Detect blowfish in mbedtls and skip it if not found

Signed-off-by: Jakub Jelen <jjelen@redhat.com>
Reviewed-by: Sahana Prasad <sahana@redhat.com>

CMakeLists.txt

@@ -229,7 +229,7 @@ message(STATUS "Pcap debugging support : ${WITH_PCAP}")
 message(STATUS "Build shared library: ${BUILD_SHARED_LIBS}")
 message(STATUS "Unit testing: ${UNIT_TESTING}")
 message(STATUS "Client code testing: ${CLIENT_TESTING}")
-message(STATUS "Blowfish cipher support: ${WITH_BLOWFISH_CIPHER}")
+message(STATUS "Blowfish cipher support: ${HAVE_BLOWFISH}")
 message(STATUS "PKCS #11 URI support: ${WITH_PKCS11_URI}")
 message(STATUS "With PKCS #11 provider support: ${WITH_PKCS11_PROVIDER}")
 set(_SERVER_TESTING OFF)

ConfigureChecks.cmake

@@ -90,7 +90,7 @@ if (OPENSSL_FOUND)
     endif()
 
     if (WITH_BLOWFISH_CIPHER)
-        check_include_file(openssl/blowfish.h HAVE_OPENSSL_BLOWFISH_H)
+        check_include_file(openssl/blowfish.h HAVE_BLOWFISH)
     endif()
 
     check_include_file(openssl/ecdh.h HAVE_OPENSSL_ECDH_H)
@@ -235,6 +235,10 @@ if (MBEDTLS_FOUND)
     set(CMAKE_REQUIRED_INCLUDES "${MBEDTLS_INCLUDE_DIR}/mbedtls")
     check_include_file(chacha20.h HAVE_MBEDTLS_CHACHA20_H)
     check_include_file(poly1305.h HAVE_MBEDTLS_POLY1305_H)
+    if (WITH_BLOWFISH_CIPHER)
+        check_include_file(blowfish.h HAVE_BLOWFISH)
+    endif()
+
     unset(CMAKE_REQUIRED_INCLUDES)
 
 endif (MBEDTLS_FOUND)

config.h.cmake

@@ -64,9 +64,6 @@
 /* Define to 1 if you have the <wspiapi.h> header file. */
 #cmakedefine HAVE_WSPIAPI_H 1
 
-/* Define to 1 if you have the <openssl/blowfish.h> header file. */
-#cmakedefine HAVE_OPENSSL_BLOWFISH_H 1
-
 /* Define to 1 if you have the <openssl/des.h> header file. */
 #cmakedefine HAVE_OPENSSL_DES_H 1
 
@@ -180,6 +177,9 @@
 /* Define to 1 if you have the `cmocka_set_test_filter' function. */
 #cmakedefine HAVE_CMOCKA_SET_TEST_FILTER 1
 
+/* Define to 1 if we have support for blowfish */
+#cmakedefine HAVE_BLOWFISH 1
+
 /*************************** LIBRARIES ***************************/
 
 /* Define to 1 if you have the `crypto' library (-lcrypto). */

include/libssh/crypto.h

@@ -86,9 +86,9 @@ enum ssh_key_exchange_e {
 
 enum ssh_cipher_e {
     SSH_NO_CIPHER=0,
-#ifdef WITH_BLOWFISH_CIPHER
+#ifdef HAVE_BLOWFISH
     SSH_BLOWFISH_CBC,
-#endif /* WITH_BLOWFISH_CIPHER */
+#endif /* HAVE_BLOWFISH */
     SSH_3DES_CBC,
     SSH_AES128_CBC,
     SSH_AES192_CBC,

src/kex.c

@@ -46,12 +46,8 @@
 #include "libssh/bignum.h"
 #include "libssh/token.h"
 
-#ifdef WITH_BLOWFISH_CIPHER
+#ifdef HAVE_BLOWFISH
-# if defined(HAVE_OPENSSL_BLOWFISH_H) || defined(HAVE_LIBGCRYPT) || defined(HAVE_LIBMBEDCRYPTO)
+# define BLOWFISH ",blowfish-cbc"
-#  define BLOWFISH ",blowfish-cbc"
-# else
-#  define BLOWFISH ""
-# endif
 #else
 # define BLOWFISH ""
 #endif

src/libcrypto.c

@@ -397,12 +397,12 @@ static void evp_cipher_init(struct ssh_cipher_struct *cipher)
     case SSH_3DES_CBC:
         cipher->cipher = EVP_des_ede3_cbc();
         break;
-#ifdef WITH_BLOWFISH_CIPHER
+#ifdef HAVE_BLOWFISH
     case SSH_BLOWFISH_CBC:
         cipher->cipher = EVP_bf_cbc();
         break;
         /* ciphers not using EVP */
-#endif /* WITH_BLOWFISH_CIPHER */
+#endif /* HAVE_BLOWFISH */
     case SSH_AEAD_CHACHA20_POLY1305:
         SSH_LOG(SSH_LOG_TRACE, "The ChaCha cipher cannot be handled here");
         break;
@@ -1163,7 +1163,7 @@ none_crypt(UNUSED_PARAM(struct ssh_cipher_struct *cipher),
  * The table of supported ciphers
  */
 static struct ssh_cipher_struct ssh_ciphertab[] = {
-#ifdef WITH_BLOWFISH_CIPHER
+#ifdef HAVE_BLOWFISH
   {
     .name = "blowfish-cbc",
     .blocksize = 8,
@@ -1175,7 +1175,7 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
     .decrypt = evp_cipher_decrypt,
     .cleanup = evp_cipher_cleanup
   },
-#endif /* WITH_BLOWFISH_CIPHER */
+#endif /* HAVE_BLOWFISH */
 #ifdef HAS_AES
   {
     .name = "aes128-ctr",

src/libgcrypt.c

@@ -116,7 +116,7 @@ int hmac_final(HMACCTX c, unsigned char *hashmacbuf, size_t *len) {
   return 1;
 }
 
