From 4e1cd261efd82cb0257a9924547084509fa1d9bc Mon Sep 17 00:00:00 2001 From: Stefan Berger Date: Thu, 30 May 2019 15:49:34 -0400 Subject: [PATCH] build-sys: Add support for --disable-use-openssl-functions OpenSSL's crypto library does not support all crypto functionality we need in all versions. Elliptic curve support via EVP seems to have been added much later than for example symmetric crypto support. So, we move the USE_OPENSSL_FUNCTIONS out of Implementation.h into configure.ac and let the build system detect what functionality is available in the crypto library. In this patch we now also rename USE_OPENSSL_FUNCTIONS to USE_OPENSSL_FUNCTIONS_SYMMETRIC to indicate that we can use the symmetric crypto functions of the crypto lib. Using the OpenSSL crypto support is enabled by default, so one has to use --disable-use-openssl-functions, which we do for Travis now. Signed-off-by: Stefan Berger --- .travis.yml | 4 +-- configure.ac | 34 ++++++++++++++++--- src/tpm2/Implementation.h | 3 -- src/tpm2/crypto/openssl/CryptSym.c | 2 +- src/tpm2/crypto/openssl/Helpers.c | 4 +-- src/tpm2/crypto/openssl/TpmToOsslDesSupport.c | 2 +- 6 files changed, 34 insertions(+), 15 deletions(-) diff --git a/.travis.yml b/.travis.yml index b2b29f7f..2153d036 100644 --- a/.travis.yml +++ b/.travis.yml @@ -58,12 +58,10 @@ matrix: uidgid="$(id -nu):$(id -ng)" && sudo chown -R ${uidgid} ./ && cpp-coveralls -b src -e tests -e swtpm --gcov-options '\-lp' - - env: CONFIG="--with-openssl --prefix=/usr --with-tpm2 --enable-test-coverage" + - env: CONFIG="--with-openssl --prefix=/usr --with-tpm2 --enable-test-coverage --disable-use-openssl-functions" TARGET="install" NPROC="nproc" dist: xenial script: - sed -i 's/.* USE_OPENSSL_FUNCTIONS .*/#define USE_OPENSSL_FUNCTIONS NO/' - src/tpm2/Implementation.h && ./autogen.sh ${CONFIG} && sudo make -j$(nproc) ${TARGET} && sudo make -j$(nproc) check && diff --git a/configure.ac b/configure.ac index 56ffb892..0108d093 100644 --- a/configure.ac 
+++ b/configure.ac @@ -145,6 +145,29 @@ AC_ARG_WITH([tpm2], AM_CONDITIONAL(WITH_TPM2, false) ) +use_openssl_functions_for="" +use_openssl_functions_symmetric=0 +AC_ARG_ENABLE(use-openssl-functions, + AS_HELP_STRING([--disable-use-openssl-functions], + [Use TPM 2 crypot code rather than OpenSSL crypto functions]), +) +AS_IF([test "x$enable_use_openssl_functions" != "xno"], [ + if test "x$cryptolib" != "xopenssl"; then + AC_MSG_ERROR([OpenSSL crypto function usage requires openssl as crypto library]) + fi + # Check for symmetric key crypto functions + not_found=0 + AC_CHECK_LIB([crypto], [EVP_CIPHER_CTX_new],, not_found=1) + AC_CHECK_LIB([crypto], [EVP_EncryptInit_ex],, not_found=1) + AC_CHECK_LIB([crypto], [EVP_aes_128_cbc],, not_found=1) + AC_CHECK_LIB([crypto], [EVP_des_ede3_cbc],, not_found=1) + if test "x$not_found" = "x0"; then + use_openssl_functions_symmetric=1 + use_openssl_functions_for="symmetric (AES, TDES) " + fi +]) +CFLAGS="$CFLAGS -DUSE_OPENSSL_FUNCTIONS_SYMMETRIC=$use_openssl_functions_symmetric" + AC_ARG_ENABLE([sanitizers], AS_HELP_STRING([--enable-sanitizers], [Enable address sanitizing]), [SANITIZERS="-fsanitize=address,undefined"], []) AC_ARG_ENABLE([fuzzer], AS_HELP_STRING([--enable-fuzzer], [Enable fuzzer]), @@ -236,10 +259,11 @@ echo "HARDENING_CFLAGS=$HARDENING_CFLAGS" echo "HARDENING_LDFLAGS=$HARDENING_LDFLAGS" echo "LDFLAGS=$LDFLAGS" echo -echo "Version to build : $PACKAGE_VERSION" -echo "Crypto library : $cryptolib" -echo "Debug build : $enable_debug" -echo "With TPM2 support : $with_tpm2" -echo "HAVE_VERSION_SCRIPT : $have_version_script" +echo "Version to build : $PACKAGE_VERSION" +echo "Crypto library : $cryptolib" +echo "Debug build : $enable_debug" +echo "With TPM2 support : $with_tpm2" +echo "HAVE_VERSION_SCRIPT : $have_version_script" +echo "Use openssl crypto for : $use_openssl_functions_for" echo echo diff --git a/src/tpm2/Implementation.h b/src/tpm2/Implementation.h index f6cf93fe..740ce8a4 100644 --- a/src/tpm2/Implementation.h 
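Review bot: The `AS_IF([test "x$enable_use_openssl_functions" != "xno"]` branch treats the flag's default (unset) the same as an explicit `--enable-use-openssl-functions`, so the `AC_MSG_ERROR` right after it fires for any configuration whose `$cryptolib` is not openssl even though the user never asked for OpenSSL functions — if another crypto library is selectable at this point of configure.ac, that is a regression the commit message does not mention. The opposite case is equally quiet: when the four `AC_CHECK_LIB` probes fail, `use_openssl_functions_symmetric` stays 0 and the build falls back to the TPM reference AES/TDES with no diagnostic, even for an explicit `yes`, the only trace being an empty `Use openssl crypto for :` line in the summary. I would hard-fail only on an explicit request, gate the default on `$cryptolib`, and make the not-found path emit `AC_MSG_WARN` (or `AC_MSG_ERROR` for an explicit `yes`) so a build that silently ended up with a different cipher implementation than intended is visible in the configure output. The help string also has a typo: `crypot` → `crypto`.
```m4
# Hard-fail only on an explicit request; the default applies only when openssl is the crypto library.
if test "x$enable_use_openssl_functions" = "xyes" && test "x$cryptolib" != "xopenssl"; then
  AC_MSG_ERROR([--enable-use-openssl-functions requires openssl as crypto library])
fi
AS_IF([test "x$enable_use_openssl_functions" != "xno" && test "x$cryptolib" = "xopenssl"], [
  # … unchanged: the four AC_CHECK_LIB([crypto], …) probes …
  if test "x$not_found" = "x0"; then
    use_openssl_functions_symmetric=1
    use_openssl_functions_for="symmetric (AES, TDES) "
  elif test "x$enable_use_openssl_functions" = "xyes"; then
    AC_MSG_ERROR([OpenSSL symmetric EVP functions were requested but not found in libcrypto])
  else
    AC_MSG_WARN([OpenSSL symmetric EVP functions not found; using TPM reference crypto instead])
  fi
])
```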
+++ b/src/tpm2/Implementation.h @@ -1219,7 +1219,4 @@ typedef TPM2B_MAX_HASH_BLOCK TPM2B_HASH_BLOCK; # error Bad size for MAX_SYM_KEY_BITS or MAX_SYM_BLOCK_SIZE #endif -/* libtpms: Use OpenSSL's crypto functions where possible */ -#define USE_OPENSSL_FUNCTIONS YES - #endif // _IMPLEMENTATION_H_ diff --git a/src/tpm2/crypto/openssl/CryptSym.c b/src/tpm2/crypto/openssl/CryptSym.c index 947b1c37..1d33ebfb 100644 --- a/src/tpm2/crypto/openssl/CryptSym.c +++ b/src/tpm2/crypto/openssl/CryptSym.c @@ -157,7 +157,7 @@ CryptGetSymmetricBlockSize( return 0; } -#if !USE_OPENSSL_FUNCTIONS // libtpms added +#if !USE_OPENSSL_FUNCTIONS_SYMMETRIC // libtpms added /* 10.2.20.5 Symmetric Encryption */ /* This function performs symmetric encryption based on the mode. */ /* Error Returns Meaning */ diff --git a/src/tpm2/crypto/openssl/Helpers.c b/src/tpm2/crypto/openssl/Helpers.c index 7436deb6..b6889e4a 100644 --- a/src/tpm2/crypto/openssl/Helpers.c +++ b/src/tpm2/crypto/openssl/Helpers.c @@ -63,7 +63,7 @@ #include -#if USE_OPENSSL_FUNCTIONS +#if USE_OPENSSL_FUNCTIONS_SYMMETRIC evpfunc GetEVPCipher(TPM_ALG_ID algorithm, // IN UINT16 keySizeInBits, // IN @@ -178,4 +178,4 @@ evpfunc GetEVPCipher(TPM_ALG_ID algorithm, // IN return evpfn; } -#endif // USE_OPENSSL_FUNCTIONS +#endif // USE_OPENSSL_FUNCTIONS_SYMMETRIC diff --git a/src/tpm2/crypto/openssl/TpmToOsslDesSupport.c b/src/tpm2/crypto/openssl/TpmToOsslDesSupport.c index 1792f2bc..dfc5e3c6 100644 --- a/src/tpm2/crypto/openssl/TpmToOsslDesSupport.c +++ b/src/tpm2/crypto/openssl/TpmToOsslDesSupport.c @@ -101,7 +101,7 @@ void TDES_encrypt( &ks[0], &ks[1], &ks[2], DES_ENCRYPT); } -#if !USE_OPENSSL_FUNCTIONS +#if !USE_OPENSSL_FUNCTIONS_SYMMETRIC /* B.2.3.1.3.3. TDES_decrypt() */ /* As with TDES_encypt() this function bridges between the TPM single schedule model and the OpenSSL() three schedule model. */
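Review bot: With the `#define USE_OPENSSL_FUNCTIONS YES` removed from Implementation.h, the `#if USE_OPENSSL_FUNCTIONS_SYMMETRIC` in Helpers.c and the `#if !USE_OPENSSL_FUNCTIONS_SYMMETRIC` in CryptSym.c and TpmToOsslDesSupport.c now depend entirely on the `-DUSE_OPENSSL_FUNCTIONS_SYMMETRIC=…` that configure appends to CFLAGS; any translation unit built without that flag (another build system, a CFLAGS override on the make line) evaluates the undefined macro as 0 and silently compiles the reference-TPM AES/TDES code instead of OpenSSL's, with no diagnostic. Since this macro now decides which cipher implementation ends up inside the TPM, I would make a missing definition a hard error rather than a silent default, e.g. where the old define lived in Implementation.h: `#ifndef USE_OPENSSL_FUNCTIONS_SYMMETRIC` / `# error USE_OPENSSL_FUNCTIONS_SYMMETRIC must be defined by configure` / `#endif`. Adding `-Wundef` to the project's warning flags would additionally surface any other `#if` on an undefined macro at these sites.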