Make Libgcrypt a mandatory dependency

Removed all guards for HAVE_LIBGCRYPT, change autotools and CMake to
error out if it is not available. Update release notes, developer
documentation and README with the new status. Clarify relation with
GnuTLS in macosx-setup.sh. Install Libgcrypt via brew script.

Motivation for this change is that many dissectors depend on Libgcrypt
and having it optional increases the maintenance burden (there have been
several compile issues in the past due to the optional status).
Furthermore, wsutil has crypto code that can be replaced by Libgcrypt.

Change-Id: Idf0021b8c4cd5db70b8766f7dcc2a8b3acbf042f
Link: https://www.wireshark.org/lists/wireshark-dev/201702/msg00011.html
Reviewed-on: https://code.wireshark.org/review/20030
Petri-Dish: Peter Wu <peter@lekensteyn.nl>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Pascal Quantin <pascal.quantin@gmail.com>
Reviewed-by: Peter Wu <peter@lekensteyn.nl>

1 files changed, 13 insertions, 102 deletions

diff --git a/epan/dissectors/packet-ssl-utils.c b/epan/dissectors/packet-ssl-utils.c
index 1f2aeef216..28b49aaa61 100644
--- a/epan/dissectors/packet-ssl-utils.c
+++ b/epan/dissectors/packet-ssl-utils.c
@@ -54,7 +54,7 @@
 #include "packet-ssl-utils.h"
 #include "packet-ssl.h"
 #include "packet-dtls.h"
-#if defined(HAVE_LIBGNUTLS) && defined(HAVE_LIBGCRYPT)
+#if defined(HAVE_LIBGNUTLS)
 #include <gnutls/abstract.h>
 #endif
 #if GCRYPT_VERSION_NUMBER >= 0x010600 /* 1.6.0 */
@@ -1633,7 +1633,6 @@ ssl_data_set(StringInfo* str, const guchar* data, guint len)
     str->data_len = len;
 }
 
-#ifdef HAVE_LIBGCRYPT
 static gint
 ssl_data_realloc(StringInfo* str, guint len)
 {
@@ -1666,7 +1665,6 @@ ssl_data_copy(StringInfo* dst, StringInfo* src)
     dst->data_len = src->data_len;
     return 0;
 }
-#endif
 
 /* from_hex converts |hex_len| bytes of hex data from |in| and sets |*out| to
  * the result. |out->data| will be allocated using wmem_file_scope. Returns TRUE on
@@ -1691,8 +1689,6 @@ static gboolean from_hex(StringInfo* out, const char* in, gsize hex_len) {
 /* StringInfo structure (len + data) functions }}} */
 
 
-#ifdef HAVE_LIBGCRYPT
-
 /* libgcrypt wrappers for HMAC/message digest operations {{{ */
 /* hmac abstraction layer */
 #define SSL_HMAC gcry_md_hd_t
@@ -2019,18 +2015,6 @@ out:
 } /* }}} */
 #endif /* HAVE_LIBGNUTLS */
 
-#else /* ! HAVE_LIBGCRYPT */
-
-gint
-ssl_cipher_setiv(SSL_CIPHER_CTX *cipher _U_, guchar* iv _U_, gint iv_len _U_)
-{
-    ssl_debug_printf("ssl_cipher_setiv: impossible without gnutls.\n");
-    return 0;
-}
-#endif /* ! HAVE_LIBGCRYPT */
-
-
-#ifdef HAVE_LIBGCRYPT /* Save space if decryption is not enabled. */
 
 /* Digests, Ciphers and Cipher Suites registry {{{ */
 static const SslDigestAlgo digests[]={
@@ -2381,27 +2365,10 @@ ssl_get_cipher_export_keymat_size(int cipher_suite_num)
         return 0;
     }
 }
-#else /* ! HAVE_LIBGCRYPT */
-const SslCipherSuite *
-ssl_find_cipher(int num)
-{
-    ssl_debug_printf("ssl_find_cipher: dummy without gnutls. num %d\n",
-        num);
-    return NULL;
-}
-
-guint
-ssl_get_cipher_blocksize(const SslCipherSuite *cipher_suite _U_)
-{
-    return 0;
-}
-#endif /* ! HAVE_LIBGCRYPT */
 