-#ifdef WITH_BLOWFISH_CIPHER
+#ifdef HAVE_BLOWFISH
 /* the wrapper functions for blowfish */
 static int blowfish_set_key(struct ssh_cipher_struct *cipher, void *key, void *IV){
   if (cipher->key == NULL) {
@@ -153,7 +153,7 @@ static void blowfish_decrypt(struct ssh_cipher_struct *cipher, void *in,
     void *out, size_t len) {
   gcry_cipher_decrypt(cipher->key[0], out, len, in, len);
 }
-#endif /* WITH_BLOWFISH_CIPHER */
+#endif /* HAVE_BLOWFISH */
 
 static int aes_set_key(struct ssh_cipher_struct *cipher, void *key, void *IV) {
   int mode=GCRY_CIPHER_MODE_CBC;
@@ -732,7 +732,7 @@ none_crypt(UNUSED_PARAM(struct ssh_cipher_struct *cipher),
 
 /* the table of supported ciphers */
 static struct ssh_cipher_struct ssh_ciphertab[] = {
-#ifdef WITH_BLOWFISH_CIPHER
+#ifdef HAVE_BLOWFISH
   {
     .name            = "blowfish-cbc",
     .blocksize       = 8,
@@ -744,7 +744,7 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
     .encrypt     = blowfish_encrypt,
     .decrypt     = blowfish_decrypt
   },
-#endif /* WITH_BLOWFISH_CIPHER */
+#endif /* HAVE_BLOWFISH */
   {
     .name            = "aes128-ctr",
     .blocksize       = 16,

src/libmbedcrypto.c

@@ -898,7 +898,7 @@ none_crypt(UNUSED_PARAM(struct ssh_cipher_struct *cipher),
 #endif /* WITH_INSECURE_NONE */
 
 static struct ssh_cipher_struct ssh_ciphertab[] = {
-#ifdef WITH_BLOWFISH_CIPHER
+#ifdef HAVE_BLOWFISH
     {
         .name = "blowfish-cbc",
         .blocksize = 8,
@@ -910,7 +910,7 @@ static struct ssh_cipher_struct ssh_ciphertab[] = {
         .decrypt = cipher_decrypt_cbc,
         .cleanup = cipher_cleanup
     },
-#endif /* WITH_BLOWFISH_CIPHER */
+#endif /* HAVE_BLOWFISH */
     {
         .name = "aes128-ctr",
         .blocksize = 16,

tests/client/torture_algorithms.c

@@ -496,7 +496,7 @@ static void torture_algorithms_3des_cbc_hmac_sha2_512_etm(void **state) {
     test_algorithm(s->ssh.session, NULL/*kex*/, "3des-cbc", "hmac-sha2-512-etm@openssh.com");
 }
 
-#if defined(WITH_BLOWFISH_CIPHER) && defined(OPENSSH_BLOWFISH_CBC)
+#if defined(HAVE_BLOWFISH) && defined(OPENSSH_BLOWFISH_CBC)
 static void torture_algorithms_blowfish_cbc_hmac_sha1(void **state) {
     struct torture_state *s = *state;
 
@@ -556,7 +556,7 @@ static void torture_algorithms_blowfish_cbc_hmac_sha2_512_etm(void **state) {
 
     test_algorithm(s->ssh.session, NULL/*kex*/, "blowfish-cbc", "hmac-sha2-512-etm@openssh.com");
 }
-#endif /* WITH_BLOWFISH_CIPHER */
+#endif /* HAVE_BLOWFISH && defined(OPENSSH_BLOWFISH_CBC) */
 
 #ifdef OPENSSH_CHACHA20_POLY1305_OPENSSH_COM
 static void torture_algorithms_chacha20_poly1305(void **state)
@@ -921,7 +921,7 @@ int torture_run_tests(void) {
         cmocka_unit_test_setup_teardown(torture_algorithms_3des_cbc_hmac_sha2_512_etm,
                                         session_setup,
                                         session_teardown),
-#if defined(WITH_BLOWFISH_CIPHER) && defined(OPENSSH_BLOWFISH_CBC)
+#if defined(HAVE_BLOWFISH) && defined(OPENSSH_BLOWFISH_CBC)
         cmocka_unit_test_setup_teardown(torture_algorithms_blowfish_cbc_hmac_sha1,
                                         session_setup,
                                         session_teardown),
@@ -940,7 +940,7 @@ int torture_run_tests(void) {
         cmocka_unit_test_setup_teardown(torture_algorithms_blowfish_cbc_hmac_sha2_512_etm,
                                         session_setup,
                                         session_teardown),
-#endif /* WITH_BLOWFISH_CIPHER */
+#endif /* HAVE_BLOWFISH_CIPHER && defined(OPENSSH_BLOWFISH_CBC) */
 #ifdef OPENSSH_CHACHA20_POLY1305_OPENSSH_COM
         cmocka_unit_test_setup_teardown(torture_algorithms_chacha20_poly1305,
                                         session_setup,