Browse Source

[mod_mbedtls] mbedTLS option for TLS

(experimental)

mod_mbedtls supports most ssl.* config options supported by mod_openssl

thx Ward Willats for the initial discussion and attempt in the comments
  https://redmine.lighttpd.net/boards/3/topics/7029
personal/stbuehler/ci-build
Glenn Strauss 2 years ago
parent
commit
cb753ec5b5
  1. 12
      SConstruct
  2. 45
      configure.ac
  3. 5
      meson_options.txt
  4. 29
      src/CMakeLists.txt
  5. 8
      src/Makefile.am
  6. 3
      src/SConscript
  7. 23
      src/algo_sha1.h
  8. 4
      src/configfile.c
  9. 18
      src/meson.build
  10. 16
      src/mod_auth.c
  11. 32
      src/mod_authn_file.c
  12. 3478
      src/mod_mbedtls.c
  13. 34
      src/mod_secdownload.c
  14. 10
      src/network.c
  15. 67
      src/rand.c
  16. 15
      src/server.c
  17. 6
      src/sys-crypto.h

12
SConstruct

@ -252,6 +252,7 @@ vars.AddVariables(
BoolVariable('with_memcached', 'enable memcached support', 'no'),
PackageVariable('with_mysql', 'enable mysql support', 'no'),
BoolVariable('with_openssl', 'enable openssl support', 'no'),
PackageVariable('with_mbedtls', 'enable mbedTLS support', 'no'),
PackageVariable('with_wolfssl', 'enable wolfSSL support', 'no'),
BoolVariable('with_nettle', 'enable Nettle support', 'no'),
BoolVariable('with_pam', 'enable PAM auth support', 'no'),
@ -341,6 +342,7 @@ if 1:
LIBSQLITE3 = '',
LIBSSL = '',
LIBUUID = '',
LIBX509 = '',
LIBXML2 = '',
LIBZ = '',
)
@ -609,6 +611,16 @@ if 1:
LIBCRYPTO = 'wolfssl',
)
if env['with_mbedtls']:
if not autoconf.CheckLibWithHeader('mbedtls', 'mbedtls/ssl.h', 'C'):
fail("Couldn't find mbedtls")
autoconf.env.Append(
CPPFLAGS = [ '-DHAVE_LIBMBEDCRYPTO' ],
LIBSSL = 'mbedtls',
LIBX509 = 'mbedx509',
LIBCRYPTO = 'mbedcrypto',
)
if env['with_nettle']:
if not autoconf.CheckLibWithHeader('nettle', 'nettle/nettle-types.h', 'C'):
fail("Couldn't find Nettle")

45
configure.ac

@ -686,7 +686,7 @@ if test "$WITH_OPENSSL" != no; then
[ -lcrypto "$DL_LIB" ]
)
AC_DEFINE([HAVE_LIBSSL], [], [Have libssl])
AC_DEFINE([HAVE_LIBSSL], [1], [Have libssl])
AC_SUBST([SSL_LIB])
AC_SUBST([CRYPTO_LIB])
fi
@ -737,6 +737,46 @@ if test "$WITH_OPENSSL" != no && test "$WITH_WOLFSSL" != no; then
AC_MSG_ERROR([lighttpd should not be built with both --with-openssl and --with-wolfssl])
fi
dnl Check for mbedTLS
AC_MSG_NOTICE([----------------------------------------])
AC_MSG_CHECKING([for mbedTLS])
AC_ARG_WITH([mbedtls],
AC_HELP_STRING([--with-mbedtls@<:@=DIR@:>@],[Include mbedTLS support. DIR points to the installation root. (default no)]),
[WITH_MBEDTLS=$withval],
[WITH_MBEDTLS=no]
)
if test "$WITH_MBEDTLS" != "no"; then
use_mbedtls=yes
if test "$WITH_MBEDTLS" != "yes"; then
CPPFLAGS="$CPPFLAGS -I$WITH_MBEDTLS/include"
LDFLAGS="$LDFLAGS -L$WITH_MBEDTLS/lib"
fi
else
use_mbedtls=no
fi
AC_MSG_RESULT([$use_mbedtls])
AM_CONDITIONAL(BUILD_WITH_MBEDTLS, test ! $WITH_MBEDTLS = no)
if test "x$use_mbedtls" = "xyes"; then
AC_CHECK_HEADERS([mbedtls/ssl.h])
OLDLIBS="$LIBS"
AC_CHECK_LIB(mbedcrypto,mbedtls_base64_encode,
[AC_CHECK_LIB(mbedx509, mbedtls_x509_get_name,
[AC_CHECK_LIB(mbedtls, mbedtls_cipher_info_from_type,
[MTLS_LIB="-lmbedtls -lmbedx509 -lmbedcrypto"
CRYPTO_LIB="-lmbedcrypto"
AC_DEFINE(HAVE_LIBMBEDTLS, [1], [Have libmbedtls library])
AC_DEFINE(HAVE_LIBMBEDX509, [1], [Have libmbedx509 library])
AC_DEFINE(HAVE_LIBMBEDCRYPTO, [1], [Have libmbedcrypto library]) ],
[],[-lmbedcrypto "$DL_LIB"])
],[],[-lmbedcrypto "$DL_LIB"])
],[],[])
LIBS="$OLDLIBS"
AC_SUBST(MTLS_LIB)
AC_SUBST(CRYPTO_LIB)
fi
dnl Check for Nettle (and overwrite CRYPTO_LIB if set by OpenSSL or wolfSSL)
AC_MSG_NOTICE([----------------------------------------])
AC_MSG_CHECKING([for Nettle])
@ -1560,6 +1600,9 @@ lighty_track_feature "pam" "mod_authn_pam" \
lighty_track_feature "network-openssl" "mod_openssl" \
'test "$WITH_OPENSSL" != no || test "$WITH_WOLFSSL" != no'
lighty_track_feature "network-mbedtls" "mod_mbedtls" \
'test "$WITH_MBEDTLS" != no'
lighty_track_feature "auth-crypt" "" \
'test "$found_crypt" != no'

