libgcrypt: Remove HAVE_GCRYPT_AEAD , _CHACHA20

Libgcrypt 1.8.0 is required now, so these are always defined.

epan/dissectors/packet-http3.c

@@ -45,7 +45,6 @@ static int hf_http3_priority_update_element_id = -1;
 static int hf_http3_priority_update_field_value = -1;
 
 static expert_field ei_http3_unknown_stream_type = EI_INIT;
-static expert_field ei_http3_data_not_decoded = EI_INIT;
 
 /* Initialize the subtree pointers */
 static gint ett_http3 = -1;
@@ -134,7 +133,6 @@ typedef struct _http3_stream_info {
     guint64 broken_from_offset;     /**< Unrecognized stream starting at offset (if non-zero). */
 } http3_stream_info;
 
-#ifdef HAVE_LIBGCRYPT_AEAD
 /**
  * Whether this is a reserved code point for Stream Type, Frame Type, Error
  * Code, etc.
@@ -144,7 +142,6 @@ http3_is_reserved_code(guint64 stream_type)
 {
     return (stream_type - 0x21) % 0x1f == 0;
 }
-#endif
 
 static gboolean
 try_get_quic_varint(tvbuff_t *tvb, int offset, guint64 *value, int *lenvar)
@@ -202,7 +199,6 @@ http3_check_frame_size(tvbuff_t *tvb, packet_info *pinfo, int offset)
     return FALSE;
 }
 
-#ifdef HAVE_LIBGCRYPT_AEAD
 /* Settings */
 static int
 dissect_http3_settings(tvbuff_t* tvb, packet_info* pinfo _U_, proto_tree* http3_tree, guint offset)
@@ -378,7 +374,6 @@ dissect_http3_uni_stream(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, in
 
     return offset;
 }
-#endif /* HAVE_LIBGCRYPT_AEAD */
 
 static int
 dissect_http3(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
@@ -387,9 +382,7 @@ dissect_http3(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
     proto_item *ti;
     proto_tree *http3_tree;
     int offset = 0;
-#ifdef HAVE_LIBGCRYPT_AEAD
     http3_stream_info *h3_stream;
-#endif /* HAVE_LIBGCRYPT_AEAD */
 
     if (!stream_info) {
         return 0;
@@ -420,7 +413,6 @@ dissect_http3(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
     ti = proto_tree_add_item(tree, proto_http3, tvb, 0, -1, ENC_NA);
     http3_tree = proto_item_add_subtree(ti, ett_http3);
 
-#ifdef HAVE_LIBGCRYPT_AEAD
     h3_stream = (http3_stream_info *)quic_stream_get_proto_data(pinfo, stream_info);
     if (!h3_stream) {
         h3_stream = wmem_new0(wmem_file_scope(), http3_stream_info);
@@ -456,10 +448,6 @@ dissect_http3(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
         }
         offset = dissect_http3_frame(tvb, pinfo, http3_tree, offset);
     }
-#else
-    proto_tree_add_expert_format(http3_tree, pinfo, &ei_http3_data_not_decoded, tvb, offset, 0,
-                                 "Data not decoded, missing LIBGCRYPT AEAD support");
-#endif
 
     return tvb_captured_length(tvb);
 }
@@ -557,10 +545,6 @@ proto_register_http3(void)
           { "http3.unknown_stream_type", PI_UNDECODED, PI_WARN,
             "An unknown stream type was encountered", EXPFILL }
         },
-        { &ei_http3_data_not_decoded,
-          { "http3.data_not_decoded", PI_UNDECODED, PI_WARN,
-            "Data not decoded", EXPFILL }
-        },
     };
 
     proto_http3 = proto_register_protocol("Hypertext Transfer Protocol Version 3", "HTTP3", "http3");

epan/dissectors/packet-ipsec.c

@@ -1765,12 +1765,8 @@ dissect_esp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
           esp_salt_len = 4;
           esp_encr_key_len -= esp_salt_len;
 
-#ifdef HAVE_LIBGCRYPT_AEAD
           crypt_mode_libgcrypt =
             (esp_encr_algo == IPSEC_ENCRYPT_AES_CTR) ? GCRY_CIPHER_MODE_CTR : GCRY_CIPHER_MODE_GCM;
-#else
-          crypt_mode_libgcrypt = GCRY_CIPHER_MODE_CTR;
-#endif
           switch(esp_encr_key_len * 8)
           {
           case 128:
@@ -2020,7 +2016,6 @@ dissect_esp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
           }
 
 
-#ifdef HAVE_LIBGCRYPT_AEAD
           if (g_esp_enable_authentication_check && icv_type == ICV_TYPE_AEAD) {
             /* Allocate buffer for ICV  */
             esp_icv = (guint8 *)tvb_memdup(wmem_packet_scope(), tvb, esp_packet_len - esp_icv_len, esp_icv_len);
@@ -2033,7 +2028,6 @@ dissect_esp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
                                    gcry_cipher_algo_name(crypt_algo_libgcrypt), crypt_mode_libgcrypt, gcry_strerror(err));
             }
           }
-#endif
 
           if (!err)
           {
@@ -2052,7 +2046,6 @@ dissect_esp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
             /* Decryption has finished */
             decrypt_ok = TRUE;
 
