
[multiple] use NSS crypto if no other crypto avail

use NSS crypto if no other crypto avail, but NSS crypto is available

"NSS crypto support" is not included in tests/LightyTest.pm:has_crypto()
due to NSS libraries (freebl3) lacking public export for HMAC funcs
master
Glenn Strauss 8 months ago
parent
commit
a46f519eb2
  1. 5
      configure.ac
  2. 2
      src/mod_nss.c
  3. 52
      src/mod_secdownload.c
  4. 25
      src/rand.c
  5. 48
      src/sys-crypto-md.h
  6. 1
      src/sys-crypto.h

5
configure.ac

@ -883,10 +883,15 @@ if test "x$use_nss" = "xyes"; then
NSS_LIBS="-L$WITH_NSS/lib"
else
PKG_CHECK_MODULES([NSS],[nss])
CPPFLAGS="$CPPFLAGS -I/usr/include/nspr4"
fi
AC_DEFINE([HAVE_NSS3_NSS_H], [1], [nss3/nss.h])
AC_SUBST([NSS_CFLAGS])
AC_SUBST([NSS_LIBS])
if test "x$CRYPTO_LIB" = "x"; then
CRYPTO_LIB="-lnss3"
AC_SUBST([CRYPTO_LIB])
fi
fi
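Review bot: The new fallback `CRYPTO_LIB="-lnss3"` carries no library search path, while the `WITH_NSS` branch above places the `-L$WITH_NSS/lib` only into `NSS_LIBS`; if CRYPTO_LIB ends up on a link line without NSS_LIBS, an NSS installed outside the default linker path would fail to link. The consumer of CRYPTO_LIB is outside this hunk, so this is inferred; if it can be linked without NSS_LIBS, consider `CRYPTO_LIB="$NSS_LIBS -lnss3"` or a comment stating that NSS_LIBS always accompanies it.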

2
src/mod_nss.c

@ -371,7 +371,7 @@ static int mod_nss_init_once_nss (void)
/*PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);*//*implicit on first use*/
if (NSS_NoDB_Init(NULL) < 0)
if (!NSS_IsInitialized() && NSS_NoDB_Init(NULL) < 0)
return 0;
if (SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_FALSE) < 0)
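Review bot: With `if (!NSS_IsInitialized() && NSS_NoDB_Init(NULL) < 0)` the module no longer knows whether it was the component that initialized NSS; if mod_nss_init_once_nss has a matching NSS_Shutdown() on teardown (not visible here), that shutdown would now also tear down an NSS instance that rand.c's li_rand_init() in this same commit relies on. Consider recording a file-scope `static int nss_init_owned;` set only when this call performed the init, and calling NSS_Shutdown() only when it is set. The enclosing function starts and ends outside the hunk.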

52
src/mod_secdownload.c

@ -24,6 +24,8 @@
#include <gnutls/crypto.h>
#elif defined(USE_WOLFSSL_CRYPTO)
#include <wolfssl/wolfcrypt/hmac.h>
#elif defined(USE_NSS_CRYPTO)
#include <nss3/alghmac.h>
#endif
#endif
@ -267,6 +269,31 @@ static int secdl_verify_mac(plugin_config *config, const char* protected_path, c
"hmac-sha1: HMAC() failed");
return 0;
}
#elif defined(USE_NSS_CRYPTO)
/*(HMAC* funcs not public export of libfreebl3.so,
* even though nss3/alghmac.h is public (WTH?!))*/
#if 0
HMACContext *hmac =
HMAC_Create(HASH_GetHashObject(HASH_AlgSHA1),
(const unsigned char *)config->secret->ptr,
buffer_string_length(config->secret), PR_FALSE);
int rc;
if ((rc = (NULL != hmac) ? SECSuccess : SECFailure)) {
HMAC_Begin(hmac);
HMAC_Update(hmac, (const unsigned char *)protected_path,
strlen(protected_path));
unsigned int len;
rc = HMAC_Finish(hmac, digest, &len, sizeof(digest));
HMAC_Destroy(hmac, PR_TRUE);
}
if (SECSuccess != rc) {
log_error(errh, __FILE__, __LINE__,
"hmac-sha1: HMAC() failed");
return 0;
}
#else
return 0;
#endif
#else
#error "unexpected; crypto lib not configured for use by mod_secdownload"
#endif
@ -332,6 +359,31 @@ static int secdl_verify_mac(plugin_config *config, const char* protected_path, c
"hmac-sha256: HMAC() failed");
return 0;
}
#elif defined(USE_NSS_CRYPTO)
/*(HMAC* funcs not public export of libfreebl3.so,
* even though nss3/alghmac.h is public (WTH?!))*/
#if 0
HMACContext *hmac =
HMAC_Create(HASH_GetHashObject(HASH_AlgSHA256),
(const unsigned char *)config->secret->ptr,
buffer_string_length(config->secret), PR_FALSE);
int rc;
if ((rc = (NULL != hmac) ? SECSuccess : SECFailure)) {
HMAC_Begin(hmac);
HMAC_Update(hmac, (const unsigned char *)protected_path,
strlen(protected_path));
unsigned int len;
rc = HMAC_Finish(hmac, digest, &len, sizeof(digest));
HMAC_Destroy(hmac, PR_TRUE);
}
if (SECSuccess != rc) {
log_error(errh, __FILE__, __LINE__,
"hmac-sha256: HMAC() failed");
return 0;
}
#else
return 0;
#endif
#else
#error "unexpected; crypto lib not configured for use by mod_secdownload"
#endif
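Review bot: Under USE_NSS_CRYPTO the hmac-sha1 and hmac-sha256 branches (both hunks of this file) compile to a bare `return 0;`, so every secure-download request configured with these algorithms is rejected without any log line, unlike the sibling backends that report `"hmac-sha1: HMAC() failed"`. Failing closed is right, but the operator gets no signal that the algorithm is unsupported with this crypto library; at minimum add `log_error(errh, __FILE__, __LINE__, "hmac-sha1: not supported with NSS crypto");` before the `return 0;` (and the sha256 equivalent), or reject such a configuration at startup. NSS does expose HMAC through the PK11 layer (PK11_CreateContextBySymKey() with CKM_SHA_1_HMAC / CKM_SHA256_HMAC, exported from libnss3), which would sidestep the freebl export problem entirely. Separately, in the `#if 0` code `if ((rc = (NULL != hmac) ? SECSuccess : SECFailure))` is true only when hmac is NULL, since SECSuccess is 0, so that block would need correcting before ever being re-enabled. secdl_verify_mac begins and ends outside the hunks.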

25
src/rand.c

@ -26,6 +26,7 @@
#undef USE_WOLFSSL_CRYPTO
#undef USE_OPENSSL_CRYPTO
#undef USE_GNUTLS_CRYPTO
#undef USE_NSS_CRYPTO
#include <nettle/knuth-lfib.h>
#include <nettle/arcfour.h>
#include <nettle/yarrow.h>
@ -34,22 +35,30 @@
#undef USE_WOLFSSL_CRYPTO
#undef USE_OPENSSL_CRYPTO
#undef USE_GNUTLS_CRYPTO
#undef USE_NSS_CRYPTO
#include <mbedtls/ctr_drbg.h>
#include <mbedtls/entropy.h>
#endif
#ifdef USE_OPENSSL_CRYPTO
#undef USE_WOLFSSL_CRYPTO
#undef USE_GNUTLS_CRYPTO
#undef USE_NSS_CRYPTO
#include <openssl/opensslv.h> /* OPENSSL_VERSION_NUMBER */
#include <openssl/rand.h>
#endif
#ifdef USE_WOLFSSL_CRYPTO
#undef USE_GNUTLS_CRYPTO
#undef USE_NSS_CRYPTO
#include <wolfssl/wolfcrypt/random.h>
#endif
#ifdef USE_GNUTLS_CRYPTO
#undef USE_NSS_CRYPTO
#include <gnutls/crypto.h>
#endif
#ifdef USE_NSS_CRYPTO
#include <nss3/nss.h>
#include <nss3/pk11pub.h>
#endif
#ifdef HAVE_GETENTROPY
#include <sys/random.h>
#endif
@ -268,6 +277,11 @@ static void li_rand_init (void)
#endif
#endif
#endif
#ifdef USE_NSS_CRYPTO
if (!NSS_IsInitialized() && NSS_NoDB_Init(NULL) < 0)
SEGFAULT();
PK11_RandomUpdate(xsubi, sizeof(xsubi));
#endif
}
void li_rand_reseed (void)
@ -344,6 +358,10 @@ int li_rand_pseudo (void)
return i;
#endif
#endif
#ifdef USE_NSS_CRYPTO
if (SECSuccess == PK11_GenerateRandom((unsigned char *)&i, sizeof(i)))
return i;
#endif
#ifdef HAVE_ARC4RANDOM_BUF
return (int)arc4random();
#elif defined(__COVERITY__)
@ -370,6 +388,9 @@ void li_rand_pseudo_bytes (unsigned char *buf, int num)
if (0 == gnutls_rnd(GNUTLS_RND_NONCE, buf, (size_t)num)) return;
#endif
if (!li_rand_inited) li_rand_init();
#ifdef USE_NSS_CRYPTO
if (SECSuccess == PK11_GenerateRandom(buf, num)) return;
#endif
#ifdef USE_MBEDTLS_CRYPTO
#ifdef MBEDTLS_CTR_DRBG_C
if (0 == mbedtls_ctr_drbg_random(&ctr_drbg, buf, (size_t)num)) return;
@ -389,6 +410,10 @@ int li_rand_bytes (unsigned char *buf, int num)
#ifdef USE_GNUTLS_CRYPTO /* should use GNUTLS_RND_KEY for long-term keys */
if (0 == gnutls_rnd(GNUTLS_RND_RANDOM, buf, (size_t)num)) return 1;
#endif
#ifdef USE_NSS_CRYPTO
if (!li_rand_inited) li_rand_init();
if (SECSuccess == PK11_GenerateRandom(buf, num)) return 1;
#endif
#ifdef USE_NETTLE_CRYPTO
#if 0 /* not implemented: periodic nettle_yarrow256_update() and reseed */
if (!nettle_yarrow256_is_seeded(&yarrow256_ctx)) {
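Review bot: The `PK11_GenerateRandom((unsigned char *)&i, sizeof(i))` added to li_rand_pseudo has no preceding `if (!li_rand_inited) li_rand_init();`, whereas the li_rand_bytes addition guards its PK11 call that way; the start of li_rand_pseudo is outside the hunk, so if it does not already ensure initialization, PK11_GenerateRandom can run before NSS_NoDB_Init() and silently fall through to the non-NSS fallbacks below. Mirroring the li_rand_bytes guard would make the NSS path deterministic regardless of call order. The li_rand_init hunk's `SEGFAULT()` on NSS init failure is a fail-fast choice worth a one-line comment such as `/* refuse to start without a seeded CSPRNG */`, since the equivalent handling for the other backends is not visible here.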

48
src/sys-crypto-md.h

@ -513,6 +513,54 @@ SHA256_Update(SHA256_CTX *ctx, const void *data, size_t length)
return 1;
}
#elif defined(USE_NSS_CRYPTO)
#include <nss3/sechash.h>
#define NSS_gen_hashfuncs(name, typ) \
static inline int \
name##_Init(void **ctx) \
{ \
const SECHashObject * const hashObj = HASH_GetHashObject(typ); \
return ((*ctx=hashObj->create()) != NULL) ? (hashObj->begin(*ctx),1) : 0; \
} \
static inline int \
name##_Final(unsigned char *dest, void **ctx) \
{ \
const SECHashObject * const hashObj = HASH_GetHashObject(typ); \
unsigned int retLen; \
hashObj->end(*ctx, dest, &retLen, hashObj->length); \
hashObj->destroy(*ctx, PR_TRUE); \
return 1; \
} \
static inline int \
name##_Update(void **ctx, const void *src, size_t len) \
{ \
const SECHashObject * const hashObj = HASH_GetHashObject(typ); \
hashObj->update(*ctx, src, (int)len); \
return 1; \
} \
typedef void * name##_CTX
typedef void * SHA_CTX;
#define USE_LIB_CRYPTO_MD5
/* MD5_Init()
* MD5_Update()
* MD5_Final() */
NSS_gen_hashfuncs(MD5, HASH_AlgMD5);
#define USE_LIB_CRYPTO_SHA1
/* SHA1_Init()
* SHA1_Update()
* SHA1_Final() */
NSS_gen_hashfuncs(SHA1, HASH_AlgSHA1);
#define USE_LIB_CRYPTO_SHA256
/* SHA256_Init()
* SHA256_Update()
* SHA256_Final() */
NSS_gen_hashfuncs(SHA256, HASH_AlgSHA256);
#endif
#endif /* USE_LIB_CRYPTO */
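Review bot: `name##_Final` destroys the NSS hash context with `hashObj->destroy(*ctx, PR_TRUE)` but leaves `*ctx` pointing at the freed object, so a second Final or a late Update on the same CTX is a use-after-free rather than a detectable error; add `*ctx = NULL;` after the destroy call. The `retLen` written by `hashObj->end()` is never checked — comparing it against `hashObj->length` and returning 0 on mismatch would catch a wrong digest size cheaply. In `name##_Update` the `(int)len` cast narrows size_t; lengths above INT_MAX would reach update() as a different value, which is presumably never hit by callers but deserves a comment or a loop over bounded chunks.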

1
src/sys-crypto.h

@ -27,6 +27,7 @@
#endif
#ifdef HAVE_NSS3_NSS_H
#define USE_LIB_CRYPTO
#define USE_NSS_CRYPTO
#endif
