From a46f519eb2e8355221eeeede1b36b7aff0e4a4eb Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Tue, 13 Oct 2020 08:26:05 -0400 Subject: [PATCH] [multiple] use NSS crypto if no other crypto avail use NSS crypto if no other crypto avail, but NSS crypto is available "NSS crypto support" is not included in tests/LightyTest.pm:has_crypto() due to NSS libraries (freebl3) lacking public export for HMAC funcs --- configure.ac | 5 +++++ src/mod_nss.c | 2 +- src/mod_secdownload.c | 52 +++++++++++++++++++++++++++++++++++++++++++ src/rand.c | 25 +++++++++++++++++++++ src/sys-crypto-md.h | 48 +++++++++++++++++++++++++++++++++++++++ src/sys-crypto.h | 1 + 6 files changed, 132 insertions(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index 81e5ffd4..095a745d 100644 --- a/configure.ac +++ b/configure.ac @@ -883,10 +883,15 @@ if test "x$use_nss" = "xyes"; then NSS_LIBS="-L$WITH_NSS/lib" else PKG_CHECK_MODULES([NSS],[nss]) + CPPFLAGS="$CPPFLAGS -I/usr/include/nspr4" fi AC_DEFINE([HAVE_NSS3_NSS_H], [1], [nss3/nss.h]) AC_SUBST([NSS_CFLAGS]) AC_SUBST([NSS_LIBS]) + if test "x$CRYPTO_LIB" = "x"; then + CRYPTO_LIB="-lnss3" + AC_SUBST([CRYPTO_LIB]) + fi fi diff --git a/src/mod_nss.c b/src/mod_nss.c index f2ff95b2..11d6396f 100644 --- a/src/mod_nss.c +++ b/src/mod_nss.c @@ -371,7 +371,7 @@ static int mod_nss_init_once_nss (void) /*PR_Init(PR_USER_THREAD, PR_PRIORITY_NORMAL, 0);*//*implicit on first use*/ - if (NSS_NoDB_Init(NULL) < 0) + if (!NSS_IsInitialized() && NSS_NoDB_Init(NULL) < 0) return 0; if (SSL_OptionSetDefault(SSL_ENABLE_SSL2, PR_FALSE) < 0) diff --git a/src/mod_secdownload.c b/src/mod_secdownload.c index df2db6c2..ddd1661a 100644 --- a/src/mod_secdownload.c +++ b/src/mod_secdownload.c @@ -24,6 +24,8 @@ #include #elif defined(USE_WOLFSSL_CRYPTO) #include +#elif defined(USE_NSS_CRYPTO) +#include #endif #endif 
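Review bot: The added `CPPFLAGS="$CPPFLAGS -I/usr/include/nspr4"` in the pkg-config branch of configure.ac hard-codes an absolute host include path. A cross-compile or sysroot build, or a system that installs the NSPR headers elsewhere, will either fail or pick up headers from the build host instead of the ones pkg-config selected. `PKG_CHECK_MODULES([NSS],[nss])` already fills `NSS_CFLAGS`, so `CPPFLAGS="$CPPFLAGS $NSS_CFLAGS"` would carry whatever include directories the nss module declares. The fallback `CRYPTO_LIB="-lnss3"` also carries no `-L`, so when `WITH_NSS` points at a non-default prefix the core binary may link a different libnss3 than mod_nss does. `CRYPTO_LIB="$NSS_LIBS -lnss3"` would keep the two aligned, assuming `NSS_LIBS` is not already applied to that link, which this hunk does not show.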
@@ -267,6 +269,31 @@ static int secdl_verify_mac(plugin_config *config, const char* protected_path, c "hmac-sha1: HMAC() failed"); return 0; } + #elif defined(USE_NSS_CRYPTO) + /*(HMAC* funcs not public export of libfreebl3.so, + * even though nss3/alghmac.h is public (WTH?!))*/ + #if 0 + HMACContext *hmac = + HMAC_Create(HASH_GetHashObject(HASH_AlgSHA1), + (const unsigned char *)config->secret->ptr, + buffer_string_length(config->secret), PR_FALSE); + int rc; + if ((rc = (NULL != hmac) ? SECSuccess : SECFailure)) { + HMAC_Begin(hmac); + HMAC_Update(hmac, (const unsigned char *)protected_path, + strlen(protected_path)); + unsigned int len; + rc = HMAC_Finish(hmac, digest, &len, sizeof(digest)); + HMAC_Destroy(hmac, PR_TRUE); + } + if (SECSuccess != rc) { + log_error(errh, __FILE__, __LINE__, + "hmac-sha1: HMAC() failed"); + return 0; + } + #else + return 0; + #endif #else #error "unexpected; crypto lib not configured for use by mod_secdownload" #endif @@ -332,6 +359,31 @@ static int secdl_verify_mac(plugin_config *config, const char* protected_path, c "hmac-sha256: HMAC() failed"); return 0; } + #elif defined(USE_NSS_CRYPTO) + /*(HMAC* funcs not public export of libfreebl3.so, + * even though nss3/alghmac.h is public (WTH?!))*/ + #if 0 + HMACContext *hmac = + HMAC_Create(HASH_GetHashObject(HASH_AlgSHA256), + (const unsigned char *)config->secret->ptr, + buffer_string_length(config->secret), PR_FALSE); + int rc; + if ((rc = (NULL != hmac) ? SECSuccess : SECFailure)) { + HMAC_Begin(hmac); + HMAC_Update(hmac, (const unsigned char *)protected_path, + strlen(protected_path)); + unsigned int len; + rc = HMAC_Finish(hmac, digest, &len, sizeof(digest)); + HMAC_Destroy(hmac, PR_TRUE); + } + if (SECSuccess != rc) { + log_error(errh, __FILE__, __LINE__, + "hmac-sha256: HMAC() failed"); + return 0; + } + #else + return 0; + #endif #else #error "unexpected; crypto lib not configured for use by mod_secdownload" #endif 
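Review bot: In the `#if 0` block of the hmac-sha1 hunk, `if ((rc = (NULL != hmac) ? SECSuccess : SECFailure))` is inverted. SECSuccess is 0, so the body runs only when `HMAC_Create()` returned NULL and is skipped when it succeeded, leaving `rc == SECSuccess` with `digest` never written for whatever code follows the block. The code is compiled out today, but anyone enabling it later inherits a MAC check over an unset buffer; `int rc = SECFailure;` followed by `if (NULL != hmac) {` avoids that. The live `#else return 0;` path fails closed, which is the right default, but it rejects every request without a log line, unlike the sibling branches that call `log_error(errh, __FILE__, __LINE__, "hmac-sha1: HMAC() failed")`. The hmac-sha256 hunk at -332 repeats both patterns, and secdl_verify_mac begins and ends outside these hunks.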
diff --git a/src/rand.c b/src/rand.c index a15a8e8d..4f656dc3 100644 --- a/src/rand.c +++ b/src/rand.c @@ -26,6 +26,7 @@ #undef USE_WOLFSSL_CRYPTO #undef USE_OPENSSL_CRYPTO #undef USE_GNUTLS_CRYPTO +#undef USE_NSS_CRYPTO #include #include #include @@ -34,22 +35,30 @@ #undef USE_WOLFSSL_CRYPTO #undef USE_OPENSSL_CRYPTO #undef USE_GNUTLS_CRYPTO +#undef USE_NSS_CRYPTO #include #include #endif #ifdef USE_OPENSSL_CRYPTO #undef USE_WOLFSSL_CRYPTO #undef USE_GNUTLS_CRYPTO +#undef USE_NSS_CRYPTO #include /* OPENSSL_VERSION_NUMBER */ #include #endif #ifdef USE_WOLFSSL_CRYPTO #undef USE_GNUTLS_CRYPTO +#undef USE_NSS_CRYPTO #include #endif #ifdef USE_GNUTLS_CRYPTO +#undef USE_NSS_CRYPTO #include #endif +#ifdef USE_NSS_CRYPTO +#include +#include +#endif #ifdef HAVE_GETENTROPY #include #endif @@ -268,6 +277,11 @@ static void li_rand_init (void) #endif #endif #endif + #ifdef USE_NSS_CRYPTO + if (!NSS_IsInitialized() && NSS_NoDB_Init(NULL) < 0) + SEGFAULT(); + PK11_RandomUpdate(xsubi, sizeof(xsubi)); + #endif } void li_rand_reseed (void) @@ -344,6 +358,10 @@ int li_rand_pseudo (void) return i; #endif #endif + #ifdef USE_NSS_CRYPTO + if (SECSuccess == PK11_GenerateRandom((unsigned char *)&i, sizeof(i))) + return i; + #endif #ifdef HAVE_ARC4RANDOM_BUF return (int)arc4random(); #elif defined(__COVERITY__) @@ -370,6 +388,9 @@ void li_rand_pseudo_bytes (unsigned char *buf, int num) if (0 == gnutls_rnd(GNUTLS_RND_NONCE, buf, (size_t)num)) return; #endif if (!li_rand_inited) li_rand_init(); + #ifdef USE_NSS_CRYPTO + if (SECSuccess == PK11_GenerateRandom(buf, num)) return; + #endif #ifdef USE_MBEDTLS_CRYPTO #ifdef MBEDTLS_CTR_DRBG_C if (0 == mbedtls_ctr_drbg_random(&ctr_drbg, buf, (size_t)num)) return; 
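Review bot: The NSS block added to li_rand_pseudo() (hunk at -344) reads and returns `i`, but none of the four added lines declares it. The only other use of `i` visible in the context sits inside another backend's `#ifdef`, and every other backend's include block now does `#undef USE_NSS_CRYPTO`, so those blocks are never enabled together with the NSS one. Unless `i` is declared unconditionally somewhere outside the hunk, an NSS-only build would not compile here; adding `int i;` as the first line inside `#ifdef USE_NSS_CRYPTO` makes the block self-contained. In the li_rand_init() hunk the result of `PK11_RandomUpdate(xsubi, sizeof(xsubi))` is discarded, which deserves at least a comment saying the extra seeding is best-effort.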
@@ -389,6 +410,10 @@ int li_rand_bytes (unsigned char *buf, int num) #ifdef USE_GNUTLS_CRYPTO /* should use GNUTLS_RND_KEY for long-term keys */ if (0 == gnutls_rnd(GNUTLS_RND_RANDOM, buf, (size_t)num)) return 1; #endif + #ifdef USE_NSS_CRYPTO + if (!li_rand_inited) li_rand_init(); + if (SECSuccess == PK11_GenerateRandom(buf, num)) return 1; + #endif #ifdef USE_NETTLE_CRYPTO #if 0 /* not implemented: periodic nettle_yarrow256_update() and reseed */ if (!nettle_yarrow256_is_seeded(&yarrow256_ctx)) { diff --git a/src/sys-crypto-md.h b/src/sys-crypto-md.h index 52054b4a..00a90215 100644 --- a/src/sys-crypto-md.h +++ b/src/sys-crypto-md.h @@ -513,6 +513,54 @@ SHA256_Update(SHA256_CTX *ctx, const void *data, size_t length) return 1; } +#elif defined(USE_NSS_CRYPTO) + +#include + +#define NSS_gen_hashfuncs(name, typ) \ +static inline int \ +name##_Init(void **ctx) \ +{ \ + const SECHashObject * const hashObj = HASH_GetHashObject(typ); \ + return ((*ctx=hashObj->create()) != NULL) ? (hashObj->begin(*ctx),1) : 0; \ +} \ +static inline int \ +name##_Final(unsigned char *dest, void **ctx) \ +{ \ + const SECHashObject * const hashObj = HASH_GetHashObject(typ); \ + unsigned int retLen; \ + hashObj->end(*ctx, dest, &retLen, hashObj->length); \ + hashObj->destroy(*ctx, PR_TRUE); \ + return 1; \ +} \ +static inline int \ +name##_Update(void **ctx, const void *src, size_t len) \ +{ \ + const SECHashObject * const hashObj = HASH_GetHashObject(typ); \ + hashObj->update(*ctx, src, (int)len); \ + return 1; \ +} \ +typedef void * name##_CTX +typedef void * SHA_CTX; + +#define USE_LIB_CRYPTO_MD5 +/* MD5_Init() + * MD5_Update() + * MD5_Final() */ +NSS_gen_hashfuncs(MD5, HASH_AlgMD5); + +#define USE_LIB_CRYPTO_SHA1 +/* SHA1_Init() + * SHA1_Update() + * SHA1_Final() */ +NSS_gen_hashfuncs(SHA1, HASH_AlgSHA1); + +#define USE_LIB_CRYPTO_SHA256 +/* SHA256_Init() + * SHA256_Update() + * SHA256_Final() */ +NSS_gen_hashfuncs(SHA256, HASH_AlgSHA256); + #endif #endif /* USE_LIB_CRYPTO */ 
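Review bot: In `NSS_gen_hashfuncs` (src/sys-crypto-md.h), `name##_Init` returns 0 when `hashObj->create()` yields NULL, but `name##_Update` and `name##_Final` pass `*ctx` straight to `update`/`end`/`destroy` and always return 1. A caller that does not check the Init result therefore hands NSS a NULL context and gets no failure signal for the digest. A guard such as `if (NULL == *ctx) return 0;` at the top of both would close that, and `*ctx = NULL;` after `destroy` would stop a repeated Final from freeing twice. `name##_Update` also narrows `size_t len` with `(int)len`, so an input above INT_MAX is hashed with a wrapped length; rejecting such lengths or feeding the data in bounded chunks keeps the digest over the whole input. Callers are outside this hunk, so whether any of them can reach these cases is not visible here.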
diff --git a/src/sys-crypto.h b/src/sys-crypto.h index 4175ee55..81ab28fb 100644 --- a/src/sys-crypto.h +++ b/src/sys-crypto.h @@ -27,6 +27,7 @@ #endif #ifdef HAVE_NSS3_NSS_H +#define USE_LIB_CRYPTO #define USE_NSS_CRYPTO #endif