-#ifdef HAVE_LIBGCRYPT_AEAD
             if (g_esp_enable_authentication_check && icv_type == ICV_TYPE_AEAD) {
               guchar *esp_icv_computed;
               gint tag_len;
@@ -2081,7 +2074,6 @@ dissect_esp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data _U_)
                 esp_icv_expected = bytes_to_str(wmem_packet_scope(), esp_icv_computed, esp_icv_len);
               }
             }
-#endif
           }
         }
       }

epan/dissectors/packet-isakmp.c

@@ -1905,7 +1905,6 @@ static ikev2_encr_alg_spec_t ikev2_encr_algs[] = {
   {IKEV2_ENCR_AES_CTR_192, 28, 1, 8, GCRY_CIPHER_AES192, GCRY_CIPHER_MODE_CTR, 4, 0},
   {IKEV2_ENCR_AES_CTR_256, 36, 1, 8, GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_CTR, 4, 0},
 
-#ifdef HAVE_LIBGCRYPT_AEAD
   /* GCM algorithms: key length: aes-length + 4 bytes of IV (salt), iv - 8 bytes */
   {IKEV2_ENCR_AES_GCM_128_16, 20, 1, 8, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_GCM, 4, 16},
   {IKEV2_ENCR_AES_GCM_192_16, 28, 1, 8, GCRY_CIPHER_AES192, GCRY_CIPHER_MODE_GCM, 4, 16},
@@ -1931,36 +1930,6 @@ static ikev2_encr_alg_spec_t ikev2_encr_algs[] = {
   {IKEV2_ENCR_AES_CCM_128_12, 19, 1, 8, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CCM, 3, 12},
   {IKEV2_ENCR_AES_CCM_192_12, 27, 1, 8, GCRY_CIPHER_AES192, GCRY_CIPHER_MODE_CCM, 3, 12},
   {IKEV2_ENCR_AES_CCM_256_12, 35, 1, 8, GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_CCM, 3, 12},
-#else
-  /* decrypt using plain ctr mode - special handling for GCM mode of counter initial value 2 inside dis_enc()*/
-  /* GCM algorithms: key length: aes-length + 4 bytes of IV (salt), iv - 8 bytes */
-  {IKEV2_ENCR_AES_GCM_128_16, 20, 1, 8, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CTR, 4, 16},
-  {IKEV2_ENCR_AES_GCM_192_16, 28, 1, 8, GCRY_CIPHER_AES192, GCRY_CIPHER_MODE_CTR, 4, 16},
-  {IKEV2_ENCR_AES_GCM_256_16, 36, 1, 8, GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_CTR, 4, 16},
-
-  {IKEV2_ENCR_AES_GCM_128_8, 20, 1, 8, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CTR, 4, 8},
-  {IKEV2_ENCR_AES_GCM_192_8, 28, 1, 8, GCRY_CIPHER_AES192, GCRY_CIPHER_MODE_CTR, 4, 8},
-  {IKEV2_ENCR_AES_GCM_256_8, 36, 1, 8, GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_CTR, 4, 8},
-
-  {IKEV2_ENCR_AES_GCM_128_12, 20, 1, 8, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CTR, 4, 12},
-  {IKEV2_ENCR_AES_GCM_192_12, 28, 1, 8, GCRY_CIPHER_AES192, GCRY_CIPHER_MODE_CTR, 4, 12},
-  {IKEV2_ENCR_AES_GCM_256_12, 36, 1, 8, GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_CTR, 4, 12},
-
-  /* CCM algorithms: key length: aes-length + 3 bytes of salt, iv - 8 bytes.
-   * Special handling of setting first byte of iv to length of 14 - noncelen inside dis_enc() */
-  {IKEV2_ENCR_AES_CCM_128_16, 19, 1, 8, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CTR, 3, 16},
-  {IKEV2_ENCR_AES_CCM_192_16, 27, 1, 8, GCRY_CIPHER_AES192, GCRY_CIPHER_MODE_CTR, 3, 16},
-  {IKEV2_ENCR_AES_CCM_256_16, 35, 1, 8, GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_CTR, 3, 16},
-
-  {IKEV2_ENCR_AES_CCM_128_8, 19, 1, 8, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CTR, 3, 8},
-  {IKEV2_ENCR_AES_CCM_192_8, 27, 1, 8, GCRY_CIPHER_AES192, GCRY_CIPHER_MODE_CTR, 3, 8},
-  {IKEV2_ENCR_AES_CCM_256_8, 35, 1, 8, GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_CTR, 3, 8},
-
-  {IKEV2_ENCR_AES_CCM_128_12, 19, 1, 8, GCRY_CIPHER_AES128, GCRY_CIPHER_MODE_CTR, 3, 12},
-  {IKEV2_ENCR_AES_CCM_192_12, 27, 1, 8, GCRY_CIPHER_AES192, GCRY_CIPHER_MODE_CTR, 3, 12},
-  {IKEV2_ENCR_AES_CCM_256_12, 35, 1, 8, GCRY_CIPHER_AES256, GCRY_CIPHER_MODE_CTR, 3, 12},
-
-#endif
 
