From 0882338142c88cb7e3c1a014378f9888c59347e6 Mon Sep 17 00:00:00 2001
From: Jakub Jelen <jjelen@redhat.com>
Date: Fri, 12 Apr 2024 14:17:56 +0200
Subject: [PATCH] Detect blowfish in mbedtls and skip it if not found

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>
---
 CMakeLists.txt                    | 2 +-
 ConfigureChecks.cmake             | 6 +++++-
 config.h.cmake                    | 6 +++---
 include/libssh/crypto.h           | 4 ++--
 src/kex.c                         | 8 ++------
 src/libcrypto.c                   | 8 ++++----
 src/libgcrypt.c                   | 8 ++++----
 src/libmbedcrypto.c               | 4 ++--
 tests/client/torture_algorithms.c | 8 ++++----
 9 files changed, 27 insertions(+), 27 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index acc1e606..fa4a2e0e 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -229,7 +229,7 @@ message(STATUS "Pcap debugging support : ${WITH_PCAP}")
 message(STATUS "Build shared library: ${BUILD_SHARED_LIBS}")
 message(STATUS "Unit testing: ${UNIT_TESTING}")
 message(STATUS "Client code testing: ${CLIENT_TESTING}")
-message(STATUS "Blowfish cipher support: ${WITH_BLOWFISH_CIPHER}")
+message(STATUS "Blowfish cipher support: ${HAVE_BLOWFISH}")
 message(STATUS "PKCS #11 URI support: ${WITH_PKCS11_URI}")
 message(STATUS "With PKCS #11 provider support: ${WITH_PKCS11_PROVIDER}")
 set(_SERVER_TESTING OFF)
diff --git a/ConfigureChecks.cmake b/ConfigureChecks.cmake
index a83868ca..a24be64d 100644
--- a/ConfigureChecks.cmake
+++ b/ConfigureChecks.cmake
@@ -90,7 +90,7 @@ if (OPENSSL_FOUND)
     endif()
 
     if (WITH_BLOWFISH_CIPHER)
-        check_include_file(openssl/blowfish.h HAVE_OPENSSL_BLOWFISH_H)
+        check_include_file(openssl/blowfish.h HAVE_BLOWFISH)
     endif()
 
     check_include_file(openssl/ecdh.h HAVE_OPENSSL_ECDH_H)
@@ -235,6 +235,10 @@ if (MBEDTLS_FOUND)
     set(CMAKE_REQUIRED_INCLUDES "${MBEDTLS_INCLUDE_DIR}/mbedtls")
     check_include_file(chacha20.h HAVE_MBEDTLS_CHACHA20_H)
     check_include_file(poly1305.h HAVE_MBEDTLS_POLY1305_H)
+    if (WITH_BLOWFISH_CIPHER)
+        check_include_file(blowfish.h HAVE_BLOWFISH)
+    endif()
+
     unset(CMAKE_REQUIRED_INCLUDES)
 
 endif (MBEDTLS_FOUND)
diff --git a/config.h.cmake b/config.h.cmake
index 391ee162..b4a44bc3 100644
--- a/config.h.cmake
+++ b/config.h.cmake
@@ -64,9 +64,6 @@
 /* Define to 1 if you have the <wspiapi.h> header file. */
 #cmakedefine HAVE_WSPIAPI_H 1
 
-/* Define to 1 if you have the <openssl/blowfish.h> header file. */
-#cmakedefine HAVE_OPENSSL_BLOWFISH_H 1
-
 /* Define to 1 if you have the <openssl/des.h> header file. */
 #cmakedefine HAVE_OPENSSL_DES_H 1
 
@@ -180,6 +177,9 @@
 /* Define to 1 if you have the `cmocka_set_test_filter' function. */
 #cmakedefine HAVE_CMOCKA_SET_TEST_FILTER 1
 
+/* Define to 1 if we have support for blowfish */
+#cmakedefine HAVE_BLOWFISH 1
+
 /*************************** LIBRARIES ***************************/
 