 /* Digests, Ciphers and Cipher Suites registry }}} */
 
 
-#ifdef HAVE_LIBGCRYPT
-
 /* HMAC and the Pseudorandom function {{{ */
 static void
 tls_hash(StringInfo *secret, StringInfo *seed, gint md,
@@ -2760,45 +2727,6 @@ tls13_hkdf_expand_label(int md, const StringInfo *secret, const char *label, con
 }
 /* HMAC and the Pseudorandom function }}} */
 
-#else /* ! HAVE_LIBGCRYPT */
-/* Stub code when decryption support is not available. {{{ */
-gboolean
-ssl_generate_pre_master_secret(SslDecryptSession *ssl_session _U_,
-        guint32 length _U_, tvbuff_t *tvb _U_, guint32 offset _U_,
-        const gchar *ssl_psk _U_, const ssl_master_key_map_t *mk_map _U_)
-{
-    ssl_debug_printf("%s: impossible without gnutls.\n", G_STRFUNC);
-    return FALSE;
-}
-int
-ssl_generate_keyring_material(SslDecryptSession*ssl)
-{
-    ssl_debug_printf("ssl_generate_keyring_material: impossible without gnutls. ssl %p\n",
-        ssl);
-    /* We cannot determine whether the cipher suite is valid. Fail such that
-     * ssl_set_master_secret bails out. */
-    return -1;
-}
-void
-ssl_change_cipher(SslDecryptSession *ssl_session, gboolean server)
-{
-    ssl_debug_printf("ssl_change_cipher %s: makes no sense without gnutls. ssl %p\n",
-        (server)?"SERVER":"CLIENT", ssl_session);
-}
-
-int
-ssl_decrypt_record(SslDecryptSession *ssl, SslDecoder *decoder, guint8 ct, guint16 record_version,
-        const guchar *in, guint16 inl, StringInfo *comp_str _U_, StringInfo *out_str, guint *outl)
-{
-    ssl_debug_printf("ssl_decrypt_record: impossible without gnutls. ssl %p"
-        "decoder %p ct %d version %d in %p inl %d out %p outl %p\n", ssl, decoder, ct,
-        record_version, in, inl, out_str, outl);
-    return 0;
-}
-/* }}} */
-#endif /* ! HAVE_LIBGCRYPT */
-
-#ifdef HAVE_LIBGCRYPT
 /* Record Decompression (after decryption) {{{ */
 #ifdef HAVE_ZLIB
 /* memory allocation functions for zlib initialization */
@@ -2893,9 +2821,7 @@ ssl_decompress_record(SslDecompress* decomp _U_, const guchar* in _U_, guint inl
 }
 #endif
 /* Record Decompression (after decryption) }}} */
-#endif /* HAVE_LIBGCRYPT */
 
-#ifdef HAVE_LIBGCRYPT
 /* Create a new structure to store decrypted chunks. {{{ */
 static SslFlow*
 ssl_create_flow(void)
@@ -4136,10 +4062,8 @@ skip_mac:
 }
 /* Record decryption glue based on security parameters }}} */
 
-#endif /* HAVE_LIBGCRYPT */
-
 
-#if defined(HAVE_LIBGNUTLS) && defined(HAVE_LIBGCRYPT)
+#if defined(HAVE_LIBGNUTLS)
 /* RSA private key file processing {{{ */
 #define RSA_PARS 6
 static gcry_sexp_t
@@ -4487,12 +4411,12 @@ end:
 