   {0, 0, 0, 0, 0, 0, 0, 0}
 };
@@ -5847,10 +5816,8 @@ dissect_enc(tvbuff_t *tvb,
   tvbuff_t *decr_tvb = NULL;
   gint payloads_len;
   proto_tree *decr_tree = NULL, *decr_payloads_tree = NULL;
-#ifdef HAVE_LIBGCRYPT_AEAD
   guchar *aa_data = NULL, *icv_data = NULL;
   gint aad_len = 0;
-#endif
 
   if (decr_info) {
     /* Need decryption details to know field lengths. */
@@ -5915,7 +5882,6 @@ dissect_enc(tvbuff_t *tvb,
       /*
        * Recalculate ICD value if the specified authentication algorithm allows it.
        */
-#ifdef HAVE_LIBGCRYPT_AEAD
       if (icv_len) {
         /* For GCM/CCM algorithms ICD is computed during decryption.
           Must save offset and length of authenticated additional data (whole ISAKMP header
@@ -5924,7 +5890,6 @@ dissect_enc(tvbuff_t *tvb,
         aa_data = (guchar *)tvb_memdup(pinfo->pool, tvb, 0, aad_len);
         icv_data = (guchar *)tvb_memdup(pinfo->pool, tvb, offset, icv_len);
       } else
-#endif
       if (key_info->auth_spec->gcry_alg) {
         proto_item_append_text(icd_item, " <%s>", val_to_str(key_info->auth_spec->number, vs_ikev2_auth_algs, "Unknown mac algo: %d"));
         err = gcry_md_open(&md_hd, key_info->auth_spec->gcry_alg, key_info->auth_spec->gcry_flag);
@@ -6036,7 +6001,6 @@ dissect_enc(tvbuff_t *tvb,
           key_info->encr_spec->gcry_alg, encr_iv_len, gcry_strerror(err));
       }
 
-#ifdef HAVE_LIBGCRYPT_AEAD
       if (key_info->encr_spec->gcry_mode == GCRY_CIPHER_MODE_CCM) {
         guint64 ccm_lengths[3];
         ccm_lengths[0] = encr_data_len;
@@ -6059,7 +6023,6 @@ dissect_enc(tvbuff_t *tvb,
             key_info->encr_spec->gcry_alg, gcry_strerror(err));
         }
       }
-#endif
 
       err = gcry_cipher_decrypt(cipher_hd, decr_data, decr_data_len, encr_data, encr_data_len);
       if (err) {
@@ -6068,7 +6031,6 @@ dissect_enc(tvbuff_t *tvb,
           key_info->encr_spec->gcry_alg, gcry_strerror(err));
       }
 
-#ifdef HAVE_LIBGCRYPT_AEAD
       if (icv_len) {
         /* gcry_cipher_checktag() doesn't work on 1.6.x version well - requires all of 16 bytes
          * of ICV, so it won't work with 12 and 8 bytes of ICV.
@@ -6113,7 +6075,6 @@ dissect_enc(tvbuff_t *tvb,
           expert_add_info(pinfo, icd_item, &ei_isakmp_ikev2_integrity_checksum);
         }
       }
-#endif
 
       gcry_cipher_close(cipher_hd);
     }

epan/dissectors/packet-quic.c

@@ -220,7 +220,6 @@ static dissector_handle_t tls13_handshake_handle;
 
 static dissector_table_t quic_proto_dissector_table;
 
-#ifdef HAVE_LIBGCRYPT_AEAD
 /* Fields for showing reassembly results for fragments of QUIC stream data. */
 static const fragment_items quic_stream_fragment_items = {
     &ett_quic_fragment,
@@ -238,7 +237,6 @@ static const fragment_items quic_stream_fragment_items = {
     &hf_quic_reassembled_data,
     "Fragments"
 };
-#endif /* HAVE_LIBGCRYPT_AEAD */
 
 /*
  * PROTECTED PAYLOAD DECRYPTION (done in first pass)
@@ -743,10 +741,8 @@ quic_get_long_packet_type(guint8 first_byte, guint32 version)
     }
 }
 
-#ifdef HAVE_LIBGCRYPT_AEAD
 static void
 quic_streams_add(packet_info *pinfo, quic_info_data_t *quic_info, guint64 stream_id);
-#endif
 
 static void
 quic_hp_cipher_reset(quic_hp_cipher *hp_cipher)
@@ -767,7 +763,6 @@ quic_ciphers_reset(quic_ciphers *ciphers)
     quic_pp_cipher_reset(&ciphers->pp_cipher);
 }
 