 /* Define to 1 if you have the `crypto' library (-lcrypto). */
diff --git a/include/libssh/crypto.h b/include/libssh/crypto.h
index 32016827..8dcf5408 100644
--- a/include/libssh/crypto.h
+++ b/include/libssh/crypto.h
@@ -86,9 +86,9 @@ enum ssh_key_exchange_e {
 
 enum ssh_cipher_e {
     SSH_NO_CIPHER=0,
-#ifdef WITH_BLOWFISH_CIPHER
+#ifdef HAVE_BLOWFISH
     SSH_BLOWFISH_CBC,
-#endif /* WITH_BLOWFISH_CIPHER */
+#endif /* HAVE_BLOWFISH */
     SSH_3DES_CBC,
     SSH_AES128_CBC,
     SSH_AES192_CBC,
diff --git a/src/kex.c b/src/kex.c
index b071d5ea..9dccb898 100644
--- a/src/kex.c
+++ b/src/kex.c
@@ -46,12 +46,8 @@
 #include "libssh/bignum.h"
 #include "libssh/token.h"
 
-#ifdef WITH_BLOWFISH_CIPHER
-# if defined(HAVE_OPENSSL_BLOWFISH_H) || defined(HAVE_LIBGCRYPT) || defined(HAVE_LIBMBEDCRYPTO)
-#  define BLOWFISH ",blowfish-cbc"
-# else
-#  define BLOWFISH ""
-# endif
+#ifdef HAVE_BLOWFISH
+# define BLOWFISH ",blowfish-cbc"
 #else
 # define BLOWFISH ""
 #endif
diff --git a/src/libcrypto.c b/src/libcrypto.c
index 33834dbd..e69f3194 100644
--- a/src/libcrypto.c
+++ b/src/libcrypto.c
@@ -397,12 +397,12 @@ static void evp_cipher_init(struct ssh_cipher_struct *cipher)
     case SSH_3DES_CBC:
         cipher->cipher = EVP_des_ede3_cbc();
         break;
-#ifdef WITH_BLOWFISH_CIPHER
+#ifdef HAVE_BLOWFISH
     case SSH_BLOWFISH_CBC:
         cipher->cipher = EVP_bf_cbc();
         break;
         /* ciphers not using EVP */
-#endif /* WITH_BLOWFISH_CIPHER */
+#endif /* HAVE_BLOWFISH */
     case SSH_AEAD_CHACHA20_POLY1305:
         SSH_LOG(SSH_LOG_TRACE, "The ChaCha cipher cannot be handled here");
         break;
@@ -1163,7 +1163,7 @@ none_crypt(UNUSED_PARAM(struct ssh_cipher_struct *cipher),
  * The table of supported ciphers
  */
 static struct ssh_cipher_struct ssh_ciphertab[] = {
-#ifdef WITH_BLOWFISH_CIPHER
+#ifdef HAVE_BLOWFISH
   {
     .name = "blowfish-cbc",
     .blocksize = 8,
@@ -1175,7 +1175,7 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
     .decrypt = evp_cipher_decrypt,
     .cleanup = evp_cipher_cleanup
   },
-#endif /* WITH_BLOWFISH_CIPHER */
+#endif /* HAVE_BLOWFISH */
 #ifdef HAS_AES
   {
     .name = "aes128-ctr",
diff --git a/src/libgcrypt.c b/src/libgcrypt.c
index 4feda00c..195bb755 100644
--- a/src/libgcrypt.c
+++ b/src/libgcrypt.c
@@ -116,7 +116,7 @@ int hmac_final(HMACCTX c, unsigned char *hashmacbuf, size_t *len) {
   return 1;
 }
 
-#ifdef WITH_BLOWFISH_CIPHER
+#ifdef HAVE_BLOWFISH
 /* the wrapper functions for blowfish */
 static int blowfish_set_key(struct ssh_cipher_struct *cipher, void *key, void *IV){
   if (cipher->key == NULL) {
@@ -153,7 +153,7 @@ static void blowfish_decrypt(struct ssh_cipher_struct *cipher, void *in,
     void *out, size_t len) {
   gcry_cipher_decrypt(cipher->key[0], out, len, in, len);
 }
-#endif /* WITH_BLOWFISH_CIPHER */
+#endif /* HAVE_BLOWFISH */
 
 static int aes_set_key(struct ssh_cipher_struct *cipher, void *key, void *IV) {
   int mode=GCRY_CIPHER_MODE_CBC;
@@ -732,7 +732,7 @@ none_crypt(UNUSED_PARAM(struct ssh_cipher_struct *cipher),
 
