURE;
                 goto clean_exit;
             }
             LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA256_HASH(secret,
                                                           session->remote.crypt->
-                                                          secret_len, "D");
+                                                          secret_len,
+                                                          (const unsigned char *)"D");
             if (!secret) {
                 LIBSSH2_FREE(session, iv);
                 ret = LIBSSH2_ERROR_KEX_FAILURE;
@@ -1231,7 +1241,8 @@ static int diffie_hellman_sha256(LIBSSH2_SESSION *session,
 
             LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA256_HASH(key,
                                                           session->local.mac->
-                                                          key_len, "E");
+                                                          key_len,
+                                                          (const unsigned char *)"E");
             if (!key) {
                 ret = LIBSSH2_ERROR_KEX_FAILURE;
                 goto clean_exit;
@@ -1257,7 +1268,8 @@ static int diffie_hellman_sha256(LIBSSH2_SESSION *session,
 
             LIBSSH2_KEX_METHOD_DIFFIE_HELLMAN_SHA256_HASH(key,
                                                           session->remote.mac->
-                                                          key_len, "F");
+                                                          key_len,
+                                                          (const unsigned char *)"F");
             if (!key) {
                 ret = LIBSSH2_ERROR_KEX_FAILURE;
                 goto clean_exit;
-- 


From libssh2-devel-bounces@cool.haxx.se  Thu Oct 27 22:36:29 2016
From: Peter Stuge <peter@stuge.se>
To: libssh2-devel@cool.haxx.se
Subject: [PATCH] src/crypto.h src/userauth.c: Fix conditional RSA support
Date: Thu, 27 Oct 2016 22:34:33 +0200
Message-Id: <1477600475-18709-4-git-send-email-peter@stuge.se>

Most of libssh2 already has conditional support for RSA according to
the LIBSSH2_RSA crypto backend #define, but crypto.h and userauth.c
needed a few small fixes.
---
 src/crypto.h   |  2 ++
 src/userauth.c | 15 +++++++++++++++
 2 files changed, 17 insertions(+)

diff --git a/src/crypto.h b/src/crypto.h
index aa997a3..b15a122 100644
--- a/src/crypto.h
+++ b/src/crypto.h
@@ -58,6 +58,7 @@
 #include "mbedtls.h"
 #endif
 
+#if LIBSSH2_RSA
 int _libssh2_rsa_new(libssh2_rsa_ctx ** rsa,
                      const unsigned char *edata,
                      unsigned long elen,
@@ -92,6 +93,7 @@ int _libssh2_rsa_new_private_frommemory(libssh2_rsa_ctx ** rsa,
                                         LIBSSH2_SESSION * session,
                                         const char *filedata, size_t filedata_len,
                                         unsigned const char *passphrase);
+#endif
 
 #if LIBSSH2_DSA
 int _libssh2_dsa_new(libssh2_dsa_ctx ** dsa,
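Review bot: The new #endif closes a guard opened about 35 lines earlier
and carries no trailing comment; adding /* LIBSSH2_RSA */ would make the
pairing obvious next to the #if LIBSSH2_DSA block that follows. Because
the guard is #if rather than #ifdef, it also relies on every crypto
backend header defining LIBSSH2_RSA to 0 or 1; a backend that leaves it
undefined loses these prototypes silently (or with a warning under
-Wundef).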
diff --git a/src/userauth.c b/src/userauth.c
index cdfa25e..226eb8b 100644
--- a/src/userauth.c
+++ b/src/userauth.c
@@ -786,6 +786,11 @@ userauth_hostbased_fromfile(LIBSSH2_SESSION *session,
 {
     int rc;
 
+#if !LIBSSH2_RSA
+    return _libssh2_error(session, LIBSSH2_ERROR_METHOD_NOT_SUPPORTED,
+                          "RSA is not supported by crypto backend");
+#endif
+
     if (session->userauth_host_state == libssh2_NB_state_idle) {
         const LIBSSH2_HOSTKEY_METHOD *privkeyobj;
         unsigned char *pubkeydata, *sig = NULL;
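Review bot: With !LIBSSH2_RSA the early return is followed by the whole
original function body, which stays compiled but unreachable; that
invites unreachable-code warnings and means the body must still compile
and link against a backend that lacks RSA. Wrapping the remainder in
#else ... #endif would avoid both and make the intent explicit.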
@@ -1378,6 +1383,11 @@ userauth_publickey_frommemory(LIBSSH2_SESSION *session,
     void *abstract = &privkey_file;
     int rc;
 
+#if !LIBSSH2_RSA
+    return _libssh2_error(session, LIBSSH2_ERROR_METHOD_NOT_SUPPORTED,
+                          "RSA is not supported by crypto backend");
+#endif
+
     privkey_file.filename = privatekeydata;
     privkey_file.passphrase = passphrase;
 
@@ -1435,6 +1445,11 @@ userauth_publickey_fromfile(LIBSSH2_SESSION *session,
     void *abstract = &privkey_file;
     int rc;
 
+#if !LIBSSH2_RSA
+    return _libssh2_error(session, LIBSSH2_ERROR_METHOD_NOT_SUPPORTED,
+                          "RSA is not supported by crypto backend");
+#endif
+
     privkey_file.filename = privatekey;
     privkey_file.passphrase = passphrase;
 
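Review bot: userauth_publickey_fromfile is not RSA-specific by name, yet
with !LIBSSH2_RSA it now fails unconditionally with "RSA is not supported
by crypto backend"; since crypto.h has a separate LIBSSH2_DSA guard, a
backend offering DSA without RSA would lose public key authentication for
DSA keys as well. Consider rejecting only when no key type is available,
or checking the key type before returning the error. The same applies to
userauth_publickey_frommemory in the previous hunk.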
-- 


From libssh2-devel-bounces@cool.haxx.se  Thu Oct 27 22:36:30 2016
From: Peter Stuge <peter@stuge.se>
To: libssh2-devel@cool.haxx.se
Subject: [PATCH] src/global.c: Fix conditional AES-CTR support
Date: Thu, 27 Oct 2016 22:34:34 +0200
Message-Id: <1477600475-18709-5-git-send-email-peter@stuge.se>

Most of libssh2 already has conditional support for AES-CTR according to
the LIBSSH2_AES_CTR crypto backend #define, but global.c needed fixing.
---
 src/global.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/src/global.c b/src/global.c
index dc45e70..353ffce 100644
--- a/src/global.c
+++ b/src/global.c
@@ -46,7 +46,9 @@ libssh2_init(int flags)
 {
     if (_libssh2_initialized == 0 && !(flags & LIBSSH2_INIT_NO_CRYPTO)) {
         libssh2_crypto_init();
+#if LIBSSH2_AES_CTR
         _libssh2_init_aes_ctr();
+#endif
     }
 
     _libssh2_initialized++;
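Review bot: The guard covers only the call site in libssh2_init; please
confirm that the declaration and definition of _libssh2_init_aes_ctr sit
under the same #if LIBSSH2_AES_CTR, otherwise a backend without AES-CTR
still has to provide the symbol. As with the other feature macros, #if
(not #ifdef) means a backend that never defines LIBSSH2_AES_CTR skips the
initialisation without any diagnostic, so each backend header should
define it to 0 or 1 explicitly.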
-- 


From libssh2-devel-bounces@cool.haxx.se  Thu Oct 27 22:36:31 2016
From: Peter Stuge <peter@stuge.se>
To: libssh2-devel@cool.haxx.se
Subject: [PATCH] configure.ac: Add -DNDEBUG to CPPFLAGS in non-debug builds
Date: Thu, 27 Oct 2016 22:34:35 +0200
Message-Id: <1477600475-18709-6-git-send-email-peter@stuge.se>

There are a few uses of assert() in channel.c, sftp.c and transport.c.
---
 configure.ac | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configure.ac b/configure.ac
index c26a52b..fe290ec 100644
--- a/configure.ac
+++ b/configure.ac
@@ -213,6 +213,7 @@ AC_HELP_STRING([--disable-debug],[Disable debug options]),
 [ case "$enable_debug" in
   no)
        AC_MSG_RESULT(no)
+       CPPFLAGS="$CPPFLAGS -DNDEBUG"
        ;;
   *)   AC_MSG_RESULT(yes)
     enable_debug=yes
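Review bot: Defining NDEBUG compiles out every assert() in channel.c,
sftp.c and transport.c, so any assertion there that checks a length,
index or state influenced by the peer stops being a hard abort and
becomes unchecked behaviour in non-debug builds. Please audit those
asserts first and turn the ones guarding runtime conditions into explicit
error returns. Note also that the flag is added only in the explicit no)
branch shown here; whether a plain configure run without --enable-debug
or --disable-debug gets it depends on code outside this hunk.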
-- 


From libssh2-devel-bounces@cool.haxx.se  Fri Oct 28 03:36:37 2016
From: Peter Stuge <peter@stuge.se>
To: libssh2-devel@cool.haxx.se
Subject: [PATCH] configure.ac src/Makefile.am: Remove dead
 AM_CONDITIONAL(OS400QC3)
Date: Fri, 28 Oct 2016 03:36:01 +0200
Message-Id: <1477618561-32693-1-git-send-email-peter@stuge.se>

According to os400/README400 this backend can not be built
with configure+make, and the conditional is hard coded to false.
---
 configure.ac    | 1 -
 src/Makefile.am | 3 ---
 2 files changed, 4 deletions(-)

diff --git a/configure.ac b/configure.ac
index fe290ec..f7fe247 100644
--- a/configure.ac
+++ b/configure.ac
@@ -132,7 +132,6 @@ AM_CONDITIONAL(OPENSSL, test "$ac_cv_libssl" = "yes")
 AM_CONDITIONAL(WINCNG, test "$ac_cv_libbcrypt" = "yes")
 AM_CONDITIONAL(LIBGCRYPT, test "$ac_cv_libgcrypt" = "yes")
 AM_CONDITIONAL(MBEDTLS, test "$ac_cv_libmbedtls" = "yes")
-AM_CONDITIONAL(OS400QC3, false)
 
 # Check if crypto library was found
 if test "$found_crypto" = "none"; then
diff --git a/src/Makefile.am b/src/Makefile.am
index c14dc7c..1fa0751 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -11,9 +11,6 @@ endif
 if WINCNG
 include ../Makefile.WinCNG.inc
 endif
-if OS400QC3
-include ../Makefile.os400qc3.inc
-endif
 if MBEDTLS
 include ../Makefile.mbedTLS.inc
 endif
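Review bot: Removing the include leaves ../Makefile.os400qc3.inc
unreferenced from src/Makefile.am; if nothing else uses that file it
should be deleted in the same commit, and if the OS400 build procedure
does use it, the commit message should say so and the file must still be
shipped in release tarballs.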
-- 


From libssh2-devel-bounces@cool.haxx.se  Fri Oct 28 04:10:09 2016
From: Peter Stuge <peter@stuge.se>
To: libssh2-devel@cool.haxx.se
Subject: Reworking crypto backend selection
Date: Fri, 28 Oct 2016 04:09:16 +0200
Message-Id: <1477620557-1859-1-git-send-email-peter@stuge.se>
In-Reply-To: <20161027155339.GF20941@foo.stuge.se>
References: <20161027155339.GF20941@foo.stuge.se>

A large-ish change, but it implements everything discussed:

If libz or a crypto backend is explicitly requested on the command line
but not found then configure exits at the end.


It can look like so, when no crypto library is requested (or =auto) and
none can be found:

$ configure --without-libz
...
checking for libssl... no
checking for libgcrypt... no
checking for libmbedtls... no
checking for libbcrypt... no
checking for libcrypt32... no
checking for ntdef.h... no
checking for ntstatus.h... no
checking whether SecureZeroMemory is declared... no
configure: ERROR: No openssl crypto library found!
No libgcrypt crypto library found!
No mbedtls crypto library found!
No wincng crypto library found!
Please specify --with-crypto and/or the neccessary library search prefix.

Run configure --help to see all crypto library options.
... other checks ...
checking non-blocking sockets style... O_NONBLOCK
configure: ERROR: No openssl crypto library found!
No libgcrypt crypto library found!
No mbedtls crypto library found!
No wincng crypto library found!
Please specify --with-crypto and/or the neccessary library search prefix.

Run configure --help to see all crypto library options.
configure: error: Required dependencies are missing!
$ 


When a specific backend is requested but no library found:

$ configure --without-libz --with-crypto=openssl
...
checking for libssl... no
configure: ERROR: No openssl crypto library found!
Please specify --with-crypto and/or the neccessary library search prefix.

Run configure --help to see all crypto library options.
... other checks ...
checking non-blocking sockets style... O_NONBLOCK
configure: ERROR: No openssl crypto library found!
Please specify --with-crypto and/or the neccessary library search prefix.

Run configure --help to see all crypto library options.
configure: error: Required dependencies are missing!
$ 


If libz is requested but not found, and a crypto library *is* found:

$ configure --with-libz --with-crypto=libgcrypt
...
checking for libz... no
configure: ERROR: No libz found!
Try --with-libz-prefix=PATH if you know that you have it.
checking for libgcrypt... yes
checking how to link with libgcrypt... -lgcrypt
... other checks ...
checking non-blocking sockets style... O_NONBLOCK
configure: ERROR: No libz found!
Try --with-libz-prefix=PATH if you know that you have it.
configure: error: Required dependencies are missing!
$ 


Or when libz is requested but not found, and mbedtls is also not found:

$ configure --with-libz --with-crypto=mbedtls
...
checking for libz... no
configure: ERROR: No libz found!
Try --with-libz-prefix=PATH if you know that you have it.
checking for libmbedtls... no
configure: ERROR: No mbedtls crypto library found!
Please specify --with-crypto and/or the neccessary library search prefix.

Run configure --help to see all crypto library options.
... other checks ...
checking non-blocking sockets style... O_NONBLOCK
configure: ERROR: No libz found!
Try --with-libz-prefix=PATH if you know that you have it.
configure: ERROR: No mbedtls crypto library found!
Please specify --with-crypto and/or the neccessary library search prefix.

Run configure --help to see all crypto library options.
configure: error: Required dependencies are missing!
$ 


Finally, here is a successful configure with optional libz:

$ configure --with-crypto=libgcrypt
...
checking for libz... no
configure: Cannot find libz, disabling compression
checking for libgcrypt... yes
checking how to link with libgcrypt... -lgcrypt
...
checking non-blocking sockets style... O_NONBLOCK
configure: creating ./config.status
config.status: creating Makefile
config.status: creating src/Makefile
config.status: creating tests/Makefile
config.status: creating example/Makefile
config.status: creating docs/Makefile
config.status: creating libssh2.pc
config.status: creating src/libssh2_config.h
config.status: creating example/libssh2_config.h
config.status: executing depfiles commands
config.status: executing libtool commands
configure: summary of build options:

  version:          1.8.1_DEV
  Host type:        x86_64-unknown-linux-gnu
  Install prefix:   /tmp/ls
  Compiler:         gcc
  Compiler flags:   -g -O2
  Library types:    Shared=yes, Static=yes
  Crypto library:   libgcrypt
  Clear memory:     unsupported
  Debug build:      no
  Build examples:   no
  Path to sshd:     /usr/sbin/sshd (only for self-tests)
  zlib compression: not found

$ 


Also available in branch withcrypto at http://git.stuge.se/libssh2.git

(On top of simple180, which now includes the OS400 cleanup commit.)


Please review and comment. Thanks a lot!


//Peter

From libssh2-devel-bounces@cool.haxx.se  Fri Oct 28 04:10:09 2016
From: Peter Stuge <peter@stuge.se>
To: libssh2-devel@cool.haxx.se
Subject: [PATCH] configure.ac: Add single --with-crypto= instead of
 --with-$backend:s
Date: Fri, 28 Oct 2016 04:09:17 +0200
Message-Id: <1477620557-1859-2-git-send-email-peter@stuge.se>
In-Reply-To: <1477620557-1859-1-git-send-email-peter@stuge.se>
References: <20161027155339.GF20941@foo.stuge.se>
 <1477620557-1859-1-git-send-email-peter@stuge.se>

The new option replaces the previous backend-specific options and
fixes several problems while at it:

* libgcrypt and mbedtls would be used if either was found, even if
  --without-libgcrypt or --without-mbedtls were on the command line.

* If --with-$backend was on the command line, configure would not
  fail when the library could not be found, but would instead use
  the first successfully detected crypto library.

* Copypasted code in configure.ac and acinclude.m4 had replicated
  the above bugs for multiple crypto backends.

The new option requires specifying only a backend name in configure.ac.

All crypto backend names are automatically displayed and recognized
as valid --with-crypto= choices, and an uppercase name AM_CONDITIONAL
is automatically created for each name.

acinclude.m4 needs one case stanza within LIBSSH2_CRYPTO_CHECK to
test availability of each library, which must set LIBS as necessary.

src/Makefile.am still needs an if-block using the AM_CONDITIONAL to
include a backend-specific Makefile.
---
 acinclude.m4    | 150 ++++++++++++++++++++++++++++----------------------------
 configure.ac    | 137 ++++++++++++++++++++++++++++-----------------------
 src/Makefile.am |   8 +--
 3 files changed, 155 insertions(+), 140 deletions(-)

diff --git a/acinclude.m4 b/acinclude.m4
index 734ef07..18a2929 100644
--- a/acinclude.m4
+++ b/acinclude.m4
@@ -382,86 +382,86 @@ AC_DEFUN([CURL_CONFIGURE_REENTRANT], [
   #
 ])
 
-AC_DEFUN([LIBSSH2_CHECKFOR_MBEDTLS], [
-
-  old_LDFLAGS=$LDFLAGS
-  old_CFLAGS=$CFLAGS
-  if test -n "$use_mbedtls" && test "$use_mbedtls" != "no"; then
-    LDFLAGS="$LDFLAGS -L$use_mbedtls/lib"
-    CFLAGS="$CFLAGS -I$use_mbedtls/include"
-  fi
-
-  AC_LIB_HAVE_LINKFLAGS([mbedtls], [], [
-    #include <mbedtls/version.h>
-  ])
-
-  if test "$ac_cv_libmbedtls" = "yes"; then
-    AC_DEFINE(LIBSSH2_MBEDTLS, 1, [Use mbedtls])
-    LIBSREQUIRED= # mbedtls doesn't provide a .pc file
-    LIBS="$LIBS -lmbedtls -lmbedcrypto"
-    found_crypto=libmbedtls
-    support_clear_memory=yes
-  else
-    # restore
-    LDFLAGS=$old_LDFLAGS
-    CFLAGS=$old_CFLAGS
-  fi
-])
-
-AC_DEFUN([LIBSSH2_CHECKFOR_GCRYPT], [
-
-  old_LDFLAGS=$LDFLAGS
-  old_CFLAGS=$CFLAGS
-  if test -n "$use_libgcrypt" && test "$use_libgcrypt" != "no"; then
-    LDFLAGS="$LDFLAGS -L$use_libgcrypt/lib"
-    CFLAGS="$CFLAGS -I$use_libgcrypt/include"
-  fi
-  AC_LIB_HAVE_LINKFLAGS([gcrypt], [], [
-    #include <gcrypt.h>
-  ])
+AC_DEFUN([LIBSSH2_CHECK_CRYPTO], [
+if test "$use_crypto" = "auto" && test "$found_crypto" = "none" || test "$use_crypto" = "$1"; then
+  case "$1" in
+    openssl)
+      AC_LIB_HAVE_LINKFLAGS([ssl], [crypto], [#include <openssl/ssl.h>])
+
+      if test "$ac_cv_libssl" = "yes"; then
+        AC_DEFINE(LIBSSH2_OPENSSL, 1, [Use OpenSSL])
+        LIBSREQUIRED=libssl,libcrypto
+        LIBS="$LIBS $LIBSSL"
+
+        # Not all OpenSSL have AES-CTR functions.
+        AC_CHECK_FUNCS(EVP_aes_128_ctr)
+
+        found_crypto="$1"
+        found_crypto_str="OpenSSL (AES-CTR: ${ac_cv_func_EVP_aes_128_ctr:-N/A})"
+      fi
+      ;;
 
-  if test "$ac_cv_libgcrypt" = "yes"; then
-    AC_DEFINE(LIBSSH2_LIBGCRYPT, 1, [Use libgcrypt])
-    LIBSREQUIRED= # libgcrypt doesn't provide a .pc file. sad face.
-    LIBS="$LIBS -lgcrypt"
-    found_crypto=libgcrypt
-  else
-    # restore
-    LDFLAGS=$old_LDFLAGS
-    CFLAGS=$old_CFLAGS
-  fi
-])
+    libgcrypt)
+      AC_LIB_HAVE_LINKFLAGS([gcrypt], [], [#include <gcrypt.h>])
 
+      if test "$ac_cv_libgcrypt" = "yes"; then
+        AC_DEFINE(LIBSSH2_LIBGCRYPT, 1, [Use libgcrypt])
+        LIBSREQUIRED= # libgcrypt doesn't provide a .pc file. sad face.
+        LIBS="$LIBS -lgcrypt"
+        found_crypto="$1"
+      fi
+      ;;
 
-AC_DEFUN([LIBSSH2_CHECKFOR_WINCNG], [
+    mbedtls)
+      AC_LIB_HAVE_LINKFLAGS([mbedtls], [], [#include <mbedtls/version.h>])
 
-  # Look for Windows Cryptography API: Next Generation
+      if test "$ac_cv_libmbedtls" = "yes"; then
+        AC_DEFINE(LIBSSH2_MBEDTLS, 1, [Use mbedtls])
+        LIBSREQUIRED= # mbedtls doesn't provide a .pc file
+        LIBS="$LIBS -lmbedtls -lmbedcrypto"
+        found_crypto="$1"
+        support_clear_memory=yes
+      fi
+      ;;
 
-  AC_LIB_HAVE_LINKFLAGS([bcrypt], [], [
-    #include <windows.h>
-    #include <bcrypt.h>
-  ])
-  AC_LIB_HAVE_LINKFLAGS([crypt32], [], [
-    #include <windows.h>
-    #include <wincrypt.h>
-  ])
-  AC_CHECK_HEADERS([ntdef.h ntstatus.h], [], [], [
-    #include <windows.h>
-  ])
-  AC_CHECK_DECLS([SecureZeroMemory], [], [], [
-    #include <windows.h>
-  ])
+    wincng)
+      # Look for Windows Cryptography API: Next Generation
+
+      AC_LIB_HAVE_LINKFLAGS([bcrypt], [], [
+        #include <windows.h>
+        #include <bcrypt.h>
+      ])
+      AC_LIB_HAVE_LINKFLAGS([crypt32], [], [
+        #include <windows.h>
+        #include <wincrypt.h>
+      ])
+      AC_CHECK_HEADERS([ntdef.h ntstatus.h], [], [], [
+        #include <windows.h>
+      ])
+      AC_CHECK_DECLS([SecureZeroMemory], [], [], [
+        #include <windows.h>
+      ])
+
+      if test "$ac_cv_libbcrypt" = "yes"; then
+        AC_DEFINE(LIBSSH2_WINCNG, 1, [Use Windows CNG])
+        LIBSREQUIRED= # wincng doesn't provide a .pc file. sad face.
+        LIBS="$LIBS -lbcrypt"
+        if test "$ac_cv_libcrypt32" = "yes"; then
+          LIBS="$LIBS -lcrypt32"
+        fi
+        found_crypto="$1"
+        found_crypto_str="Windows Cryptography API: Next Generation"
+        if test "$ac_cv_have_decl_SecureZeroMemory" = "yes"; then
+          support_clear_memory=yes
+        fi
+      fi
+      ;;
+  esac
 
-  if test "$ac_cv_libbcrypt" = "yes"; then
-    AC_DEFINE(LIBSSH2_WINCNG, 1, [Use Windows CNG])
-    LIBSREQUIRED= # wincng doesn't provide a .pc file. sad face.
-    LIBS="$LIBS -lbcrypt"
-    if test "$ac_cv_libcrypt32" = "yes"; then
-      LIBS="$LIBS -lcrypt32"
-    fi
-    found_crypto="Windows Cryptography API: Next Generation"
-    if test "$ac_cv_have_decl_SecureZeroMemory" = "yes"; then
-      support_clear_memory=yes
-    fi
+  if test "$found_crypto" = "none"; then
+    test "${crypto_errors}" != "" && crypto_errors="${crypto_errors}
+"
+    crypto_errors="${crypto_errors}No $1 crypto library found!"
   fi
+fi
 ])
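Review bot: The libgcrypt and mbedtls stanzas append bare `-lgcrypt` and
`-lmbedtls -lmbedcrypto` to LIBS, while the openssl stanza uses `$LIBSSL`,
and the removed `-L$use_mbedtls/lib` / `-I$use_mbedtls/include` handling has
no replacement. A library that AC_LIB_HAVE_LINKFLAGS only finds through a
prefix option would pass the probe and then be linked without its search
path. Suggest appending the variables AC_LIB_HAVE_LINKFLAGS sets for each
name, the way the openssl stanza does, instead of hard-coded -l flags.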
diff --git a/configure.ac b/configure.ac
index f7fe247..ba84ddf 100644
--- a/configure.ac
+++ b/configure.ac
@@ -83,81 +83,84 @@ AC_C_BIGENDIAN
 dnl check for how to do large files
 AC_SYS_LARGEFILE
 
-found_crypto=none
-
 # Configure parameters
-AC_ARG_WITH(openssl,
-  AC_HELP_STRING([--with-openssl],[Use OpenSSL for crypto]),
-  use_openssl=$withval,use_openssl=auto)
-AC_ARG_WITH(libgcrypt,
-  AC_HELP_STRING([--with-libgcrypt],[Use libgcrypt for crypto]),
-  [ use_libgcrypt=$withval
-    LIBSSH2_CHECKFOR_GCRYPT
-  ], use_libgcrypt=auto)
-AC_ARG_WITH(wincng,
-  AC_HELP_STRING([--with-wincng],[Use Windows CNG for crypto]),
-  [ use_wincng=$withval
-    LIBSSH2_CHECKFOR_WINCNG
-  ] ,use_wincng=auto)
-AC_ARG_WITH([mbedtls],
-  AC_HELP_STRING([--with-mbedtls],[Use mbedTLS for crypto]),
-  [ use_mbedtls=$withval
-    LIBSSH2_CHECKFOR_MBEDTLS
-  ], use_mbedtls=auto
-)
-AC_ARG_WITH(libz,
-  AC_HELP_STRING([--with-libz],[Use zlib for compression]),
-  use_libz=$withval,use_libz=auto)
-
-support_clear_memory=no
 
-# Look for OpenSSL
-if test "$found_crypto" = "none" && test "$use_openssl" != "no"; then
-  AC_LIB_HAVE_LINKFLAGS([ssl], [crypto], [#include <openssl/ssl.h>])
-fi
-if test "$ac_cv_libssl" = "yes"; then
-  AC_DEFINE(LIBSSH2_OPENSSL, 1, [Use OpenSSL])
-  LIBSREQUIRED=libssl,libcrypto
-
-  # Not all OpenSSL have AES-CTR functions.
-  save_LIBS="$LIBS"
-  LIBS="$LIBS $LIBSSL"
-  AC_CHECK_FUNCS(EVP_aes_128_ctr)
-  LIBS="$save_LIBS"
+# libz
 
-  found_crypto="OpenSSL (AES-CTR: ${ac_cv_func_EVP_aes_128_ctr:-N/A})"
-fi
+AC_ARG_WITH([libz],
+  AC_HELP_STRING([--with-libz],[Use libz for compression]),
+  use_libz=$withval,
+  use_libz=auto)
 
-AM_CONDITIONAL(OPENSSL, test "$ac_cv_libssl" = "yes")
-AM_CONDITIONAL(WINCNG, test "$ac_cv_libbcrypt" = "yes")
-AM_CONDITIONAL(LIBGCRYPT, test "$ac_cv_libgcrypt" = "yes")
-AM_CONDITIONAL(MBEDTLS, test "$ac_cv_libmbedtls" = "yes")
-
-# Check if crypto library was found
-if test "$found_crypto" = "none"; then
-  AC_MSG_ERROR([No crypto library found!
-Try --with-libssl-prefix=PATH
- or --with-libgcrypt-prefix=PATH
- or --with-libmbedtls-prefix=PATH
- or --with-wincng on Windows\
-])
-fi
+found_libz=no
+libz_errors=""
 
-# Look for Libz
-if test "$use_libz" != "no"; then
+if test "$use_libz" != no; then
   AC_LIB_HAVE_LINKFLAGS([z], [], [#include <zlib.h>])
   if test "$ac_cv_libz" != yes; then
-    AC_MSG_NOTICE([Cannot find zlib, disabling compression])
-    AC_MSG_NOTICE([Try --with-libz-prefix=PATH if you know you have it])
+    if test "$use_libz" = auto; then
+      AC_MSG_NOTICE([Cannot find libz, disabling compression])
+      found_libz="disabled; no libz found"
+    else
+      libz_errors="No libz found!
+Try --with-libz-prefix=PATH if you know that you have it."
+      AS_MESSAGE([ERROR: $libz_errors])
+    fi
   else
     AC_DEFINE(LIBSSH2_HAVE_ZLIB, 1, [Compile in zlib support])
     if test "${LIBSREQUIRED}" != ""; then
       LIBSREQUIRED="${LIBSREQUIRED},"
     fi
     LIBSREQUIRED="${LIBSREQUIRED}zlib"
+    found_libz="yes"
   fi
 fi
 
+
+# Crypto backends
+
+found_crypto=none
+found_crypto_str=""
+support_clear_memory=no
+crypto_errors=""
+
+m4_set_add([crypto_backends], [openssl])
+m4_set_add([crypto_backends], [libgcrypt])
+m4_set_add([crypto_backends], [mbedtls])
+m4_set_add([crypto_backends], [wincng])
+
+AC_ARG_WITH([crypto],
+  AC_HELP_STRING([--with-crypto=auto|]m4_set_contents([crypto_backends], [|]),
+    [Select crypto backend (default: auto)]),
+  use_crypto=$withval,
+  use_crypto=auto
+)
+
+case "${use_crypto}" in
+  auto|m4_set_contents([crypto_backends], [|]))
+    m4_set_map([crypto_backends], [LIBSSH2_CHECK_CRYPTO])
+    ;;
+  *)
+    crypto_errors="Unknown crypto backend '${use_crypto}' specified!"
+    ;;
+esac
+
+if test "$found_crypto" = "none"; then
+  crypto_errors="${crypto_errors}
+Please specify --with-crypto and/or the neccessary library search prefix.
+
+Run configure --help to see all crypto library options."
+  AS_MESSAGE([ERROR: ${crypto_errors}])
+else
+  if test "$found_crypto_str" = ""; then
+    found_crypto_str="$found_crypto"
+  fi
+fi
+
+m4_set_foreach([crypto_backends], [c_backend],
+  [AM_CONDITIONAL(m4_toupper(c_backend), test "$found_crypto" = "c_backend")]
+)
+
 AC_SUBST(LIBSREQUIRED)
 
 #
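Review bot: A bare `--with-crypto` or `--without-crypto` falls into the `*)`
branch of the `case "${use_crypto}"` block, because AC_ARG_WITH sets
`$withval` to `yes` or `no` in those cases, so the user is told
"Unknown crypto backend 'yes' specified!". Suggest mapping `yes` to `auto`
and giving `no` its own message saying that a crypto backend is mandatory.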
@@ -351,6 +354,18 @@ AC_C_INLINE
 
 CURL_CHECK_NONBLOCKING_SOCKET
 
+if test "${libz_errors}" != ""; then
+  AS_MESSAGE([ERROR: ${libz_errors}])
+fi
+
+if test "${crypto_errors}" != ""; then
+  AS_MESSAGE([ERROR: ${crypto_errors}])
+fi
+
+if test "${libz_errors}${crypto_errors}" != ""; then
+  AC_MSG_ERROR([Required dependencies are missing!])
+fi
+
 AC_CONFIG_FILES([Makefile
                  src/Makefile
                  tests/Makefile
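Review bot: The `test "${crypto_errors}" != ""` check aborts configure
whenever any probed backend was missing, even if a later one was selected,
because LIBSSH2_CHECK_CRYPTO appends "No $1 crypto library found!" for every
failed probe and nothing clears it on success. With `--with-crypto=auto`
and only libgcrypt installed, the openssl miss alone is enough to fail.
Suggest keying the crypto error on `test "$found_crypto" = "none"` instead.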
@@ -367,10 +382,10 @@ AC_MSG_NOTICE([summary of build options:
   Compiler:         ${CC}
   Compiler flags:   ${CFLAGS}
   Library types:    Shared=${enable_shared}, Static=${enable_static}
-  Crypto library:   ${found_crypto}
+  Crypto library:   ${found_crypto_str}
   Clear memory:     $enable_clear_memory
   Debug build:      $enable_debug
   Build examples:   $build_examples
   Path to sshd:     $ac_cv_path_SSHD (only for self-tests)
-  zlib compression: $ac_cv_libz
+  zlib compression: ${found_libz}
 ])
diff --git a/src/Makefile.am b/src/Makefile.am
index 1fa0751..3532b81 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -8,12 +8,12 @@ endif
 if LIBGCRYPT
 include ../Makefile.libgcrypt.inc
 endif
-if WINCNG
-include ../Makefile.WinCNG.inc
-endif
 if MBEDTLS
 include ../Makefile.mbedTLS.inc
 endif
+if WINCNG
+include ../Makefile.WinCNG.inc
+endif
 
 # Makefile.inc provides the CSOURCES and HHEADERS defines
 include ../Makefile.inc
@@ -62,4 +62,4 @@ VERSION=-version-info 1:1:0
 
 libssh2_la_LDFLAGS = $(VERSION) -no-undefined \
 	-export-symbols-regex '^libssh2_.*' \
-	$(LTLIBGCRYPT) $(LTLIBSSL) $(LTLIBZ)
+	$(LIBS) $(LTLIBZ)
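Review bot: Replacing `$(LTLIBGCRYPT) $(LTLIBSSL)` with `$(LIBS)` in
libssh2_la_LDFLAGS drops the libtool-aware variables in favour of whatever
the configure stanzas put into LIBS, and automake already appends `$(LIBS)`
to the link command, so the libraries end up listed twice. Suggest leaving
`$(LIBS)` out of LDFLAGS, or putting the per-backend libtool variable in
libssh2_la_LIBADD.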
-- 

_______________________________________________
libssh2-devel https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel

From libssh2-devel-bounces@cool.haxx.se  Mon Oct 31 13:11:44 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u9VCBIds009876;
	Mon, 31 Oct 2016 13:11:39 +0100
Received: from mx1.redhat.com (mx1.redhat.com [209.132.183.28])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u9VCBFdO009835
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Mon, 31 Oct 2016 13:11:16 +0100
Received: from int-mx13.intmail.prod.int.phx2.redhat.com
 (int-mx13.intmail.prod.int.phx2.redhat.com [10.5.11.26])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (No client certificate requested)
 by mx1.redhat.com (Postfix) with ESMTPS id 4AA9DC04B957;
 Mon, 31 Oct 2016 12:11:11 +0000 (UTC)
Received: from kdudka-nb.localnet (unused-4-224.brq.redhat.com [10.34.4.224])
 by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with
 ESMTP id u9VCB9qZ000886
 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO);
 Mon, 31 Oct 2016 08:11:10 -0400
From: Kamil Dudka <kdudka@redhat.com>
To: Peter Stuge <peter@stuge.se>
Subject: Re: [PATCH] configure.ac: Add single --with-crypto= instead of
 --with-$backend:s
Date: Mon, 31 Oct 2016 13:11:15 +0100
Message-ID: <1973197.XhHmMWpa8C@kdudka-nb>
User-Agent: KMail/4.14.10 (Linux/4.7.10-gentoo; KDE/4.14.24; x86_64; ; )
In-Reply-To: <1477620557-1859-2-git-send-email-peter@stuge.se>
References: <20161027155339.GF20941@foo.stuge.se>
 <1477620557-1859-1-git-send-email-peter@stuge.se>
 <1477620557-1859-2-git-send-email-peter@stuge.se>
MIME-Version: 1.0
X-Scanned-By: MIMEDefang 2.68 on 10.5.11.26
X-Greylist: Sender IP whitelisted, not delayed by milter-greylist-4.5.16
 (mx1.redhat.com [10.5.110.31]); Mon, 31 Oct 2016 12:11:11 +0000 (UTC)
X-BeenThere: libssh2-devel@cool.haxx.se
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: libssh2 development <libssh2-devel.cool.haxx.se>
List-Unsubscribe: <https://cool.haxx.se/cgi-bin/mailman/options/libssh2-devel>, 
 <mailto:libssh2-devel-request@cool.haxx.se?subject=unsubscribe>
List-Archive: <http://cool.haxx.se/pipermail/libssh2-devel/>
List-Post: <mailto:libssh2-devel@cool.haxx.se>
List-Help: <mailto:libssh2-devel-request@cool.haxx.se?subject=help>
List-Subscribe: <https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel>, 
 <mailto:libssh2-devel-request@cool.haxx.se?subject=subscribe>
Reply-To: libssh2 development <libssh2-devel@cool.haxx.se>
Cc: libssh2-devel@cool.haxx.se
Content-Type: text/plain; charset="utf-8"
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from base64 to 8bit by giant.haxx.se id u9VCBIds009876

On Friday, October 28, 2016 04:09:17 Peter Stuge wrote:
> The new option replaces the previous backend-specific options and
> fixes several problems while at it:
> 
> * libgcrypt and mbedtls would be used if either was found, even if
>   --without-libgcrypt or --without-mbedtls were on the command line.
> 
> * If --with-$backend was on the command line, configure would not
>   fail when the library could not be found, but would instead use
>   the first successfully detected crypto library.
> 
> * Copypasted code in configure.ac and acinclude.m4 had replicated
>   the above bugs for multiple crypto backends.
> 
> The new option requires specifying only a backend name in configure.ac.
> 
> All crypto backend names are automatically displayed and recognized
> as valid --with-crypto= choices, and an uppercase name AM_CONDITIONAL
> is automatically created for each name.
> 
> acinclude.m4 needs one case stanza within LIBSSH2_CRYPTO_CHECK to
> test availability of each library, which must set LIBS as necessary.
> 
> src/Makefile.am still needs an if-block using the AM_CONDITIONAL to
> include a backend-specific Makefile.

The patch does not apply on the current upstream master branch, so I tested 
the withcrypto branch at http://git.stuge.se/libssh2.git (68b330d2).  Basic 
crypto backend selection seems to work.

--with-crypto=auto works fine for OpenSSL but does not work for libgcrypt:

$ ./configure --with-crypto=auto
[...]
configure: ERROR: No openssl crypto library found!
configure: error: Required dependencies are missing!

$ ./configure --with-crypto=libgcrypt
[...]
  Crypto library:   libgcrypt
[...]

As a side note, the --with-libssl-prefix option did not take any effect but
it seems unrelated to your patch.

Kamil

> ---
>  acinclude.m4    | 150
> ++++++++++++++++++++++++++++---------------------------- configure.ac    |
> 137 ++++++++++++++++++++++++++++----------------------- src/Makefile.am |  
> 8 +--
>  3 files changed, 155 insertions(+), 140 deletions(-)
> 
> diff --git a/acinclude.m4 b/acinclude.m4
> index 734ef07..18a2929 100644
> --- a/acinclude.m4
> +++ b/acinclude.m4
> @@ -382,86 +382,86 @@ AC_DEFUN([CURL_CONFIGURE_REENTRANT], [
>    #
>  ])
> 
> -AC_DEFUN([LIBSSH2_CHECKFOR_MBEDTLS], [
> -
> -  old_LDFLAGS=$LDFLAGS
> -  old_CFLAGS=$CFLAGS
> -  if test -n "$use_mbedtls" && test "$use_mbedtls" != "no"; then
> -    LDFLAGS="$LDFLAGS -L$use_mbedtls/lib"
> -    CFLAGS="$CFLAGS -I$use_mbedtls/include"
> -  fi
> -
> -  AC_LIB_HAVE_LINKFLAGS([mbedtls], [], [
> -    #include <mbedtls/version.h>
> -  ])
> -
> -  if test "$ac_cv_libmbedtls" = "yes"; then
> -    AC_DEFINE(LIBSSH2_MBEDTLS, 1, [Use mbedtls])
> -    LIBSREQUIRED= # mbedtls doesn't provide a .pc file
> -    LIBS="$LIBS -lmbedtls -lmbedcrypto"
> -    found_crypto=libmbedtls
> -    support_clear_memory=yes
> -  else
> -    # restore
> -    LDFLAGS=$old_LDFLAGS
> -    CFLAGS=$old_CFLAGS
> -  fi
> -])
> -
> -AC_DEFUN([LIBSSH2_CHECKFOR_GCRYPT], [
> -
> -  old_LDFLAGS=$LDFLAGS
> -  old_CFLAGS=$CFLAGS
> -  if test -n "$use_libgcrypt" && test "$use_libgcrypt" != "no"; then
> -    LDFLAGS="$LDFLAGS -L$use_libgcrypt/lib"
> -    CFLAGS="$CFLAGS -I$use_libgcrypt/include"
> -  fi
> -  AC_LIB_HAVE_LINKFLAGS([gcrypt], [], [
> -    #include <gcrypt.h>
> -  ])
> +AC_DEFUN([LIBSSH2_CHECK_CRYPTO], [
> +if test "$use_crypto" = "auto" && test "$found_crypto" = "none" || test
> "$use_crypto" = "$1"; then +  case "$1" in
> +    openssl)
> +      AC_LIB_HAVE_LINKFLAGS([ssl], [crypto], [#include <openssl/ssl.h>])
> +
> +      if test "$ac_cv_libssl" = "yes"; then
> +        AC_DEFINE(LIBSSH2_OPENSSL, 1, [Use OpenSSL])
> +        LIBSREQUIRED=libssl,libcrypto
> +        LIBS="$LIBS $LIBSSL"
> +
> +        # Not all OpenSSL have AES-CTR functions.
> +        AC_CHECK_FUNCS(EVP_aes_128_ctr)
> +
> +        found_crypto="$1"
> +        found_crypto_str="OpenSSL (AES-CTR:
> ${ac_cv_func_EVP_aes_128_ctr:-N/A})" +      fi
> +      ;;
> 
> -  if test "$ac_cv_libgcrypt" = "yes"; then
> -    AC_DEFINE(LIBSSH2_LIBGCRYPT, 1, [Use libgcrypt])
> -    LIBSREQUIRED= # libgcrypt doesn't provide a .pc file. sad face.
> -    LIBS="$LIBS -lgcrypt"
> -    found_crypto=libgcrypt
> -  else
> -    # restore
> -    LDFLAGS=$old_LDFLAGS
> -    CFLAGS=$old_CFLAGS
> -  fi
> -])
> +    libgcrypt)
> +      AC_LIB_HAVE_LINKFLAGS([gcrypt], [], [#include <gcrypt.h>])
> 
> +      if test "$ac_cv_libgcrypt" = "yes"; then
> +        AC_DEFINE(LIBSSH2_LIBGCRYPT, 1, [Use libgcrypt])
> +        LIBSREQUIRED= # libgcrypt doesn't provide a .pc file. sad face.
> +        LIBS="$LIBS -lgcrypt"
> +        found_crypto="$1"
> +      fi
> +      ;;
> 
> -AC_DEFUN([LIBSSH2_CHECKFOR_WINCNG], [
> +    mbedtls)
> +      AC_LIB_HAVE_LINKFLAGS([mbedtls], [], [#include <mbedtls/version.h>])
> 
> -  # Look for Windows Cryptography API: Next Generation
> +      if test "$ac_cv_libmbedtls" = "yes"; then
> +        AC_DEFINE(LIBSSH2_MBEDTLS, 1, [Use mbedtls])
> +        LIBSREQUIRED= # mbedtls doesn't provide a .pc file
> +        LIBS="$LIBS -lmbedtls -lmbedcrypto"
> +        found_crypto="$1"
> +        support_clear_memory=yes
> +      fi
> +      ;;
> 
> -  AC_LIB_HAVE_LINKFLAGS([bcrypt], [], [
> -    #include <windows.h>
> -    #include <bcrypt.h>
> -  ])
> -  AC_LIB_HAVE_LINKFLAGS([crypt32], [], [
> -    #include <windows.h>
> -    #include <wincrypt.h>
> -  ])
> -  AC_CHECK_HEADERS([ntdef.h ntstatus.h], [], [], [
> -    #include <windows.h>
> -  ])
> -  AC_CHECK_DECLS([SecureZeroMemory], [], [], [
> -    #include <windows.h>
> -  ])
> +    wincng)
> +      # Look for Windows Cryptography API: Next Generation
> +
> +      AC_LIB_HAVE_LINKFLAGS([bcrypt], [], [
> +        #include <windows.h>
> +        #include <bcrypt.h>
> +      ])
> +      AC_LIB_HAVE_LINKFLAGS([crypt32], [], [
> +        #include <windows.h>
> +        #include <wincrypt.h>
> +      ])
> +      AC_CHECK_HEADERS([ntdef.h ntstatus.h], [], [], [
> +        #include <windows.h>
> +      ])
> +      AC_CHECK_DECLS([SecureZeroMemory], [], [], [
> +        #include <windows.h>
> +      ])
> +
> +      if test "$ac_cv_libbcrypt" = "yes"; then
> +        AC_DEFINE(LIBSSH2_WINCNG, 1, [Use Windows CNG])
> +        LIBSREQUIRED= # wincng doesn't provide a .pc file. sad face.
> +        LIBS="$LIBS -lbcrypt"
> +        if test "$ac_cv_libcrypt32" = "yes"; then
> +          LIBS="$LIBS -lcrypt32"
> +        fi
> +        found_crypto="$1"
> +        found_crypto_str="Windows Cryptography API: Next Generation"
> +        if test "$ac_cv_have_decl_SecureZeroMemory" = "yes"; then
> +          support_clear_memory=yes
> +        fi
> +      fi
> +      ;;
> +  esac
> 
> -  if test "$ac_cv_libbcrypt" = "yes"; then
> -    AC_DEFINE(LIBSSH2_WINCNG, 1, [Use Windows CNG])
> -    LIBSREQUIRED= # wincng doesn't provide a .pc file. sad face.
> -    LIBS="$LIBS -lbcrypt"
> -    if test "$ac_cv_libcrypt32" = "yes"; then
> -      LIBS="$LIBS -lcrypt32"
> -    fi
> -    found_crypto="Windows Cryptography API: Next Generation"
> -    if test "$ac_cv_have_decl_SecureZeroMemory" = "yes"; then
> -      support_clear_memory=yes
> -    fi
> +  if test "$found_crypto" = "none"; then
> +    test "${crypto_errors}" != "" && crypto_errors="${crypto_errors}
> +"
> +    crypto_errors="${crypto_errors}No $1 crypto library found!"
>    fi
> +fi
>  ])
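Review bot: The macro is defined as `LIBSSH2_CHECK_CRYPTO`, but the commit
message tells backend authors to add their case stanza to
`LIBSSH2_CRYPTO_CHECK`; one of the two names should be corrected. A short
comment above the AC_DEFUN listing what each stanza must set (`found_crypto`,
LIBS, LIBSREQUIRED, optionally `found_crypto_str` and
`support_clear_memory`) would also help, since that contract is only
implied by the four existing stanzas.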
> diff --git a/configure.ac b/configure.ac
> index f7fe247..ba84ddf 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -83,81 +83,84 @@ AC_C_BIGENDIAN
>  dnl check for how to do large files
>  AC_SYS_LARGEFILE
> 
> -found_crypto=none
> -
>  # Configure parameters
> -AC_ARG_WITH(openssl,
> -  AC_HELP_STRING([--with-openssl],[Use OpenSSL for crypto]),
> -  use_openssl=$withval,use_openssl=auto)
> -AC_ARG_WITH(libgcrypt,
> -  AC_HELP_STRING([--with-libgcrypt],[Use libgcrypt for crypto]),
> -  [ use_libgcrypt=$withval
> -    LIBSSH2_CHECKFOR_GCRYPT
> -  ], use_libgcrypt=auto)
> -AC_ARG_WITH(wincng,
> -  AC_HELP_STRING([--with-wincng],[Use Windows CNG for crypto]),
> -  [ use_wincng=$withval
> -    LIBSSH2_CHECKFOR_WINCNG
> -  ] ,use_wincng=auto)
> -AC_ARG_WITH([mbedtls],
> -  AC_HELP_STRING([--with-mbedtls],[Use mbedTLS for crypto]),
> -  [ use_mbedtls=$withval
> -    LIBSSH2_CHECKFOR_MBEDTLS
> -  ], use_mbedtls=auto
> -)
> -AC_ARG_WITH(libz,
> -  AC_HELP_STRING([--with-libz],[Use zlib for compression]),
> -  use_libz=$withval,use_libz=auto)
> -
> -support_clear_memory=no
> 
> -# Look for OpenSSL
> -if test "$found_crypto" = "none" && test "$use_openssl" != "no"; then
> -  AC_LIB_HAVE_LINKFLAGS([ssl], [crypto], [#include <openssl/ssl.h>])
> -fi
> -if test "$ac_cv_libssl" = "yes"; then
> -  AC_DEFINE(LIBSSH2_OPENSSL, 1, [Use OpenSSL])
> -  LIBSREQUIRED=libssl,libcrypto
> -
> -  # Not all OpenSSL have AES-CTR functions.
> -  save_LIBS="$LIBS"
> -  LIBS="$LIBS $LIBSSL"
> -  AC_CHECK_FUNCS(EVP_aes_128_ctr)
> -  LIBS="$save_LIBS"
> +# libz
> 
> -  found_crypto="OpenSSL (AES-CTR: ${ac_cv_func_EVP_aes_128_ctr:-N/A})"
> -fi
> +AC_ARG_WITH([libz],
> +  AC_HELP_STRING([--with-libz],[Use libz for compression]),
> +  use_libz=$withval,
> +  use_libz=auto)
> 
> -AM_CONDITIONAL(OPENSSL, test "$ac_cv_libssl" = "yes")
> -AM_CONDITIONAL(WINCNG, test "$ac_cv_libbcrypt" = "yes")
> -AM_CONDITIONAL(LIBGCRYPT, test "$ac_cv_libgcrypt" = "yes")
> -AM_CONDITIONAL(MBEDTLS, test "$ac_cv_libmbedtls" = "yes")
> -
> -# Check if crypto library was found
> -if test "$found_crypto" = "none"; then
> -  AC_MSG_ERROR([No crypto library found!
> -Try --with-libssl-prefix=PATH
> - or --with-libgcrypt-prefix=PATH
> - or --with-libmbedtls-prefix=PATH
> - or --with-wincng on Windows\
> -])
> -fi
> +found_libz=no
> +libz_errors=""
> 
> -# Look for Libz
> -if test "$use_libz" != "no"; then
> +if test "$use_libz" != no; then
>    AC_LIB_HAVE_LINKFLAGS([z], [], [#include <zlib.h>])
>    if test "$ac_cv_libz" != yes; then
> -    AC_MSG_NOTICE([Cannot find zlib, disabling compression])
> -    AC_MSG_NOTICE([Try --with-libz-prefix=PATH if you know you have it])
> +    if test "$use_libz" = auto; then
> +      AC_MSG_NOTICE([Cannot find libz, disabling compression])
> +      found_libz="disabled; no libz found"
> +    else
> +      libz_errors="No libz found!
> +Try --with-libz-prefix=PATH if you know that you have it."
> +      AS_MESSAGE([ERROR: $libz_errors])
> +    fi
>    else
>      AC_DEFINE(LIBSSH2_HAVE_ZLIB, 1, [Compile in zlib support])
>      if test "${LIBSREQUIRED}" != ""; then
>        LIBSREQUIRED="${LIBSREQUIRED},"
>      fi
>      LIBSREQUIRED="${LIBSREQUIRED}zlib"
> +    found_libz="yes"
>    fi
>  fi
> 
> +
> +# Crypto backends
> +
> +found_crypto=none
> +found_crypto_str=""
> +support_clear_memory=no
> +crypto_errors=""
> +
> +m4_set_add([crypto_backends], [openssl])
> +m4_set_add([crypto_backends], [libgcrypt])
> +m4_set_add([crypto_backends], [mbedtls])
> +m4_set_add([crypto_backends], [wincng])
> +
> +AC_ARG_WITH([crypto],
> +  AC_HELP_STRING([--with-crypto=auto|]m4_set_contents([crypto_backends],
> [|]), +    [Select crypto backend (default: auto)]),
> +  use_crypto=$withval,
> +  use_crypto=auto
> +)
> +
> +case "${use_crypto}" in
> +  auto|m4_set_contents([crypto_backends], [|]))
> +    m4_set_map([crypto_backends], [LIBSSH2_CHECK_CRYPTO])
> +    ;;
> +  *)
> +    crypto_errors="Unknown crypto backend '${use_crypto}' specified!"
> +    ;;
> +esac
> +
> +if test "$found_crypto" = "none"; then
> +  crypto_errors="${crypto_errors}
> +Please specify --with-crypto and/or the neccessary library search prefix.
> +
> +Run configure --help to see all crypto library options."
> +  AS_MESSAGE([ERROR: ${crypto_errors}])
> +else
> +  if test "$found_crypto_str" = ""; then
> +    found_crypto_str="$found_crypto"
> +  fi
> +fi
> +
> +m4_set_foreach([crypto_backends], [c_backend],
> +  [AM_CONDITIONAL(m4_toupper(c_backend), test "$found_crypto" =
> "c_backend")] +)
> +
>  AC_SUBST(LIBSREQUIRED)
> 
>  #
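Review bot: The errors are printed twice: `AS_MESSAGE([ERROR: $libz_errors])`
and `AS_MESSAGE([ERROR: ${crypto_errors}])` are emitted here at detection
time and again by the block added after CURL_CHECK_NONBLOCKING_SOCKET.
Suggest recording the text here and printing it only in the later block.
The user-visible message also misspells "necessary" as "neccessary".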
> @@ -351,6 +354,18 @@ AC_C_INLINE
> 
>  CURL_CHECK_NONBLOCKING_SOCKET
> 
> +if test "${libz_errors}" != ""; then
> +  AS_MESSAGE([ERROR: ${libz_errors}])
> +fi
> +
> +if test "${crypto_errors}" != ""; then
> +  AS_MESSAGE([ERROR: ${crypto_errors}])
> +fi
> +
> +if test "${libz_errors}${crypto_errors}" != ""; then
> +  AC_MSG_ERROR([Required dependencies are missing!])
> +fi
> +
>  AC_CONFIG_FILES([Makefile
>                   src/Makefile
>                   tests/Makefile
> @@ -367,10 +382,10 @@ AC_MSG_NOTICE([summary of build options:
>    Compiler:         ${CC}
>    Compiler flags:   ${CFLAGS}
>    Library types:    Shared=${enable_shared}, Static=${enable_static}
> -  Crypto library:   ${found_crypto}
> +  Crypto library:   ${found_crypto_str}
>    Clear memory:     $enable_clear_memory
>    Debug build:      $enable_debug
>    Build examples:   $build_examples
>    Path to sshd:     $ac_cv_path_SSHD (only for self-tests)
> -  zlib compression: $ac_cv_libz
> +  zlib compression: ${found_libz}
>  ])
> diff --git a/src/Makefile.am b/src/Makefile.am
> index 1fa0751..3532b81 100644
> --- a/src/Makefile.am
> +++ b/src/Makefile.am
> @@ -8,12 +8,12 @@ endif
>  if LIBGCRYPT
>  include ../Makefile.libgcrypt.inc
>  endif
> -if WINCNG
> -include ../Makefile.WinCNG.inc
> -endif
>  if MBEDTLS
>  include ../Makefile.mbedTLS.inc
>  endif
> +if WINCNG
> +include ../Makefile.WinCNG.inc
> +endif
> 
>  # Makefile.inc provides the CSOURCES and HHEADERS defines
>  include ../Makefile.inc
> @@ -62,4 +62,4 @@ VERSION=-version-info 1:1:0
> 
>  libssh2_la_LDFLAGS = $(VERSION) -no-undefined \
>  	-export-symbols-regex '^libssh2_.*' \
> -	$(LTLIBGCRYPT) $(LTLIBSSL) $(LTLIBZ)
> +	$(LIBS) $(LTLIBZ)


From libssh2-devel-bounces@cool.haxx.se  Mon Oct 31 13:37:48 2016
Return-Path: <libssh2-devel-bounces@cool.haxx.se>
Received: from www.haxx.se (localhost.localdomain [127.0.0.1])
	by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTP id u9VCbgI4001648;
	Mon, 31 Oct 2016 13:37:46 +0100
Received: from foo.stuge.se (foo.stuge.se [212.116.89.98])
 by giant.haxx.se (8.15.2/8.15.2/Debian-4) with ESMTPS id u9VCbeb0001598
 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=NOT)
 for <libssh2-devel@cool.haxx.se>; Mon, 31 Oct 2016 13:37:41 +0100
Received: (qmail 9187 invoked by uid 1000); 31 Oct 2016 13:23:42 -0000
Date: Mon, 31 Oct 2016 13:23:42 +0000
From: Peter Stuge <peter@stuge.se>
To: libssh2-devel@cool.haxx.se
Subject: Re: [PATCH] configure.ac: Add single --with-crypto= instead of
 --with-$backend:s
Message-ID: <20161031132342.GA31660@foo.stuge.se>
References: <20161027155339.GF20941@foo.stuge.se>
 <1477620557-1859-1-git-send-email-peter@stuge.se>
 <1477620557-1859-2-git-send-email-peter@stuge.se>
 <1973197.XhHmMWpa8C@kdudka-nb>
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="VbJkn9YxBvnuCH5J"
Content-Disposition: inline
In-Reply-To: <1973197.XhHmMWpa8C@kdudka-nb>
X-BeenThere: libssh2-devel@cool.haxx.se
X-Mailman-Version: 2.1.22
Precedence: list
List-Id: libssh2 development <libssh2-devel.cool.haxx.se>
List-Unsubscribe: <https://cool.haxx.se/cgi-bin/mailman/options/libssh2-devel>, 
 <mailto:libssh2-devel-request@cool.haxx.se?subject=unsubscribe>
List-Archive: <http://cool.haxx.se/pipermail/libssh2-devel/>
List-Post: <mailto:libssh2-devel@cool.haxx.se>
List-Help: <mailto:libssh2-devel-request@cool.haxx.se?subject=help>
List-Subscribe: <https://cool.haxx.se/cgi-bin/mailman/listinfo/libssh2-devel>, 
 <mailto:libssh2-devel-request@cool.haxx.se?subject=subscribe>
Reply-To: libssh2 development <libssh2-devel@cool.haxx.se>
Errors-To: libssh2-devel-bounces@cool.haxx.se
Sender: "libssh2-devel" <libssh2-devel-bounces@cool.haxx.se>


--VbJkn9YxBvnuCH5J
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline

Hi Kamil,

Thanks a lot for testing this!

Kamil Dudka wrote:
> The patch does not apply on the current upstream master branch, so I tested 
> the withcrypto branch at http://git.stuge.se/libssh2.git (68b330d2).

Yes - it applies on top of the handful of simple fixes in my simple180
branch, which I posted before. Sorry, should have made that more clear.


> Basic crypto backend selection seems to work.
> 
> --with-crypto=auto works fine for OpenSSL but does not work for libgcrypt:
> 
> $ ./configure --with-crypto=auto
> [...]
> configure: ERROR: No openssl crypto library found!
> configure: error: Required dependencies are missing!

Good find - I believe libgcrypt was actually successfully detected by
the tests, but the end logic needs a little fixing. Patch attached.


> As a side note, the --with-libssl-prefix option did not take any
> effect but it seems unrelated to your patch.

Oh! How did you notice that it does not take effect, and how did you
deal with that instead, if you need it?

The --with-x-prefix options are a bit unrelated; they are created and
supposed to be handled by AC_LIB_HAVE_LINKFLAGS, but they are related
because they deal with library finding, so I'd like to know more
about the problem you found. If you have config.log from a problem
run maybe you can send it to me. (Maybe off-list if it's large.)


Thanks again

//Peter

--VbJkn9YxBvnuCH5J
Content-Type: text/x-diff; charset=utf-8
Content-Disposition: attachment; filename="0001-configure.ac-Exit-with-error-only-if-autodetect-find.patch"
Content-Transfer-Encoding: quoted-printable

=46rom ac495b31531bdcdcbc5c09b84f12f1ff6f4ffe5f Mon Sep 17 00:00:00 2001
=46rom: Peter Stuge <peter@stuge.se>
Date: Mon, 31 Oct 2016 13:28:33 +0100
Subject: [PATCH] configure.ac: Exit with error only if autodetect finds no
 crypto

Previously, configure would exit with an error if either crypto library
was not found.

This is a fixup of commit 68b330d28caee0c12a927a809eb5ffb33a3b5aa6.
---
 configure.ac | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/configure.ac b/configure.ac
index ba84ddf..61698f8 100644
--- a/configure.ac
+++ b/configure.ac
@@ -354,15 +354,19 @@ AC_C_INLINE
=20
 CURL_CHECK_NONBLOCKING_SOCKET
=20
+missing_deps=3D0
+
 if test "${libz_errors}" !=3D ""; then
   AS_MESSAGE([ERROR: ${libz_errors}])
+  missing_deps=3D1
 fi
=20
-if test "${crypto_errors}" !=3D ""; then
+if test "$found_crypto" =3D "none"; then
   AS_MESSAGE([ERROR: ${crypto_errors}])
+  missing_deps=3D1
 fi
=20
-if test "${libz_errors}${crypto_errors}" !=3D ""; then
+if test $missing_deps =3D 1; then
   AC_MSG_ERROR([Required dependencies are missing!])
 fi
=20
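Review bot: The final check `test $missing_deps = 1` leaves the variable
unquoted, unlike every other test in this block; suggest
`test "$missing_deps" = "1"` for consistency. It would also help to say in
the commit message that `crypto_errors` can legitimately be non-empty after
a successful auto-detection, since that is the reason the condition now
looks at `found_crypto`.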
--=20


--VbJkn9YxBvnuCH5J--
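
Added example (not part of the thread and not libssh2's build code): a POSIX shell model of the --with-crypto selection discussed above. It shows why the original end check rejects `auto` when only libgcrypt is installed, and that checking `found_crypto` instead still fails closed for an explicitly requested but missing backend. `probe`, `select_crypto`, `AVAILABLE` and the `errors`/`found` switch are hypothetical names; `AVAILABLE` stands in for the AC_LIB_HAVE_LINKFLAGS probes.

```shell
#!/bin/sh
# Model of the backend selection; names here are illustrative assumptions.

BACKENDS="openssl libgcrypt mbedtls wincng"

# probe NAME: succeeds if NAME is listed in $AVAILABLE (constructed input
# that replaces the real library detection).
probe() {
  case " $AVAILABLE " in
    *" $1 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# select_crypto USE_CRYPTO END_CHECK
#   END_CHECK=errors : fail if any probe recorded an error (original patch)
#   END_CHECK=found  : fail only if no backend was selected (fixup patch)
# Prints the selected backend; returns 0 on success and 1 on failure.
select_crypto() {
  use_crypto=$1
  end_check=$2
  found_crypto=none
  crypto_errors=""

  case "$use_crypto" in
    auto|openssl|libgcrypt|mbedtls|wincng)
      for b in $BACKENDS; do
        # Same gate as the macro: probe every backend until one is found
        # in auto mode, or probe only the backend that was asked for.
        if { test "$use_crypto" = auto && test "$found_crypto" = none; } ||
           test "$use_crypto" = "$b"; then
          if probe "$b"; then
            found_crypto=$b
          else
            crypto_errors="${crypto_errors}No $b crypto library found! "
          fi
        fi
      done
      ;;
    *)
      crypto_errors="Unknown crypto backend '$use_crypto' specified!"
      ;;
  esac

  case "$end_check" in
    errors)
      test -z "$crypto_errors" || {
        echo "ERROR: $crypto_errors" >&2
        return 1
      }
      ;;
    found)
      test "$found_crypto" != none || {
        echo "ERROR: $crypto_errors" >&2
        return 1
      }
      ;;
  esac
  echo "$found_crypto"
}

# Demo: only libgcrypt is installed, end check as in the fixup.
AVAILABLE="libgcrypt"
select_crypto auto found
```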