-#ifdef HAVE_LIBGCRYPT_AEAD
 static gboolean
 quic_is_hp_cipher_initialized(quic_hp_cipher *hp_cipher)
 {
@@ -833,7 +828,6 @@ quic_decrypt_header(tvbuff_t *tvb, guint pn_offset, quic_hp_cipher *hp_cipher, i
         }
         memcpy(mask, sample, sizeof(mask));
         break;
-#ifdef HAVE_LIBGCRYPT_CHACHA20
     case GCRY_CIPHER_CHACHA20:
         /* If Gcrypt receives a 16 byte IV, it will assume the buffer to be
          * counter || nonce (in little endian), as desired. */
@@ -845,7 +839,6 @@ quic_decrypt_header(tvbuff_t *tvb, guint pn_offset, quic_hp_cipher *hp_cipher, i
             return FALSE;
         }
         break;
-#endif /* HAVE_LIBGCRYPT_CHACHA20 */
     default:
         return FALSE;
     }
@@ -918,7 +911,6 @@ quic_set_full_packet_number(quic_info_data_t *quic_info, quic_packet_info_t *qui
     quic_packet->pkn_len = pkn_len;
     quic_packet->packet_number = pkn_full;
 }
-#endif /* HAVE_LIBGCRYPT_AEAD */
 
 static const char *
 cid_to_string(const quic_cid_t *cid)
@@ -1167,7 +1159,6 @@ quic_connection_update_initial(quic_info_data_t *conn, const quic_cid_t *scid, c
     }
 }
 
-#ifdef HAVE_LIBGCRYPT_AEAD
 /**
  * Use the new CID as additional identifier for the specified connection and
  * remember it for connection tracking.
@@ -1192,7 +1183,6 @@ quic_connection_add_cid(quic_info_data_t *conn, const quic_cid_t *new_cid, gbool
 
     quic_cids_insert(&new_item->data, conn, from_server);
 }
-#endif /* HAVE_LIBGCRYPT_AEAD */
 
 /** Create or update a connection. */
 static void
@@ -1270,7 +1260,6 @@ quic_connection_destroy(gpointer data, gpointer user_data _U_)
 /* QUIC Streams tracking and reassembly. {{{ */
 static reassembly_table quic_reassembly_table;
 
-#ifdef HAVE_LIBGCRYPT_AEAD
 /** Perform sequence analysis for STREAM frames. */
 static quic_stream_state *
 quic_get_stream_state(packet_info *pinfo, quic_info_data_t *quic_info, gboolean from_server, guint64 stream_id)
@@ -2523,11 +2512,9 @@ quic_get_pn_cipher_algo(int cipher_algo, int *hp_cipher_mode)
     case GCRY_CIPHER_AES256:
         *hp_cipher_mode = GCRY_CIPHER_MODE_ECB;
         return TRUE;
-#ifdef HAVE_LIBGCRYPT_CHACHA20
     case GCRY_CIPHER_CHACHA20:
         *hp_cipher_mode = GCRY_CIPHER_MODE_STREAM;
         return TRUE;
-#endif /* HAVE_LIBGCRYPT_CHACHA20 */
     default:
         return FALSE;
     }
@@ -2660,13 +2647,7 @@ quic_create_decoders(packet_info *pinfo, quic_info_data_t *quic_info, quic_ciphe
 {
     if (!quic_info->hash_algo) {
         if (!tls_get_cipher_info(pinfo, 0, &quic_info->cipher_algo, &quic_info->cipher_mode, &quic_info->hash_algo)) {
-#ifndef HAVE_LIBGCRYPT_CHACHA20
-            /* If this stream uses the ChaCha20-Poly1305 cipher, Libgcrypt 1.7.0
-             * or newer is required. */
-            *error = "Unable to retrieve cipher information; try upgrading Libgcrypt >= 1.7.0";
-#else
             *error = "Unable to retrieve cipher information";
-#endif
             return FALSE;
         }
     }
@@ -3023,22 +3004,16 @@ quic_verify_retry_token(tvbuff_t *tvb, quic_packet_info_t *quic_packet, const qu
     }
     gcry_cipher_close(h);
 }
-#endif /* HAVE_LIBGCRYPT_AEAD */
 
 void
 quic_add_connection(packet_info *pinfo, const quic_cid_t *cid)
 {
-#ifdef HAVE_LIBGCRYPT_AEAD
     quic_datagram *dgram_info;
 
     dgram_info = (quic_datagram *)p_get_proto_data(wmem_file_scope(), pinfo, proto_quic, 0);
     if (dgram_info && dgram_info->conn) {
         quic_connection_add_cid(dgram_info->conn, cid, dgram_info->from_server);
     }
-#else
-    (void)pinfo;
-    (void)cid;
-#endif /* HAVE_LIBGCRYPT_AEAD */
 }
 
 void
@@ -3181,7 +3156,6 @@ dissect_quic_retry_packet(tvbuff_t *tvb, packet_info *pinfo, proto_tree *quic_tr
         // Verify the Retry Integrity Tag according to
         // https://tools.ietf.org/html/draft-ietf-quic-tls-25#section-5.8
         ti = proto_tree_add_item(quic_tree, hf_quic_retry_integrity_tag, tvb, offset, 16, ENC_NA);
-#ifdef HAVE_LIBGCRYPT_AEAD
         if (!PINFO_FD_VISITED(pinfo) && odcid) {
             // Skip validation if the Initial Packet is unknown, for example due
             // to packet loss in the capture file.
@@ -3195,11 +3169,6 @@ dissect_quic_retry_packet(tvbuff_t *tvb, packet_info *pinfo, proto_tree *quic_tr
         } else {
             proto_item_append_text(ti, " [verified]");
         }
-#else
-        (void)odcid;
-        expert_add_info_format(pinfo, ti, &ei_quic_bad_retry,
-                "Libgcrypt >= 1.6.0 is required for Retry Packet verification");
-#endif /* HAVE_LIBGCRYPT_AEAD */
         offset += 16;
     }
 
