Commit Graph

31 Commits

Author SHA1 Message Date
Glenn Strauss 6fb63fa8d6 [multiple] include mbedtls/config.h after select
include mbedtls/config.h crypto lib config
after selecting crypto lib to use
2020-10-29 16:41:27 -04:00
Glenn Strauss 441c95c697 [multiple] consistent order for crypto lib select 2020-10-29 16:39:56 -04:00
Glenn Strauss babfb43873 [build] WITHOUT_LIB_CRYPTO option in code
(not (yet?) an end-user option in the build system)
(If extended to build system, build system should also unset CRYPTO_LIB)

If WITHOUT_LIB_CRYPTO is defined in sys-crypto.h, then non-TLS modules
will have access to MD5() and SHA1() built with lighttpd (algo_md5.[ch]
and algo_sha1.[ch]), but not to other message digest algorithms.

As of this commit, this affects only mod_secdownload with SHA256 digest
and mod_auth* modules using HTTP Digest Auth with digest=SHA-256, which
is not currently well-supported by client browers (besides Opera)
2020-10-27 16:47:33 -04:00
Glenn Strauss 033209393e [multiple] test for nss includes
some distro packages deploy NSS includes under nss/, others nss3/
(and similar for nspr/ vs nspr4/)
2020-10-22 00:48:40 -04:00
Glenn Strauss 9868d3b348 [core] add missing declaration for NSS rand
(bug on master branch; never released)
2020-10-21 17:05:24 -04:00
Glenn Strauss a46f519eb2 [multiple] use NSS crypto if no other crypto avail
use NSS crypto if no other crypto avail, but NSS crypto is available

"NSS crypto support" is not included in tests/
due to NSS libraries (freebl3) lacking public export for HMAC funcs
2020-10-19 21:40:14 -04:00
Glenn Strauss bd8edb51d0 [core] allow symlinks under /dev for rand devices
(fix code to match comment)
2020-10-11 12:19:27 -04:00
Glenn Strauss c3a85c9bf5 [mod_wolfssl] standalone module
standalone module forked from mod_openssl
2020-10-11 12:19:26 -04:00
Glenn Strauss 2781a3be6d [multiple] address coverity warnings 2020-07-10 21:34:28 -04:00
Glenn Strauss 98a224a4a2 [mod_openssl] prefer some WolfSSL native APIs
Prefer some WolfSSL native APIs when building with WolfSSL.

However, some functionality in WolfSSL is available only through the
WolfSSL compatibility layer for OpenSSL, so the effort to create a
native mod_wolfssl halted here.
2020-07-08 22:51:32 -04:00
Glenn Strauss c18f442a63 [multiple] add summaries to top of some modules 2020-07-08 22:51:31 -04:00
Glenn Strauss bf4054f8ec [mod_gnutls] GnuTLS option for TLS (fixes #109)

mod_gnutls supports most ssl.* config options supported by mod_openssl

  "GnuTLS support for the mod_ssl"
2020-07-08 22:51:31 -04:00
Glenn Strauss cb753ec5b5 [mod_mbedtls] mbedTLS option for TLS

mod_mbedtls supports most ssl.* config options supported by mod_openssl

thx Ward Willats for the initial discussion and attempt in the comments
2020-07-08 22:51:31 -04:00
Glenn Strauss 7de51cc77b [core] add seed before openssl RAND_pseudo_bytes() 2020-07-08 19:54:30 -04:00
Glenn Strauss b28a3714c4 [multiple] ./configure --with-nettle to use Nettle
./configure --with-nettle to use Nettle crypto lib for algorithms,
instead of OpenSSL or wolfSSL.  Note: Nettle does not provide TLS.

  "How to use SHA-256 without OpenSSL?"
2020-07-08 19:54:30 -04:00
Glenn Strauss 2c18090216 [core] remove include base.h where unused 2020-07-08 19:54:29 -04:00
Glenn Strauss 37bd124ae4 [core] pass conf.follow_symlink in more places 2019-03-10 23:22:58 -04:00
Rosen Penev bc91bbd0c6 [core] Don't call RAND_cleanup with OpenSSL 1.1.x
RAND_cleanup is deprecated and does nothing with 1.1.x.

It also breaks with OpenSSL compiled with no deprecated APIs.

github: closes #93
2018-11-12 21:56:05 -05:00
Glenn Strauss 368630d925 [TLS] sys-crypto.h abstraction 2018-09-26 01:08:24 -04:00
Glenn Strauss 6e171bd4b9 [core] adjust li_rand_pseudo* interfaces 2017-09-20 22:48:35 -04:00
Glenn Strauss 26dce93086 [core] attempt to quiet compiler warning in LEDE 2017-09-10 15:27:28 -04:00
Glenn Strauss 6f88c28c44 [core] fix compiler warnings on Mac OS X
(thx wardw)
2017-06-13 08:56:13 -04:00
Glenn Strauss a53f662a30 [core] remove some unused header includes
remove exposure of stdio.h in buffer.h for print_backtrace(), now static
2017-03-28 02:17:33 -04:00
Glenn Strauss 5b81201be9 [TLS] include <openssl/opensslv.h> in rand.c
include <openssl/opensslv.h> in rand.c for OPENSSL_VERSION_NUMBER

(openssl 1.1.0 deprecates RAND_pseudo_bytes())
2017-01-31 14:36:16 -05:00
Glenn Strauss a801ef55a0 [TLS] mark code that uses -lcrypto but not -lssl
mark code that uses openssl -lcrypto with USE_OPENSSL_CRYPTO
to note that it does not depend on openssl -lssl (USE_OPENSSL)
2017-01-14 01:06:16 -05:00
Glenn Strauss 28c8fec42b [core] defer li_rand_init() until first use
defer li_rand_init() until first use of li_rand_pseudo_bytes()

li_rand_init() is now deferred until first use so that installations
that do not use modules which use these routines do need to potentially
block at startup.  Current use by core lighttpd modules is in mod_auth
HTTP Digest auth and in mod_usertrack.  Deferring collection of random
data until first use may allow sufficient entropy to be collected by
kernel before first use, helping reduce or avoid situations in
low-entropy-generating embedded devices which might otherwise block
lighttpd for minutes at device startup.  Further discussion in
2016-12-09 02:17:52 -05:00
Glenn Strauss c64c2173ce [core] rename li_rand() to li_rand_pseudo_bytes()
to be more explicit that the result is pseudo-random data
and not cryptographically random.
2016-12-05 14:22:25 -05:00
Glenn Strauss 64a7b64c2b RAND_pseudo_bytes() is deprecated in openssl 1.1.0 2016-12-05 02:40:12 -05:00
Glenn Strauss df61f19daf [core] compile fix for Mac OS X 10.6 (old) (fixes #2773)
Mac OS X 10.7 Lion introduces arc4random_buf()

(thx ryandesign)

  "Mac OS X build issue Undefined symbols"
2016-11-28 12:39:11 -05:00
Glenn Strauss 032772ab6c add random() to list of rand() fallbacks
(but prefer better mechanisms)
2016-10-16 05:11:38 -04:00
Glenn Strauss 7f4e156e5f [core] rand.[ch] to use better RNGs when available
prefer RAND_pseudo_bytes() (openssl), arc4random() or jrand48(),
if available, over rand()

These are not necessarily cryptographically secure, but should be better
than rand()
2016-10-15 23:28:09 -04:00