 /* the table of supported ciphers */
 static struct ssh_cipher_struct ssh_ciphertab[] = {
-#ifdef WITH_BLOWFISH_CIPHER
+#ifdef HAVE_BLOWFISH
   {
     .name            = "blowfish-cbc",
     .blocksize       = 8,
@@ -744,7 +744,7 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
     .encrypt     = blowfish_encrypt,
     .decrypt     = blowfish_decrypt
   },
-#endif /* WITH_BLOWFISH_CIPHER */
+#endif /* HAVE_BLOWFISH */
   {
     .name            = "aes128-ctr",
     .blocksize       = 16,
diff --git a/src/libmbedcrypto.c b/src/libmbedcrypto.c
index 8fb36e53..c05f5b28 100644
--- a/src/libmbedcrypto.c
+++ b/src/libmbedcrypto.c
@@ -898,7 +898,7 @@ none_crypt(UNUSED_PARAM(struct ssh_cipher_struct *cipher),
 #endif /* WITH_INSECURE_NONE */
 
 static struct ssh_cipher_struct ssh_ciphertab[] = {
-#ifdef WITH_BLOWFISH_CIPHER
+#ifdef HAVE_BLOWFISH
     {
         .name = "blowfish-cbc",
         .blocksize = 8,
@@ -910,7 +910,7 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
         .decrypt = cipher_decrypt_cbc,
         .cleanup = cipher_cleanup
     },
-#endif /* WITH_BLOWFISH_CIPHER */
+#endif /* HAVE_BLOWFISH */
     {
         .name = "aes128-ctr",
         .blocksize = 16,
diff --git a/tests/client/torture_algorithms.c b/tests/client/torture_algorithms.c
index 60354f9b..d1190605 100644
--- a/tests/client/torture_algorithms.c
+++ b/tests/client/torture_algorithms.c
@@ -496,7 +496,7 @@ static void torture_algorithms_3des_cbc_hmac_sha2_512_etm(void **state) {
     test_algorithm(s->ssh.session, NULL/*kex*/, "3des-cbc", "hmac-sha2-512-etm@openssh.com");
 }
 
-#if defined(WITH_BLOWFISH_CIPHER) && defined(OPENSSH_BLOWFISH_CBC)
+#if defined(HAVE_BLOWFISH) && defined(OPENSSH_BLOWFISH_CBC)
 static void torture_algorithms_blowfish_cbc_hmac_sha1(void **state) {
     struct torture_state *s = *state;
 
@@ -556,7 +556,7 @@ static void torture_algorithms_blowfish_cbc_hmac_sha2_512_etm(void **state) {
 
     test_algorithm(s->ssh.session, NULL/*kex*/, "blowfish-cbc", "hmac-sha2-512-etm@openssh.com");
 }
-#endif /* WITH_BLOWFISH_CIPHER */
+#endif /* HAVE_BLOWFISH && defined(OPENSSH_BLOWFISH_CBC) */
 
 #ifdef OPENSSH_CHACHA20_POLY1305_OPENSSH_COM
 static void torture_algorithms_chacha20_poly1305(void **state)
@@ -921,7 +921,7 @@ int torture_run_tests(void) {
         cmocka_unit_test_setup_teardown(torture_algorithms_3des_cbc_hmac_sha2_512_etm,
                                         session_setup,
                                         session_teardown),
-#if defined(WITH_BLOWFISH_CIPHER) && defined(OPENSSH_BLOWFISH_CBC)
+#if defined(HAVE_BLOWFISH) && defined(OPENSSH_BLOWFISH_CBC)
         cmocka_unit_test_setup_teardown(torture_algorithms_blowfish_cbc_hmac_sha1,
                                         session_setup,
                                         session_teardown),
@@ -940,7 +940,7 @@ int torture_run_tests(void) {
         cmocka_unit_test_setup_teardown(torture_algorithms_blowfish_cbc_hmac_sha2_512_etm,
                                         session_setup,
                                         session_teardown),
-#endif /* WITH_BLOWFISH_CIPHER */
+#endif /* HAVE_BLOWFISH_CIPHER && defined(OPENSSH_BLOWFISH_CBC) */
 #ifdef OPENSSH_CHACHA20_POLY1305_OPENSSH_COM
         cmocka_unit_test_setup_teardown(torture_algorithms_chacha20_poly1305,
                                         session_setup,