@@ -3220,14 +3189,11 @@ dissect_quic_long_header(tvbuff_t *tvb, packet_info *pinfo, proto_tree *quic_tre
     guint64 payload_length;
     guint8  first_byte = 0;
     quic_info_data_t *conn = dgram_info->conn;
-#ifdef HAVE_LIBGCRYPT_AEAD
     const gboolean from_server = dgram_info->from_server;
     quic_ciphers *ciphers = NULL;
     proto_item *ti;
-#endif /* HAVE_LIBGCRYPT_AEAD */
 
     quic_extract_header(tvb, &long_packet_type, &version, &dcid, &scid);
-#ifdef HAVE_LIBGCRYPT_AEAD
     if (conn) {
         if (long_packet_type == QUIC_LPT_INITIAL) {
             ciphers = !from_server ? &conn->client_initial_ciphers : &conn->server_initial_ciphers;
@@ -3306,7 +3272,6 @@ dissect_quic_long_header(tvbuff_t *tvb, packet_info *pinfo, proto_tree *quic_tre
     } else if (conn && quic_packet->pkn_len) {
         first_byte = quic_packet->first_byte;
     }
-#endif /* HAVE_LIBGCRYPT_AEAD */
 
     proto_tree_add_item(quic_tree, hf_quic_fixed_bit, tvb, offset, 1, ENC_NA);
     if (is_quic_v2(version)) {
@@ -3343,12 +3308,8 @@ dissect_quic_long_header(tvbuff_t *tvb, packet_info *pinfo, proto_tree *quic_tre
         return offset;
     }
     if (!conn || quic_packet->pkn_len == 0) {
-#ifndef HAVE_LIBGCRYPT_AEAD
-        expert_add_info_format(pinfo, quic_tree, &ei_quic_decryption_failed, "Libgcrypt >= 1.6.0 is required for QUIC decryption");
-#else
         // if not part of a connection, the full PKN cannot be reconstructed.
         expert_add_info_format(pinfo, quic_tree, &ei_quic_decryption_failed, "Failed to decrypt packet number");
-#endif /* HAVE_LIBGCRYPT_AEAD */
         return offset;
     }
 
@@ -3357,13 +3318,8 @@ dissect_quic_long_header(tvbuff_t *tvb, packet_info *pinfo, proto_tree *quic_tre
     col_append_fstr(pinfo->cinfo, COL_INFO, ", PKN: %" PRIu64, quic_packet->packet_number);
 
     /* Payload */
-#ifdef HAVE_LIBGCRYPT_AEAD
     ti = proto_tree_add_item(quic_tree, hf_quic_payload, tvb, offset, -1, ENC_NA);
-#else
-    proto_tree_add_item(quic_tree, hf_quic_payload, tvb, offset, -1, ENC_NA);
-#endif /* HAVE_LIBGCRYPT_AEAD */
 
-#ifdef HAVE_LIBGCRYPT_AEAD
     if (conn) {
         quic_process_payload(tvb, pinfo, quic_tree, ti, offset,
                              conn, quic_packet, from_server, &ciphers->pp_cipher, first_byte, quic_packet->pkn_len);
@@ -3372,7 +3328,6 @@ dissect_quic_long_header(tvbuff_t *tvb, packet_info *pinfo, proto_tree *quic_tre
         // Packet number is verified to be valid, remember it.
         *quic_max_packet_number(conn, from_server, first_byte) = quic_packet->packet_number;
     }
-#endif /* HAVE_LIBGCRYPT_AEAD */
     offset += tvb_reported_length_remaining(tvb, offset);
 
