[multiple] use NSS crypto if no other crypto avail
use NSS crypto if no other crypto is available, but NSS crypto is. "NSS crypto support" is not included in tests/LightyTest.pm:has_crypto() because the NSS libraries (freebl3) lack a public export for the HMAC functions.
This commit is contained in:
parent
bdb5fb26a8
commit
a46f519eb2
|
@ -883,10 +883,15 @@ if test "x$use_nss" = "xyes"; then
|
|||
NSS_LIBS="-L$WITH_NSS/lib"
|
||||
else
|
||||
PKG_CHECK_MODULES([NSS],[nss])
|
||||
CPPFLAGS="$CPPFLAGS -I/usr/include/nspr4"
|
||||
fi
|
||||
AC_DEFINE([HAVE_NSS3_NSS_H], [1], [nss3/nss.h])
|
||||
AC_SUBST([NSS_CFLAGS])
|
||||
AC_SUBST([NSS_LIBS])
|
||||
if test "x$CRYPTO_LIB" = "x"; then
|
||||
CRYPTO_LIB="-lnss3"
|
||||
AC_SUBST([CRYPTO_LIB])
|
||||
fi
|
||||
fi
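Review bot: CRYPTO_LIB is set to `-lnss3` only when it is still empty, so which library wins depends on the order of the crypto-library checks earlier in configure.ac, which this hunk does not show; a one-line comment above `if test "x$CRYPTO_LIB" = "x"; then` would make the fallback intent explicit, e.g. `# NSS is the lowest-priority crypto provider: used only when no other crypto lib set CRYPTO_LIB`. Separately, `CPPFLAGS="$CPPFLAGS -I/usr/include/nspr4"` hard-codes the NSPR include path right after a PKG_CHECK_MODULES([NSS],[nss]) call that already supplies NSS_CFLAGS (which normally carries the nspr4 include directory); `CPPFLAGS="$CPPFLAGS $NSS_CFLAGS"` would honour non-default prefixes. If that line predates this commit it is a separate fix, but it still defeats the pkg-config lookup sitting directly above it.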
|
||||
|
||||
|
||||
|
|
|
@ -371,7 +371,7 @@ static int mod_nss_init_once_nss (void)
|
|||
|
||||
/*PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);*//*implicit on first use*/
|
||||
|
||||
if (NSS_NoDB_Init(NULL) < 0)
|
||||
if (!NSS_IsInitialized() && NSS_NoDB_Init(NULL) < 0)
|
||||
return 0;
|
||||
|
||||
if (SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_FALSE) < 0)
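Review bot: The new `!NSS_IsInitialized()` guard on NSS_NoDB_Init() makes mod_nss accept whatever initialization another component performed first — in this commit that is li_rand_init() in src/rand.c, which also calls NSS_NoDB_Init(NULL) — so the NSS lifetime is now shared and nothing in the hunk says who may tear it down. If mod_nss calls NSS_Shutdown() in its cleanup (outside this hunk, not visible), the RNG's later PK11_GenerateRandom() calls would start failing and li_rand_* would silently switch sources; a comment such as `/* NSS may already be initialized by li_rand_init(); do not NSS_Shutdown() here */` next to the guard would pin the contract down. Minor: the result is tested with `< 0` while rand.c compares against SECSuccess; `SECSuccess != NSS_NoDB_Init(NULL)` is the conventional form. mod_nss_init_once_nss() starts and ends outside the hunk.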
|
||||
|
|
|
@ -24,6 +24,8 @@
|
|||
#include <gnutls/crypto.h>
|
||||
#elif defined(USE_WOLFSSL_CRYPTO)
|
||||
#include <wolfssl/wolfcrypt/hmac.h>
|
||||
#elif defined(USE_NSS_CRYPTO)
|
||||
#include <nss3/alghmac.h>
|
||||
#endif
|
||||
#endif
|
||||
|
||||
|
@ -267,6 +269,31 @@ static int secdl_verify_mac(plugin_config *config, const char* protected_path, c
|
|||
"hmac-sha1: HMAC() failed");
|
||||
return 0;
|
||||
}
|
||||
#elif defined(USE_NSS_CRYPTO)
|
||||
/*(HMAC* funcs not public export of libfreebl3.so,
|
||||
* even though nss3/alghmac.h is public (WTH?!))*/
|
||||
#if 0
|
||||
HMACContext *hmac =
|
||||
HMAC_Create(HASH_GetHashObject(HASH_AlgSHA1),
|
||||
(const unsigned char *)config->secret->ptr,
|
||||
buffer_string_length(config->secret), PR_FALSE);
|
||||
int rc;
|
||||
if ((rc = (NULL != hmac) ? SECSuccess : SECFailure)) {
|
||||
HMAC_Begin(hmac);
|
||||
HMAC_Update(hmac, (const unsigned char *)protected_path,
|
||||
strlen(protected_path));
|
||||
unsigned int len;
|
||||
rc = HMAC_Finish(hmac, digest, &len, sizeof(digest));
|
||||
HMAC_Destroy(hmac, PR_TRUE);
|
||||
}
|
||||
if (SECSuccess != rc) {
|
||||
log_error(errh, __FILE__, __LINE__,
|
||||
"hmac-sha1: HMAC() failed");
|
||||
return 0;
|
||||
}
|
||||
#else
|
||||
return 0;
|
||||
#endif
|
||||
#else
|
||||
#error "unexpected; crypto lib not configured for use by mod_secdownload"
|
||||
#endif
|
||||
|
@ -332,6 +359,31 @@ static int secdl_verify_mac(plugin_config *config, const char* protected_path, c
|
|||
"hmac-sha256: HMAC() failed");
|
||||
return 0;
|
||||
}
|
||||
#elif defined(USE_NSS_CRYPTO)
|
||||
/*(HMAC* funcs not public export of libfreebl3.so,
|
||||
* even though nss3/alghmac.h is public (WTH?!))*/
|
||||
#if 0
|
||||
HMACContext *hmac =
|
||||
HMAC_Create(HASH_GetHashObject(HASH_AlgSHA256),
|
||||
(const unsigned char *)config->secret->ptr,
|
||||
buffer_string_length(config->secret), PR_FALSE);
|
||||
int rc;
|
||||
if ((rc = (NULL != hmac) ? SECSuccess : SECFailure)) {
|
||||
HMAC_Begin(hmac);
|
||||
HMAC_Update(hmac, (const unsigned char *)protected_path,
|
||||
strlen(protected_path));
|
||||
unsigned int len;
|
||||
rc = HMAC_Finish(hmac, digest, &len, sizeof(digest));
|
||||
HMAC_Destroy(hmac, PR_TRUE);
|
||||
}
|
||||
if (SECSuccess != rc) {
|
||||
log_error(errh, __FILE__, __LINE__,
|
||||
"hmac-sha256: HMAC() failed");
|
||||
return 0;
|
||||
}
|
||||
#else
|
||||
return 0;
|
||||
#endif
|
||||
#else
|
||||
#error "unexpected; crypto lib not configured for use by mod_secdownload"
|
||||
#endif
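Review bot: The `#if 0 … #else return 0; #endif` NSS branches for hmac-sha1 and hmac-sha256 make secdl_verify_mac() reject every request silently when lighttpd is built with NSS as its only crypto library: the bare `return 0;` is the one failure path in these hunks with no log_error(), so an operator sees nothing but 403s. Replace it with `log_error(errh, __FILE__, __LINE__, "hmac-sha256: not supported with NSS crypto (HMAC not exported by libfreebl3)"); return 0;` (and the hmac-sha1 twin), or better, reject `hmac-sha*` algorithms at config time so the misconfiguration is reported once rather than per request. The disabled code also has an inverted check: `if ((rc = (NULL != hmac) ? SECSuccess : SECFailure))` is true only when hmac is NULL, because SECSuccess is 0 and SECFailure is -1, so re-enabling it as written would call HMAC_Begin(NULL) and skip the real work; it should read `if (NULL != hmac) { … rc = HMAC_Finish(…); HMAC_Destroy(hmac, PR_TRUE); } else rc = SECFailure;`. Since `<nss3/alghmac.h>` only serves the `#if 0` block, that include earlier in the file is dead weight, and an HMAC built on the public PK11 API (PK11_CreateContextBySymKey with CKM_SHA256_HMAC / CKM_SHA_1_HMAC) would avoid the freebl export problem entirely. secdl_verify_mac() begins before these hunks.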
|
||||
|
|
25
src/rand.c
25
src/rand.c
|
@ -26,6 +26,7 @@
|
|||
#undef USE_WOLFSSL_CRYPTO
|
||||
#undef USE_OPENSSL_CRYPTO
|
||||
#undef USE_GNUTLS_CRYPTO
|
||||
#undef USE_NSS_CRYPTO
|
||||
#include <nettle/knuth-lfib.h>
|
||||
#include <nettle/arcfour.h>
|
||||
#include <nettle/yarrow.h>
|
||||
|
@ -34,22 +35,30 @@
|
|||
#undef USE_WOLFSSL_CRYPTO
|
||||
#undef USE_OPENSSL_CRYPTO
|
||||
#undef USE_GNUTLS_CRYPTO
|
||||
#undef USE_NSS_CRYPTO
|
||||
#include <mbedtls/ctr_drbg.h>
|
||||
#include <mbedtls/entropy.h>
|
||||
#endif
|
||||
#ifdef USE_OPENSSL_CRYPTO
|
||||
#undef USE_WOLFSSL_CRYPTO
|
||||
#undef USE_GNUTLS_CRYPTO
|
||||
#undef USE_NSS_CRYPTO
|
||||
#include <openssl/opensslv.h> /* OPENSSL_VERSION_NUMBER */
|
||||
#include <openssl/rand.h>
|
||||
#endif
|
||||
#ifdef USE_WOLFSSL_CRYPTO
|
||||
#undef USE_GNUTLS_CRYPTO
|
||||
#undef USE_NSS_CRYPTO
|
||||
#include <wolfssl/wolfcrypt/random.h>
|
||||
#endif
|
||||
#ifdef USE_GNUTLS_CRYPTO
|
||||
#undef USE_NSS_CRYPTO
|
||||
#include <gnutls/crypto.h>
|
||||
#endif
|
||||
#ifdef USE_NSS_CRYPTO
|
||||
#include <nss3/nss.h>
|
||||
#include <nss3/pk11pub.h>
|
||||
#endif
|
||||
#ifdef HAVE_GETENTROPY
|
||||
#include <sys/random.h>
|
||||
#endif
|
||||
|
@ -268,6 +277,11 @@ static void li_rand_init (void)
|
|||
#endif
|
||||
#endif
|
||||
#endif
|
||||
#ifdef USE_NSS_CRYPTO
|
||||
if (!NSS_IsInitialized() && NSS_NoDB_Init(NULL) < 0)
|
||||
SEGFAULT();
|
||||
PK11_RandomUpdate(xsubi, sizeof(xsubi));
|
||||
#endif
|
||||
}
|
||||
|
||||
void li_rand_reseed (void)
|
||||
|
@ -344,6 +358,10 @@ int li_rand_pseudo (void)
|
|||
return i;
|
||||
#endif
|
||||
#endif
|
||||
#ifdef USE_NSS_CRYPTO
|
||||
if (SECSuccess == PK11_GenerateRandom((unsigned char *)&i, sizeof(i)))
|
||||
return i;
|
||||
#endif
|
||||
#ifdef HAVE_ARC4RANDOM_BUF
|
||||
return (int)arc4random();
|
||||
#elif defined(__COVERITY__)
|
||||
|
@ -370,6 +388,9 @@ void li_rand_pseudo_bytes (unsigned char *buf, int num)
|
|||
if (0 == gnutls_rnd(GNUTLS_RND_NONCE, buf, (size_t)num)) return;
|
||||
#endif
|
||||
if (!li_rand_inited) li_rand_init();
|
||||
#ifdef USE_NSS_CRYPTO
|
||||
if (SECSuccess == PK11_GenerateRandom(buf, num)) return;
|
||||
#endif
|
||||
#ifdef USE_MBEDTLS_CRYPTO
|
||||
#ifdef MBEDTLS_CTR_DRBG_C
|
||||
if (0 == mbedtls_ctr_drbg_random(&ctr_drbg, buf, (size_t)num)) return;
|
||||
|
@ -389,6 +410,10 @@ int li_rand_bytes (unsigned char *buf, int num)
|
|||
#ifdef USE_GNUTLS_CRYPTO /* should use GNUTLS_RND_KEY for long-term keys */
|
||||
if (0 == gnutls_rnd(GNUTLS_RND_RANDOM, buf, (size_t)num)) return 1;
|
||||
#endif
|
||||
#ifdef USE_NSS_CRYPTO
|
||||
if (!li_rand_inited) li_rand_init();
|
||||
if (SECSuccess == PK11_GenerateRandom(buf, num)) return 1;
|
||||
#endif
|
||||
#ifdef USE_NETTLE_CRYPTO
|
||||
#if 0 /* not implemented: periodic nettle_yarrow256_update() and reseed */
|
||||
if (!nettle_yarrow256_is_seeded(&yarrow256_ctx)) {
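Review bot: In li_rand_init() the NSS branch aborts via SEGFAULT() when NSS_NoDB_Init() fails, whereas li_rand_pseudo(), li_rand_pseudo_bytes() and li_rand_bytes() all treat a failing PK11_GenerateRandom() as non-fatal and fall through to the next source; if a crash is the intended policy for an uninitializable crypto library (the other backends' init branches sit outside the hunk, so this may match them), say so next to the call, e.g. `/* NSS unavailable at startup is fatal; later PK11_GenerateRandom() failures fall back to other sources */`. The init check is written `NSS_NoDB_Init(NULL) < 0` while the three call sites compare `SECSuccess == …`; `SECSuccess != NSS_NoDB_Init(NULL)` keeps the comparisons uniform. The PK11_RandomUpdate() return value is dropped, which is acceptable for opportunistic seeding but deserves a `(void)` cast to show it is deliberate. Because rand.c now initializes NSS itself, any later NSS_Shutdown() elsewhere (not visible here) would make li_rand_bytes() and li_rand_pseudo() silently change entropy source; a comment on who owns NSS shutdown would help.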
|
||||
|
|
|
@ -513,6 +513,54 @@ SHA256_Update(SHA256_CTX *ctx, const void *data, size_t length)
|
|||
return 1;
|
||||
}
|
||||
|
||||
#elif defined(USE_NSS_CRYPTO)
|
||||
|
||||
#include <nss3/sechash.h>
|
||||
|
||||
#define NSS_gen_hashfuncs(name, typ) \
|
||||
static inline int \
|
||||
name##_Init(void **ctx) \
|
||||
{ \
|
||||
const SECHashObject * const hashObj = HASH_GetHashObject(typ); \
|
||||
return ((*ctx=hashObj->create()) != NULL) ? (hashObj->begin(*ctx),1) : 0; \
|
||||
} \
|
||||
static inline int \
|
||||
name##_Final(unsigned char *dest, void **ctx) \
|
||||
{ \
|
||||
const SECHashObject * const hashObj = HASH_GetHashObject(typ); \
|
||||
unsigned int retLen; \
|
||||
hashObj->end(*ctx, dest, &retLen, hashObj->length); \
|
||||
hashObj->destroy(*ctx, PR_TRUE); \
|
||||
return 1; \
|
||||
} \
|
||||
static inline int \
|
||||
name##_Update(void **ctx, const void *src, size_t len) \
|
||||
{ \
|
||||
const SECHashObject * const hashObj = HASH_GetHashObject(typ); \
|
||||
hashObj->update(*ctx, src, (int)len); \
|
||||
return 1; \
|
||||
} \
|
||||
typedef void * name##_CTX
|
||||
typedef void * SHA_CTX;
|
||||
|
||||
#define USE_LIB_CRYPTO_MD5
|
||||
/* MD5_Init()
|
||||
* MD5_Update()
|
||||
* MD5_Final() */
|
||||
NSS_gen_hashfuncs(MD5, HASH_AlgMD5);
|
||||
|
||||
#define USE_LIB_CRYPTO_SHA1
|
||||
/* SHA1_Init()
|
||||
* SHA1_Update()
|
||||
* SHA1_Final() */
|
||||
NSS_gen_hashfuncs(SHA1, HASH_AlgSHA1);
|
||||
|
||||
#define USE_LIB_CRYPTO_SHA256
|
||||
/* SHA256_Init()
|
||||
* SHA256_Update()
|
||||
* SHA256_Final() */
|
||||
NSS_gen_hashfuncs(SHA256, HASH_AlgSHA256);
|
||||
|
||||
#endif
|
||||
|
||||
#endif /* USE_LIB_CRYPTO */
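Review bot: `name##_Update` narrows its `size_t len` with `(int)len` before handing it to `hashObj->update`, whose length parameter in sechash.h is an unsigned int; an input longer than INT_MAX becomes negative and then wraps to a huge unsigned value, so the hash would read past the buffer rather than fail. The callers in this tree probably never pass such lengths, but the wrapper presents itself as the generic SHA/MD5 API, so it should either chunk the input (below; UINT_MAX needs `<limits.h>`, or use a fixed chunk such as `1u << 30`) or at least `assert(len <= UINT_MAX)` with a comment. Worth documenting too: unlike the other backends' stack-allocated contexts, `*ctx` here is heap memory from `hashObj->create()` that is freed only in `name##_Final`, so a caller that bails out between Init and Final leaks it, and `name##_Final` leaves `*ctx` dangling after `destroy`; a comment on the typedef line such as `/* NSS ctx is heap-allocated by _Init and freed only by _Final */` would warn maintainers.

```c
static inline int \
name##_Update(void **ctx, const void *src, size_t len) \
{ \
    const SECHashObject * const hashObj = HASH_GetHashObject(typ); \
    const unsigned char *p = src; \
    /* SECHashObject update() takes an unsigned int; feed oversized input in chunks */ \
    while (len > UINT_MAX) { \
        hashObj->update(*ctx, p, UINT_MAX); \
        p += UINT_MAX; \
        len -= UINT_MAX; \
    } \
    hashObj->update(*ctx, p, (unsigned int)len); \
    return 1; \
} \
/* … unchanged: name##_Init, name##_Final, typedef name##_CTX … */
```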
|
||||
|
|
|
@ -27,6 +27,7 @@
|
|||
#endif
|
||||
|
||||
#ifdef HAVE_NSS3_NSS_H
|
||||
#define USE_LIB_CRYPTO
|
||||
#define USE_NSS_CRYPTO
|
||||
#endif
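Review bot: This block defines USE_NSS_CRYPTO whenever HAVE_NSS3_NSS_H is set, regardless of whether another crypto library was already selected, so the "only if no other crypto is available" rule from the commit message is enforced by each consumer instead (src/rand.c adds an `#undef USE_NSS_CRYPTO` to every other backend's branch, and sys-crypto-md.h and mod_secdownload.c rely on `#elif` ordering). If this block sits after the other HAVE_* blocks in sys-crypto.h (the preceding `#endif` suggests it does, but the file order is not visible here), guarding it as `#if defined(HAVE_NSS3_NSS_H) && !defined(USE_LIB_CRYPTO)` would implement the precedence in one place and let the per-file `#undef`s go. At minimum a comment such as `/* lowest precedence: consumers must #undef USE_NSS_CRYPTO when another lib is in use */` would tell the next backend author what is expected of them.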
|
||||
|
||||
|
|