 /* RSA private key file processing }}} */
 
-#else /* ! (defined(HAVE_LIBGNUTLS) && defined(HAVE_LIBGCRYPT)) */
+#else /* ! defined(HAVE_LIBGNUTLS) */
 void
 ssl_private_key_free(gpointer key _U_)
 {
 }
-#endif /* ! (defined(HAVE_LIBGNUTLS) && defined(HAVE_LIBGCRYPT)) */
+#endif /* ! defined(HAVE_LIBGNUTLS) */
 
 
 /*--- Start of dissector-related code below ---*/
@@ -4562,7 +4486,7 @@ static void ssl_reset_session(SslSession *session, SslDecryptSession *ssl, gbool
             clear_flags |= SSL_SERVER_EXTENDED_MASTER_SECRET | SSL_NEW_SESSION_TICKET;
             ssl->server_random.data_len = 0;
             ssl->pre_master_secret.data_len = 0;
-#if defined(HAVE_LIBGNUTLS) && defined(HAVE_LIBGCRYPT)
+#if defined(HAVE_LIBGNUTLS)
             ssl->private_key = NULL;
 #endif
             ssl->psk.data_len = 0;
@@ -4893,7 +4817,7 @@ ssl_common_cleanup(ssl_master_key_map_t *mk_map, FILE **ssl_keylog_file,
 /* }}} */
 
 /* parse ssl related preferences (private keys and ports association strings) */
-#if defined(HAVE_LIBGNUTLS) && defined(HAVE_LIBGCRYPT)
+#if defined(HAVE_LIBGNUTLS)
 /* Load a single RSA key file item from preferences. {{{ */
 void
 ssl_parse_key_list(const ssldecrypt_assoc_t *uats, GHashTable *key_hash, const char* dissector_table_name, dissector_handle_t main_handle, gboolean tcp)
@@ -4979,7 +4903,6 @@ ssl_parse_key_list(const ssldecrypt_assoc_t *uats _U_, GHashTable *key_hash _U_,
 #endif
 
 
-#ifdef HAVE_LIBGCRYPT /* useless without decryption support. */
 /* Store/load a known (pre-)master secret from/for this SSL session. {{{ */
 /** store a known (pre-)master secret into cache */
 static void
@@ -5239,7 +5162,6 @@ tls13_key_update(SslDecryptSession *ssl, gboolean is_from_server)
     wmem_free(NULL, new_secret);
     tls13_generate_keys(ssl, app_secret, is_from_server);
 }
-#endif /* HAVE_LIBGCRYPT */
 
 /** SSL keylog file handling. {{{ */
 
@@ -5502,9 +5424,7 @@ ssl_set_debug(const gchar* name)
 #ifdef HAVE_LIBGNUTLS
     ssl_debug_printf("GnuTLS version:    %s\n", gnutls_check_version(NULL));
 #endif
-#ifdef HAVE_LIBGCRYPT
     ssl_debug_printf("Libgcrypt version: %s\n", gcry_check_version(NULL));
-#endif
     ssl_debug_printf("\n");
 }
 
@@ -5617,7 +5537,7 @@ ssldecrypt_uat_fld_fileopen_chk_cb(void* r _U_, const char* p, guint len _U_, co
 gboolean
 ssldecrypt_uat_fld_password_chk_cb(void *r _U_, const char *p _U_, guint len _U_, const void *u1 _U_, const void *u2 _U_, char **err)
 {
-#if defined(HAVE_LIBGNUTLS) && defined(HAVE_LIBGCRYPT)
+#if defined(HAVE_LIBGNUTLS)
     ssldecrypt_assoc_t*  f  = (ssldecrypt_assoc_t *)r;
     FILE                *fp = NULL;
 
