
Configure check for MD5_Init instead of DES_cbc_encrypt

Open justsmth opened this issue 2 years ago • 3 comments

With this configure-script patch, tcpdump successfully builds and (with a few other small changes) tests pass using AWS-LC as the libcrypto.

  • Related PR for AWS-LC is here: #1351
  • AWS-LC doesn't have a DES_cbc_encrypt function, but it supports the ciphers required for ESP in the tests.
  • MD5_Init appears to be supported by other libcrypto implementations (e.g., OpenSSL and LibreSSL).

justsmth avatar Dec 08 '23 19:12 justsmth

Thank you for bringing this up. The CMake leg of the build process tests for EVP_CIPHER_CTX_new() and EVP_DecryptInit_ex(), which are what print-esp.c uses. Perhaps it would make more sense to test for the same in the Autoconf leg.

Have you tried whether CMake tcpdump build works correctly with AWS-LC? (The simplest way to test for that should be running CMAKE=yes CRYPTO=yes ./build.sh and checking for Found CRYPTO in the output.)

infrastation avatar Dec 08 '23 20:12 infrastation

> Thank you for bringing this up. The CMake leg of the build process tests for EVP_CIPHER_CTX_new() and EVP_DecryptInit_ex(), which are what print-esp.c uses. Perhaps it would make more sense to test for the same in the Autoconf leg.

On line 894 (right after this) it does a check for EVP_CIPHER_CTX_new and EVP_DecryptInit_ex. So I think the DES_cbc_encrypt (or AES_cbc_encrypt) check can be removed. I'll update this PR.

> Have you tried whether CMake tcpdump build works correctly with AWS-LC? (The simplest way to test for that should be running CMAKE=yes CRYPTO=yes ./build.sh and checking for Found CRYPTO in the output.)

Yeah, I was able to build/test tcpdump against AWS-LC with CMake. I first built/installed AWS-LC into a directory. Then I set CMAKE_PREFIX_PATH to that directory when setting up the tcpdump build:

cmake -DCMAKE_BUILD_TYPE=Debug -DCMAKE_PREFIX_PATH=/home/justsmth/tcpdump-testing/aws-lc-install/ -S /home/justsmth/tcpdump-testing/tcpdump -B /home/justsmth/tcpdump-testing/tcpdump-build

justsmth avatar Dec 11 '23 13:12 justsmth

I checked in the code where HAVE_LIBCRYPTO is used and found that signature.c requires MD5_Init when HAVE_LIBCRYPTO is defined; this is also the case in print-tcp.c. So I switched this to checking for MD5_Init.

justsmth avatar Dec 11 '23 14:12 justsmth
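
The mismatch discussed above (the configure script probing for a symbol the code never calls, while calls made under HAVE_LIBCRYPTO go unprobed) can be audited mechanically. The following is an added example, not code from tcpdump or from this thread; the source snippets are constructed stand-ins, and the names `guarded_calls`, `audit` and the symbol regex are assumptions made for illustration.

```python
import re

# Constructed stand-ins for guarded code; NOT tcpdump's real sources.
SOURCES = {
    "signature.c": """\
#ifdef HAVE_LIBCRYPTO
#include <openssl/md5.h>
static void digest(void) { MD5_CTX c; MD5_Init(&c); }
#endif
""",
    "print-esp.c": """\
#ifdef HAVE_LIBCRYPTO
static void dec(void) { ctx = EVP_CIPHER_CTX_new(); EVP_DecryptInit_ex(ctx, 0, 0, 0, 0); }
#else
static void dec(void) { }
#endif
""",
}

GUARD = "HAVE_LIBCRYPTO"
# Assumed naming pattern for libcrypto entry points of interest.
CALL = re.compile(r"\b((?:MD5|DES|AES|EVP)_\w+)\s*\(")

def guarded_calls(text):
    """Calls made while an #if/#ifdef on GUARD is active.
    Simplification: negated forms such as '#if !defined(...)' are not parsed."""
    stack, found = [], set()  # entry: True/False if the region tests GUARD, else None
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("#if"):
            stack.append((not s.startswith("#ifndef")) if GUARD in s else None)
        elif s.startswith("#else"):
            if stack and stack[-1] is not None:
                stack[-1] = not stack[-1]
        elif s.startswith("#elif"):
            if stack:
                stack[-1] = None
        elif s.startswith("#endif"):
            if stack:
                stack.pop()
        elif any(stack):
            found.update(CALL.findall(line))
    return found

def audit(sources, probed):
    """Compare the symbols configure probes with the symbols the guarded code needs."""
    used = set().union(*(guarded_calls(t) for t in sources.values()))
    probed = set(probed)
    return {"unprobed": sorted(used - probed), "unused_probe": sorted(probed - used)}
```

With the constructed sources, `audit(SOURCES, ["DES_cbc_encrypt"])` reports the DES probe as unused and the EVP and MD5 calls as unprobed.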

Resolving this in favor of a more recent/better proposal in #1174

justsmth avatar Apr 10 '24 12:04 justsmth