From 37e3dbdd8206e4f0f03fab13ff3f38aa932be065 Mon Sep 17 00:00:00 2001
From: Dimitri Staessens
Date: Wed, 28 Jan 2026 00:35:28 +0100
Subject: lib: Fix OpenSSL includes and explicit_bzero on OSX

The include headers and NIDs are different on macOS X. It also doesn't have explicit_bzero. The crypt.h includes are now guarded to work on OS X (trying to avoid the includes by defining the OpenSSL mac header guard led to a whole list of other issues). The explicit zero'ing of buffers temporarily holding secrets has now been abstracted in a crypt_secure_clear() function defaulting to OpenSSL_cleanse, explicit_bzero (if present) or a best-effort option using a volatile pointer.

Signed-off-by: Dimitri Staessens
Signed-off-by: Sander Vrijders
---
 cmake/dependencies.cmake | 1 +
 cmake/dependencies/explicit_bzero.cmake | 1 +
 cmake/dependencies/openssl.cmake | 2 +-
 3 files changed, 3 insertions(+), 1 deletion(-)
 create mode 100644 cmake/dependencies/explicit_bzero.cmake
(limited to 'cmake')
diff --git a/cmake/dependencies.cmake b/cmake/dependencies.cmake
index e9dc17a1..4c999250 100644
--- a/cmake/dependencies.cmake
+++ b/cmake/dependencies.cmake
@@ -2,6 +2,7 @@
 include(FindPkgConfig)
 include(CheckSymbolExists)
 include(dependencies/protobufc)
+include(dependencies/explicit_bzero)
 include(dependencies/systemlibraries)
 include(dependencies/robustmutex)
 include(dependencies/fuse)
diff --git a/cmake/dependencies/explicit_bzero.cmake b/cmake/dependencies/explicit_bzero.cmake
new file mode 100644
index 00000000..54a11d21
--- /dev/null
+++ b/cmake/dependencies/explicit_bzero.cmake
@@ -0,0 +1 @@
+check_symbol_exists(explicit_bzero "string.h" HAVE_EXPLICIT_BZERO)
\ No newline at end of file
diff --git a/cmake/dependencies/openssl.cmake b/cmake/dependencies/openssl.cmake
index d679b050..b02d64b4 100644
--- a/cmake/dependencies/openssl.cmake
+++ b/cmake/dependencies/openssl.cmake
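Review bot: The probe on the added `check_symbol_exists` line only looks in `string.h` and runs with CMake's default test flags, so on a platform that declares explicit_bzero elsewhere (FreeBSD documents it in `strings.h`, as far as I recall) or under a strict `-std=c99`-style build where glibc only exposes it with `_DEFAULT_SOURCE`/`_GNU_SOURCE`, HAVE_EXPLICIT_BZERO comes out false and, on a build without OpenSSL, secret clearing silently drops to the volatile-pointer fallback that the commit message itself calls best-effort. I would widen the header list to `check_symbol_exists(explicit_bzero "string.h;strings.h" HAVE_EXPLICIT_BZERO)` and set `CMAKE_REQUIRED_DEFINITIONS`/`CMAKE_REQUIRED_FLAGS` to the same feature macros and `-std` the project compiles with before the check, so the probe sees what the compiler will see. A `message(STATUS "Secure memory clearing: ...")` naming the selected backend would make such a downgrade visible in the configure log rather than only in the generated config header. The new file also lacks a trailing newline.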
@@ -7,7 +7,7 @@ if (OPENSSL_FOUND)
 else ()
 set(DISABLE_OPENSSL FALSE CACHE BOOL "Disable OpenSSL support")
 if (NOT DISABLE_OPENSSL)
- message(STATUS "OpenSSL support enabled")
+ message(STATUS "OpenSSL support enabled, found version ${OPENSSL_VERSION}")
 set(HAVE_OPENSSL TRUE CACHE INTERNAL "")
 set(DISABLE_PQC FALSE CACHE BOOL "Disable post-quantum cryptography support")
 if (OPENSSL_VERSION VERSION_GREATER_EQUAL "3.4.0")
-- 
cgit v1.2.3