     return offset;
@@ -3397,10 +3352,8 @@ dissect_quic_short_header(tvbuff_t *tvb, packet_info *pinfo, proto_tree *quic_tr
     quic_cid_t dcid = {.len=0};
     guint8  first_byte = 0;
     gboolean    key_phase = FALSE;
-#ifdef HAVE_LIBGCRYPT_AEAD
     proto_item *ti;
     quic_pp_cipher *pp_cipher = NULL;
-#endif /* HAVE_LIBGCRYPT_AEAD */
     quic_info_data_t *conn = dgram_info->conn;
     const gboolean from_server = dgram_info->from_server;
     gboolean loss_bits_negotiated = FALSE;
@@ -3413,7 +3366,6 @@ dissect_quic_short_header(tvbuff_t *tvb, packet_info *pinfo, proto_tree *quic_tr
        dcid.len = from_server ? conn->client_cids.data.len : conn->server_cids.data.len;
        loss_bits_negotiated = quic_loss_bits_negotiated(conn, from_server);
     }
-#ifdef HAVE_LIBGCRYPT_AEAD
     if (!PINFO_FD_VISITED(pinfo) && conn) {
         const gchar *error = NULL;
         guint32 pkn32 = 0;
@@ -3428,7 +3380,6 @@ dissect_quic_short_header(tvbuff_t *tvb, packet_info *pinfo, proto_tree *quic_tr
     } else if (conn && quic_packet->pkn_len) {
         first_byte = quic_packet->first_byte;
     }
-#endif /* HAVE_LIBGCRYPT_AEAD */
     proto_tree_add_item(hdr_tree, hf_quic_fixed_bit, tvb, offset, 1, ENC_NA);
     proto_tree_add_item(hdr_tree, hf_quic_spin_bit, tvb, offset, 1, ENC_NA);
     /* Q and L bits are not protected by HP cipher */
@@ -3460,11 +3411,9 @@ dissect_quic_short_header(tvbuff_t *tvb, packet_info *pinfo, proto_tree *quic_tr
         proto_item_append_text(pi, " DCID=%s", dcid_str);
     }
 
-#ifdef HAVE_LIBGCRYPT_AEAD
     if (!PINFO_FD_VISITED(pinfo) && conn) {
         pp_cipher = quic_get_pp_cipher(key_phase, conn, from_server);
     }
-#endif /* HAVE_LIBGCRYPT_AEAD */
 
     if (quic_packet->decryption.error) {
         expert_add_info_format(pinfo, quic_tree, &ei_quic_decryption_failed,
@@ -3482,13 +3431,8 @@ dissect_quic_short_header(tvbuff_t *tvb, packet_info *pinfo, proto_tree *quic_tr
     proto_item_append_text(pi, " PKN=%" PRIu64, quic_packet->packet_number);
 
     /* Protected Payload */
-#ifdef HAVE_LIBGCRYPT_AEAD
     ti = proto_tree_add_item(hdr_tree, hf_quic_protected_payload, tvb, offset, -1, ENC_NA);
-#else
-    proto_tree_add_item(hdr_tree, hf_quic_protected_payload, tvb, offset, -1, ENC_NA);
-#endif /* HAVE_LIBGCRYPT_AEAD */
 
-#ifdef HAVE_LIBGCRYPT_AEAD
     if (conn) {
         quic_process_payload(tvb, pinfo, quic_tree, ti, offset,
                              conn, quic_packet, from_server, pp_cipher, first_byte, quic_packet->pkn_len);
@@ -3497,7 +3441,6 @@ dissect_quic_short_header(tvbuff_t *tvb, packet_info *pinfo, proto_tree *quic_tr
             *quic_max_packet_number(conn, from_server, first_byte) = quic_packet->packet_number;
         }
     }
-#endif /* HAVE_LIBGCRYPT_AEAD */
     offset += tvb_reported_length_remaining(tvb, offset);
 
     return offset;
@@ -3910,7 +3853,6 @@ quic_cleanup(void)
 }
 
 /* Follow QUIC Stream functionality {{{ */
-#ifdef HAVE_LIBGCRYPT_AEAD
 static void
 quic_streams_add(packet_info *pinfo, quic_info_data_t *quic_info, guint64 stream_id)
 {
@@ -3936,7 +3878,6 @@ quic_streams_add(packet_info *pinfo, quic_info_data_t *quic_info, guint64 stream
         wmem_map_insert(quic_info->streams_map, GUINT_TO_POINTER(stream->num), stream);
     }
 }
-#endif
 
 static quic_info_data_t *
 get_conn_by_number(guint conn_number)

epan/dissectors/packet-quic.h

@@ -12,7 +12,7 @@
 
 #include "ws_symbol_export.h"
 
-#include <wsutil/wsgcrypt.h>	/* needed to define HAVE_LIBGCRYPT_AEAD */
+#include <wsutil/wsgcrypt.h>
 
 #ifdef __cplusplus
 extern "C" {
@@ -53,10 +53,8 @@ typedef struct quic_cid {
 
 /** Set/Get protocol-specific data for the QUIC STREAM. */
 
-#ifdef HAVE_LIBGCRYPT_AEAD
 void    quic_stream_add_proto_data(struct _packet_info *pinfo, quic_stream_info *stream_info, void *proto_data);
 void   *quic_stream_get_proto_data(struct _packet_info *pinfo, quic_stream_info *stream_info);
-#endif /* HAVE_LIBGCRYPT_AEAD */
 
