Since the changes to the DH implementations that were merged with
30faf04e92dc ("Merge branch 'multi-ke-backport'"), most implementations
don't support deriving different shared secrets for the same private key
by calling set_public_key() with another public key anymore (some prevent
it explicitly, but reusing DH private keys is not something we want to
support anyway). So we can't reuse the DH object on one side for every
round.
Ubuntu 22.04 ships OpenSSL 3, which requires debug symbols so we can
whitelist leaks because we don't deinitialize the library. And because
the shipped library is not built with `-fno-omit-frame-pointer`, the
build with AddressSanitizer can't use its fast stack unwind method.
However, the previous workaround for DTLS handling with glibc apparently
isn't necessary anymore.
In the custom OpenSSL build we drop no-stdio as that lets the configure
check for libldns fail because ERR_print_errors_fp@OPENSSL_3.0.0 is not
found.
For ccache, the default path to the cache directory has changed.
Also simplified the NM tests as there is only one build since
085daf474330 ("nm: Remove old libnm-glib compat stuff").
This avoids a conflicts as mysql80-client has a dependency on either
openldap24-client (FreeBSD 12) or openldap26-client (FreeBSD 13) so e.g.
installing openldap24-client on FreeBSD 13 causes
openldap26-client-2.6.3 conflicts with openldap24-client-2.4.59_4 on /usr/local/bin/ldapadd
Similarly, when installing openldap26-client on FreeBSD 12. So just let
the mysql80-client package decide which version is installed.
If e.g. the hmac plugin is loaded before the third-party crypto lib
plugin, we might not use the latter's HMAC implementation in some
cases (e.g. in the libtls tests).
At least for the tests where it is available and works. It conflicts
with the instrumentation used by the coverage and fuzzing (and possibly
sonarcloud) tests, the toolchain for the Windows builds doesn't seem to
support it, and on FreeBSD the test executables hang due to a
compatibility issue with FreeBSD's qsort(), which has been fixed [1],
but that has not made it into the clang version in the base system.
For the custom OpenSSL build, debug symbols are enabled so we can
suppress some leaks properly.
[1] https://github.com/llvm/llvm-project/issues/46176
In order for libtls to run with the gcrypt libraryi, additionally the
random, pem, gcm, hmac, kdf, x509, constraints, and the curve2519
plugins are needed.
The botan library additionally need the hmac (for HMAC_MD5), x509 and
constraints plugins.
The wolfssl library additionally need the pkcs1, pkcs8, x509 and constraints
plugins.
Setting -Werror in CFLAGS passed to configure is not ideal as that affects
all the checks performed by the script.
This caused an issue with newer versions of Autoconf and the AC_PROG_LEX
macro that insisted on finding a lexer library. But due to warnings from
the generated test lexer (misleading indentation) that got turned into
errors no library was found (none would have been necessary), so LEX was
not set and no lexers were built.
With this option enabled, we add -Werror to CFLAGS after all tests ran.
It also enables additional warnings via -Wextra.
The option is auto-enabled when building from the repository.
The 5.4.0 update changed the default bignum implementation to what
could explicitly be enabled via `--enable-sp-math-all`. Since this uses
fixed-sized buffers sufficient for key sizes of SP_INT_BITS, with a default
of 4096, modp6144 and modp8192 didn't work anymore (wc_DhGenerateKeyPair()
returned MP_EXPTMOD_E). So we have to adapt the feature checks for this.
To support the larger DH groups we can either increase the buffer size
via `--with-max-rsa-bits` or add `--enable-heapmath` so buffers get
(re-)allocated as needed. We go with the latter for now.
mallinfo() is deprecated because it uses `int` for the members of the
returned struct, whereas mallinfo2() uses `size_t`. It's available
since glibc 2.33.
The "openssl" alias now defaults to OpenSSL 3.0, which produces a lot of
deprecation warnings. To avoid build failures due to `-Werror`, stay with
OpenSSL 1.1 until we can get rid of these issues.
Use the same configure options etc. for both builds (no need for the cert
options as we don't use TLS or X.509 parsing) and switch to a Git commit
that includes the SHA-3 OID fix (it's actually the fix itself).
On 18.04, setuptools was apparently pulled in by python-pip but is not
by python3-pip and on Ubuntu 16.04 there is an issue with tox when
installed via pip3 (syntax error in one of the dependencies) and with
pip that dependency is not even available.
