lighttpd
/
lighttpd1.4
2
0
Fork 0
Code Issues Releases Wiki Activity
Browse Source

[multiple] use NSS crypto if no other crypto avail 

use NSS crypto if no other crypto avail, but NSS crypto is available

"NSS crypto support" is not included in tests/LightyTest.pm:has_crypto()
due to NSS libraries (freebl3) lacking public export for HMAC funcs
master
Glenn Strauss 1 year ago
parent
bdb5fb26a8
commit
a46f519eb2
6 changed files with 132 additions and 1 deletions
Whitespace
Show all changes Ignore whitespace when comparing lines Ignore changes in amount of whitespace Ignore changes in whitespace at EOL
Split View
Diff Options
Show Stats Download Patch File Download Diff File
  1. 5
      configure.ac
  2. 2
      src/mod_nss.c
  3. 52
      src/mod_secdownload.c
  4. 25
      src/rand.c
  5. 48
      src/sys-crypto-md.h
  6. 1
      src/sys-crypto.h

5
configure.ac
View File

@ -883,10 +883,15 @@ if test "x$use_nss" = "xyes"; then
NSS_LIBS="-L$WITH_NSS/lib"
else
PKG_CHECK_MODULES([NSS],[nss])
CPPFLAGS="$CPPFLAGS -I/usr/include/nspr4"
fi
AC_DEFINE([HAVE_NSS3_NSS_H], [1], [nss3/nss.h])
AC_SUBST([NSS_CFLAGS])
AC_SUBST([NSS_LIBS])
if test "x$CRYPTO_LIB" = "x"; then
CRYPTO_LIB="-lnss3"
AC_SUBST([CRYPTO_LIB])
fi
fi

2
src/mod_nss.c
View File

@ -371,7 +371,7 @@ static int mod_nss_init_once_nss (void)
/*PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);*//*implicit on first use*/
if (NSS_NoDB_Init(NULL) < 0)
if (!NSS_IsInitialized() && NSS_NoDB_Init(NULL) < 0)
return 0;
if (SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_FALSE) < 0)

52
src/mod_secdownload.c
View File

@ -24,6 +24,8 @@
#include <gnutls/crypto.h>
#elif defined(USE_WOLFSSL_CRYPTO)
#include <wolfssl/wolfcrypt/hmac.h>
#elif defined(USE_NSS_CRYPTO)
#include <nss3/alghmac.h>
#endif
#endif
@ -267,6 +269,31 @@ static int secdl_verify_mac(plugin_config *config, const char* protected_path, c
"hmac-sha1: HMAC() failed");
return 0;
}
#elif defined(USE_NSS_CRYPTO)
/*(HMAC* funcs not public export of libfreebl3.so,
* even though nss3/alghmac.h is public (WTH?!))*/
#if 0
HMACContext *hmac =
HMAC_Create(HASH_GetHashObject(HASH_AlgSHA1),
(const unsigned char *)config->secret->ptr,
buffer_string_length(config->secret), PR_FALSE);
int rc;
if ((rc = (NULL != hmac) ? SECSuccess : SECFailure)) {
HMAC_Begin(hmac);
HMAC_Update(hmac, (const unsigned char *)protected_path,
strlen(protected_path));
unsigned int len;
rc = HMAC_Finish(hmac, digest, &len, sizeof(digest));
HMAC_Destroy(hmac, PR_TRUE);
}
if (SECSuccess != rc) {
log_error(errh, __FILE__, __LINE__,
"hmac-sha1: HMAC() failed");
return 0;
}
#else
return 0;
#endif
#else
#error "unexpected; crypto lib not configured for use by mod_secdownload"
#endif
@ -332,6 +359,31 @@ static int secdl_verify_mac(plugin_config *config, const char* protected_path, c
"hmac-sha256: HMAC() failed");
return 0;
}
#elif defined(USE_NSS_CRYPTO)
/*(HMAC* funcs not public export of libfreebl3.so,
* even though nss3/alghmac.h is public (WTH?!))*/
#if 0
HMACContext *hmac =
HMAC_Create(HASH_GetHashObject(HASH_AlgSHA256),
(const unsigned char *)config->secret->ptr,
buffer_string_length(config->secret), PR_FALSE);
int rc;
if ((rc = (NULL != hmac) ? SECSuccess : SECFailure)) {
HMAC_Begin(hmac);
HMAC_Update(hmac, (const unsigned char *)protected_path,
strlen(protected_path));
unsigned int len;
rc = HMAC_Finish(hmac, digest, &len, sizeof(digest));
HMAC_Destroy(hmac, PR_TRUE);
}
if (SECSuccess != rc) {
log_error(errh, __FILE__, __LINE__,
"hmac-sha256: HMAC() failed");
return 0;
}
#else
return 0;
#endif
#else
#error "unexpected; crypto lib not configured for use by mod_secdownload"
#endif