 /** Returns the number of items for quic.connection.number. */
 WS_DLL_PUBLIC guint32 get_quic_connections_count(void);

epan/dissectors/packet-tls-utils.c

@@ -2883,20 +2883,10 @@ ssl_cipher_init(gcry_cipher_hd_t *cipher, gint algo, guchar* sk,
     gint gcry_modes[] = {
         GCRY_CIPHER_MODE_STREAM,
         GCRY_CIPHER_MODE_CBC,
-#ifdef HAVE_LIBGCRYPT_AEAD
         GCRY_CIPHER_MODE_GCM,
         GCRY_CIPHER_MODE_CCM,
         GCRY_CIPHER_MODE_CCM,
-#else
-        GCRY_CIPHER_MODE_CTR,
-        GCRY_CIPHER_MODE_CTR,
-        GCRY_CIPHER_MODE_CTR,
-#endif
-#ifdef HAVE_LIBGCRYPT_CHACHA20_POLY1305
         GCRY_CIPHER_MODE_POLY1305,
-#else
-        -1,                         /* AEAD_CHACHA20_POLY1305 is unsupported. */
-#endif
     };
     gint err;
     if (algo == -1) {
@@ -4778,22 +4768,10 @@ dtls_check_mac(SslDecoder*decoder, gint ct,int ver, guint8* data,
 
 static gboolean
 tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
-#ifdef HAVE_LIBGCRYPT_AEAD
         guint8 ct, guint16 record_version,
-#else
+        gboolean ignore_mac_failed,
-        guint8 ct _U_, guint16 record_version _U_,
-#endif
-        gboolean ignore_mac_failed
-#ifndef HAVE_LIBGCRYPT_AEAD
-        _U_
-#endif
-        ,
         const guchar *in, guint16 inl,
-#ifdef HAVE_LIBGCRYPT_AEAD
         const guchar *cid, guint8 cidl,
-#else
-        const guchar *cid _U_, guint8 cidl _U_,
-#endif
         StringInfo *out_str, guint *outl)
 {
     /* RFC 5246 (TLS 1.2) 6.2.3.3 defines the TLSCipherText.fragment as:
@@ -4809,16 +4787,12 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
     guint           ciphertext_len, auth_tag_len;
     guchar          nonce[12];
     const ssl_cipher_mode_t cipher_mode = decoder->cipher_suite->mode;
-#ifdef HAVE_LIBGCRYPT_AEAD
     const gboolean  is_cid = ct == SSL_ID_TLS12_CID && version == DTLSV1DOT2_VERSION;
     const guint8    draft_version = ssl->session.tls13_draft_version;
     const guchar   *auth_tag_wire;
     guchar          auth_tag_calc[16];
     guchar         *aad = NULL;
     guint           aad_len = 0;
-#else
-    guchar          nonce_with_counter[16] = { 0 };
-#endif
 
     switch (cipher_mode) {
     case MODE_GCM:
@@ -4855,9 +4829,7 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
         ssl_debug_printf("%s Unexpected TLS version %#x\n", G_STRFUNC, version);
         return FALSE;
     }
-#ifdef HAVE_LIBGCRYPT_AEAD
     auth_tag_wire = ciphertext + ciphertext_len;
-#endif
 
     /*
      * Nonce construction is version-specific. Note that AEAD_CHACHA20_POLY1305
@@ -4869,25 +4841,6 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
         memcpy(nonce, decoder->write_iv.data, IMPLICIT_NONCE_LEN);
         memcpy(nonce + IMPLICIT_NONCE_LEN, explicit_nonce, EXPLICIT_NONCE_LEN);
 
-#ifndef HAVE_LIBGCRYPT_AEAD
-        if (cipher_mode == MODE_GCM) {
-            /* NIST SP 800-38D, sect. 7.2 says that the 32-bit counter part starts
-             * at 1, and gets incremented before passing to the block cipher. */
-            memcpy(nonce_with_counter, nonce, IMPLICIT_NONCE_LEN + EXPLICIT_NONCE_LEN);
-            nonce_with_counter[IMPLICIT_NONCE_LEN + EXPLICIT_NONCE_LEN + 3] = 2;
-        } else if (cipher_mode == MODE_CCM || cipher_mode == MODE_CCM_8) {
-            /* The nonce for CCM and GCM are the same, but the nonce is used as input
-             * in the CCM algorithm described in RFC 3610. The nonce generated here is
-             * the one from RFC 3610 sect 2.3. Encryption. */
-            /* Flags: (L-1) ; L = 16 - 1 - nonceSize */
-            nonce_with_counter[0] = 3 - 1;
-            memcpy(nonce_with_counter + 1, nonce, IMPLICIT_NONCE_LEN + EXPLICIT_NONCE_LEN);
-            /* struct { opaque salt[4]; opaque nonce_explicit[8] } CCMNonce (RFC 6655) */
-            nonce_with_counter[IMPLICIT_NONCE_LEN + EXPLICIT_NONCE_LEN + 3] = 1;
-        } else {
-            ws_assert_not_reached();
-        }
-#endif
     } else if (version == TLSV1DOT3_VERSION || cipher_mode == MODE_POLY1305) {
         /*
          * Technically the nonce length must be at least 8 bytes, but for
@@ -4902,7 +4855,6 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
     }
 