@@ -6965,8 +6885,8 @@ ssl_dissect_hnd_srv_hello(ssl_common_dissect_t *hf, tvbuff_t *tvb,
 void
 ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_info *pinfo,
                                proto_tree *tree, guint32 offset, guint32 offset_end,
-                               const SslSession *session, SslDecryptSession *ssl _U_,
-                               GHashTable *session_hash _U_)
+                               const SslSession *session, SslDecryptSession *ssl,
+                               GHashTable *session_hash)
 {
     /* https://tools.ietf.org/html/rfc5077#section-3.3 (TLS >= 1.0):
      *  struct {
@@ -7013,7 +6933,6 @@ ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_i
     proto_tree_add_item(subtree, hf->hf.hs_session_ticket,
                         tvb, offset, ticket_len, ENC_NA);
     /* save the session ticket to cache for ssl_finalize_decryption */
-#ifdef HAVE_LIBGCRYPT
     if (ssl && !is_tls13) {
         tvb_ensure_bytes_exist(tvb, offset, ticket_len);
         ssl->session_ticket.data = (guchar*)wmem_realloc(wmem_file_scope(),
@@ -7029,7 +6948,6 @@ ssl_dissect_hnd_new_ses_ticket(ssl_common_dissect_t *hf, tvbuff_t *tvb, packet_i
                             &ssl->session_ticket, &ssl->master_secret);
         ssl->state |= SSL_NEW_SESSION_TICKET;
     }
-#endif
     offset += ticket_len;
 
     if (is_tls13) {
@@ -7116,7 +7034,7 @@ ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
      */
     enum { CERT_X509, CERT_RPK } cert_type;
     asn1_ctx_t  asn1_ctx;
-#if defined(HAVE_LIBGNUTLS) && defined(HAVE_LIBGCRYPT)
+#if defined(HAVE_LIBGNUTLS)
     gnutls_datum_t subjectPublicKeyInfo = { NULL, 0 };
 #endif
     guint32 next_offset;
@@ -7130,7 +7048,7 @@ ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
         cert_type = CERT_X509;
     }
 
-#if defined(HAVE_LIBGNUTLS) && defined(HAVE_LIBGCRYPT)
+#if defined(HAVE_LIBGNUTLS)
     /* Ask the pkcs1 dissector to return the public key details */
     if (ssl)
         asn1_ctx.private_data = &subjectPublicKeyInfo;
@@ -7201,7 +7119,7 @@ ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
                     offset += 3;
 
                     dissect_x509af_Certificate(FALSE, tvb, offset, &asn1_ctx, subtree, hf->hf.hs_certificate);
-#if defined(HAVE_LIBGNUTLS) && defined(HAVE_LIBGCRYPT)
+#if defined(HAVE_LIBGNUTLS)
                     /* Only attempt to get the RSA modulus for the first cert. */
                     asn1_ctx.private_data = NULL;
 #endif
@@ -7227,7 +7145,7 @@ ssl_dissect_hnd_cert(ssl_common_dissect_t *hf, tvbuff_t *tvb, proto_tree *tree,
         }
     }
 
-#if defined(HAVE_LIBGNUTLS) && defined(HAVE_LIBGCRYPT)
+#if defined(HAVE_LIBGNUTLS)
     if (is_from_server && ssl)
         ssl_find_private_key_by_pubkey(ssl, key_hash, &subjectPublicKeyInfo);
 #endif
@@ -8142,7 +8060,6 @@ tls13_dissect_hnd_key_update(ssl_common_dissect_t *hf, tvbuff_t *tvb,
     proto_tree_add_item(tree, hf->hf.hs_key_update_request_update, tvb, offset, 1, ENC_NA);
 }
 
-#ifdef HAVE_LIBGCRYPT
 void
 ssl_common_register_options(module_t *module, ssl_common_options_t *options)
 {
@@ -8169,12 +8086,6 @@ ssl_common_register_options(module_t *module, ssl_common_options_t *options)
              "(All fields are in hex notation)",
              &(options->keylog_filename));
 }
-#else
-void
-ssl_common_register_options(module_t *module _U_, ssl_common_options_t *options _U_)
-{
-}
-#endif
 
 void
 ssl_calculate_handshake_hash(SslDecryptSession *ssl_session, tvbuff_t *tvb, guint32 offset, guint32 length)