25
src/rand.c
View File

@ -26,6 +26,7 @@
#undef USE_WOLFSSL_CRYPTO
#undef USE_OPENSSL_CRYPTO
#undef USE_GNUTLS_CRYPTO
#undef USE_NSS_CRYPTO
#include <nettle/knuth-lfib.h>
#include <nettle/arcfour.h>
#include <nettle/yarrow.h>
@ -34,22 +35,30 @@
#undef USE_WOLFSSL_CRYPTO
#undef USE_OPENSSL_CRYPTO
#undef USE_GNUTLS_CRYPTO
#undef USE_NSS_CRYPTO
#include <mbedtls/ctr_drbg.h>
#include <mbedtls/entropy.h>
#endif
#ifdef USE_OPENSSL_CRYPTO
#undef USE_WOLFSSL_CRYPTO
#undef USE_GNUTLS_CRYPTO
#undef USE_NSS_CRYPTO
#include <openssl/opensslv.h> /* OPENSSL_VERSION_NUMBER */
#include <openssl/rand.h>
#endif
#ifdef USE_WOLFSSL_CRYPTO
#undef USE_GNUTLS_CRYPTO
#undef USE_NSS_CRYPTO
#include <wolfssl/wolfcrypt/random.h>
#endif
#ifdef USE_GNUTLS_CRYPTO
#undef USE_NSS_CRYPTO
#include <gnutls/crypto.h>
#endif
#ifdef USE_NSS_CRYPTO
#include <nss3/nss.h>
#include <nss3/pk11pub.h>
#endif
#ifdef HAVE_GETENTROPY
#include <sys/random.h>
#endif
@ -268,6 +277,11 @@ static void li_rand_init (void)
#endif
#endif
#endif
#ifdef USE_NSS_CRYPTO
if (!NSS_IsInitialized() && NSS_NoDB_Init(NULL) < 0)
SEGFAULT();
PK11_RandomUpdate(xsubi, sizeof(xsubi));
#endif
}
void li_rand_reseed (void)
@ -344,6 +358,10 @@ int li_rand_pseudo (void)
return i;
#endif
#endif
#ifdef USE_NSS_CRYPTO
if (SECSuccess == PK11_GenerateRandom((unsigned char *)&i, sizeof(i)))
return i;
#endif
#ifdef HAVE_ARC4RANDOM_BUF
return (int)arc4random();
#elif defined(__COVERITY__)
@ -370,6 +388,9 @@ void li_rand_pseudo_bytes (unsigned char *buf, int num)
if (0 == gnutls_rnd(GNUTLS_RND_NONCE, buf, (size_t)num)) return;
#endif
if (!li_rand_inited) li_rand_init();
#ifdef USE_NSS_CRYPTO
if (SECSuccess == PK11_GenerateRandom(buf, num)) return;
#endif
#ifdef USE_MBEDTLS_CRYPTO
#ifdef MBEDTLS_CTR_DRBG_C
if (0 == mbedtls_ctr_drbg_random(&ctr_drbg, buf, (size_t)num)) return;
@ -389,6 +410,10 @@ int li_rand_bytes (unsigned char *buf, int num)
#ifdef USE_GNUTLS_CRYPTO /* should use GNUTLS_RND_KEY for long-term keys */
if (0 == gnutls_rnd(GNUTLS_RND_RANDOM, buf, (size_t)num)) return 1;
#endif
#ifdef USE_NSS_CRYPTO
if (!li_rand_inited) li_rand_init();
if (SECSuccess == PK11_GenerateRandom(buf, num)) return 1;
#endif
#ifdef USE_NETTLE_CRYPTO
#if 0 /* not implemented: periodic nettle_yarrow256_update() and reseed */
if (!nettle_yarrow256_is_seeded(&yarrow256_ctx)) {

48
src/sys-crypto-md.h
View File

@ -513,6 +513,54 @@ SHA256_Update(SHA256_CTX *ctx, const void *data, size_t length)
return 1;
}
#elif defined(USE_NSS_CRYPTO)
#include <nss3/sechash.h>
#define NSS_gen_hashfuncs(name, typ) \
static inline int \
name##_Init(void **ctx) \
{ \
const SECHashObject * const hashObj = HASH_GetHashObject(typ); \
return ((*ctx=hashObj->create()) != NULL) ? (hashObj->begin(*ctx),1) : 0; \
} \
static inline int \
name##_Final(unsigned char *dest, void **ctx) \
{ \
const SECHashObject * const hashObj = HASH_GetHashObject(typ); \
unsigned int retLen; \
hashObj->end(*ctx, dest, &retLen, hashObj->length); \
hashObj->destroy(*ctx, PR_TRUE); \
return 1; \
} \
static inline int \
name##_Update(void **ctx, const void *src, size_t len) \
{ \
const SECHashObject * const hashObj = HASH_GetHashObject(typ); \
hashObj->update(*ctx, src, (int)len); \
return 1; \
} \
typedef void * name##_CTX
typedef void * SHA_CTX;
#define USE_LIB_CRYPTO_MD5
/* MD5_Init()
* MD5_Update()
* MD5_Final() */
NSS_gen_hashfuncs(MD5, HASH_AlgMD5);
#define USE_LIB_CRYPTO_SHA1
/* SHA1_Init()
* SHA1_Update()
* SHA1_Final() */
NSS_gen_hashfuncs(SHA1, HASH_AlgSHA1);
#define USE_LIB_CRYPTO_SHA256
/* SHA256_Init()
* SHA256_Update()
* SHA256_Final() */
NSS_gen_hashfuncs(SHA256, HASH_AlgSHA256);
#endif
#endif /* USE_LIB_CRYPTO */

1
src/sys-crypto.h
View File

@ -27,6 +27,7 @@
#endif
#ifdef HAVE_NSS3_NSS_H
#define USE_LIB_CRYPTO
#define USE_NSS_CRYPTO
#endif

Write Preview
Loading…
Cancel
Save