     /* Set nonce and additional authentication data */
-#ifdef HAVE_LIBGCRYPT_AEAD
     gcry_cipher_reset(decoder->evp);
     ssl_print_data("nonce", nonce, 12);
     err = gcry_cipher_setiv(decoder->evp, nonce, 12);
@@ -4975,13 +4927,6 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
             return FALSE;
         }
     }
-#else
-    err = gcry_cipher_setctr(decoder->evp, nonce_with_counter, 16);
-    if (err) {
-        ssl_debug_printf("%s failed: failed to set CTR: %s\n", G_STRFUNC, gcry_strerror(err));
-        return FALSE;
-    }
-#endif
 
     /* Decrypt now that nonce and AAD are set. */
     err = gcry_cipher_decrypt(decoder->evp, out_str->data, out_str->data_len, ciphertext, ciphertext_len);
@@ -4991,7 +4936,6 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
     }
 
     /* Check authentication tag for authenticity (replaces MAC) */
-#ifdef HAVE_LIBGCRYPT_AEAD
     err = gcry_cipher_gettag(decoder->evp, auth_tag_calc, auth_tag_len);
     if (err == 0 && !memcmp(auth_tag_calc, auth_tag_wire, auth_tag_len)) {
         ssl_print_data("auth_tag(OK)", auth_tag_calc, auth_tag_len);
@@ -5009,9 +4953,6 @@ tls_decrypt_aead_record(SslDecryptSession *ssl, SslDecoder *decoder,
             return FALSE;
         }
     }
-#else
-    ssl_debug_printf("Libgcrypt is older than 1.6, unable to verify auth tag!\n");
-#endif
 
     /*
      * Increment the (implicit) sequence number for TLS 1.2/1.3. This is done

epan/dissectors/packet-tls.c

@@ -1097,7 +1097,6 @@ decrypt_ssl3_record(tvbuff_t *tvb, packet_info *pinfo, guint32 offset, SslDecryp
     return success;
 }
 
-#ifdef HAVE_LIBGCRYPT_AEAD
 /**
  * Try to guess the early data cipher using trial decryption.
  * Requires Libgcrypt 1.6 or newer for verifying that decryption is successful.
@@ -1172,7 +1171,6 @@ decrypt_tls13_early_data(tvbuff_t *tvb, packet_info *pinfo, guint32 offset,
     }
     return success;
 }
-#endif
 
 static void
 process_ssl_payload(tvbuff_t *tvb, int offset, packet_info *pinfo,
@@ -1940,9 +1938,7 @@ dissect_ssl3_record(tvbuff_t *tvb, packet_info *pinfo,
         /* Try to decrypt TLS 1.3 early data first */
         if (session->version == TLSV1DOT3_VERSION && content_type == SSL_ID_APP_DATA &&
             ssl->has_early_data && !ssl_packet_from_server(session, ssl_associations, pinfo)) {
-#ifdef HAVE_LIBGCRYPT_AEAD
             decrypt_ok = decrypt_tls13_early_data(tvb, pinfo, offset, record_length, ssl, curr_layer_num_ssl);
-#endif
             if (!decrypt_ok) {
                 /* Either trial decryption failed (e.g. missing key) or end of
                  * early data is reached. Switch to HS secrets if available. */
@@ -3783,20 +3779,10 @@ tls_get_cipher_info(packet_info *pinfo, guint16 cipher_suite, int *cipher_algo,
     static const gint gcry_modes[] = {
         GCRY_CIPHER_MODE_STREAM,
         GCRY_CIPHER_MODE_CBC,
-#ifdef HAVE_LIBGCRYPT_AEAD
         GCRY_CIPHER_MODE_GCM,
         GCRY_CIPHER_MODE_CCM,
         GCRY_CIPHER_MODE_CCM,
-#else
-        -1,                         /* Do not bother with fallback support. */
-        -1,
-        -1,
-#endif
-#ifdef HAVE_LIBGCRYPT_CHACHA20_POLY1305
         GCRY_CIPHER_MODE_POLY1305,
-#else
-        -1,                         /* AEAD_CHACHA20_POLY1305 is unsupported. */
-#endif
     };
     static const int gcry_mds[] = {
         GCRY_MD_MD5,

wsutil/wsgcrypt.h

@@ -17,27 +17,15 @@
 
 #include <wireshark.h>
 
+/* XXX: Turning off warnings here may not be necessary now that libgcrypt
+ * 1.8.0 is the minimum version.
+ */
 DIAG_OFF(deprecated-declarations)
 
 #include <gcrypt.h>
 
 DIAG_ON(deprecated-declarations)
 
-/*
- * Define HAVE_LIBGCRYPT_AEAD here, because it's used in several source
- * files.
- */
-/* Whether to provide support for authentication in addition to decryption. */
-#define HAVE_LIBGCRYPT_AEAD
-
-/*
- * Define some other "do we have?" items as well.
- */
-/* Whether ChaCh20 PNE can be supported. */
-#define HAVE_LIBGCRYPT_CHACHA20
-/* Whether AEAD_CHACHA20_POLY1305 can be supported. */
-#define HAVE_LIBGCRYPT_CHACHA20_POLY1305
-
 #define HASH_MD5_LENGTH      16
 #define HASH_SHA1_LENGTH     20
 #define HASH_SHA2_224_LENGTH 28