5
meson_options.txt

@ -53,6 +53,11 @@ option('with_maxminddb',
value: false,
description: 'with MaxMind GeoIP2-support mod_maxminddb [default: off]',
)
option('with_mbedtls',
type: 'string',
value: 'false',
description: 'with mbedTLS-support [default: off]',
)
option('with_memcached',
type: 'boolean',
value: false,

29
src/CMakeLists.txt

@ -20,6 +20,7 @@ option(WITH_XATTR "with xattr-support for the stat-cache [default: off]")
option(WITH_MYSQL "with mysql-support for mod_vhostdb_mysql [default: off]")
option(WITH_PGSQL "with postgres-support for mod_vhostdb_pgsql [default: off]")
option(WITH_DBI "with dbi-support for mod_vhostdb_dbi [default: off]")
option(WITH_MBEDTLS "with mbedTLS-support [default: off]")
option(WITH_OPENSSL "with openssl-support [default: off]")
option(WITH_WOLFSSL "with wolfSSL-support [default: off]")
option(WITH_NETTLE "with Nettle-support [default: off]")
@ -371,6 +372,24 @@ if(WITH_OPENSSL AND WITH_WOLFSSL)
message(FATAL_ERROR "lighttpd should not be built with both --with-openssl and --with-wolfssl")
endif()
if(WITH_MBEDTLS)
check_include_files(mbedtls/ssl.h HAVE_MBEDTLS_SSL_H)
if(HAVE_MBEDTLS_SSL_H)
check_library_exists(mbedcrypto mbedtls_base64_encode "" HAVE_LIBMBEDCRYPTO)
if(HAVE_LIBMEDTLSCRYPTO)
check_library_exists(mbedtls mbedtls_cipher_info_from_type "" HAVE_LIBMBEDTLS)
if(HAVE_LIBMBEDTLS)
check_library_exists(mbedx509 mbedtls_x509_get_name "" HAVE_LIBMBEDX509)
endif()
endif()
endif()
else()
unset(HAVE_MBEDTLS_SSL_H)
unset(HAVE_LIBMBEDCRYPTO)
unset(HAVE_LIBMBEDTLS)
unset(HAVE_LIBMEDX509)
endif()
if(WITH_NETTLE)
if(APPLE)
set(CMAKE_REQUIRED_INCLUDES /opt/local/include)
@ -1070,6 +1089,16 @@ if(NOT ${CRYPTO_LIBRARY} EQUAL "")
target_link_libraries(mod_wstunnel ${CRYPTO_LIBRARY})
endif()
if(HAVE_LIBMBEDTLS AND HAVE_LIBMEDCRYPTO AND HAVE_LIBMEDX509)
target_link_libraries(lighttpd mbedtls)
target_link_libraries(lighttpd mbedcrypto)
target_link_libraries(lighttpd mbedx509)
add_and_install_library(mod_mbedtls "mod_mbedtls.c")
set(L_MOD_MBEDTLS ${L_MOD_MBEDTLS} mbedtls mbedcrypto mbedx509)
target_link_libraries(mod_mbedtls ${L_MOD_MBEDTLS})
# not doing "cross module" linkage yet (e.g. mod_authn, secdownload)
endif()
if(WITH_LIBEV)
target_link_libraries(lighttpd ${LIBEV_LDFLAGS})
add_target_properties(lighttpd COMPILE_FLAGS ${LIBEV_CFLAGS})

8
src/Makefile.am

@ -391,6 +391,14 @@ mod_openssl_la_LDFLAGS = $(common_module_ldflags)
mod_openssl_la_LIBADD = $(SSL_LIB) $(common_libadd)
endif
if BUILD_WITH_MBEDTLS
lib_LTLIBRARIES += mod_mbedtls.la
mod_mbedtls_la_SOURCES = mod_mbedtls.c
mod_mbedtls_la_LDFLAGS = $(common_module_ldflags)
mod_mbedtls_la_LIBADD = $(MTLS_LIB) $(common_libadd)
endif
lib_LTLIBRARIES += mod_rewrite.la
mod_rewrite_la_SOURCES = mod_rewrite.c
mod_rewrite_la_LDFLAGS = $(common_module_ldflags)

3
src/SConscript

@ -179,6 +179,9 @@ if env['with_openssl']:
if env['with_wolfssl']:
modules['mod_openssl'] = { 'src' : [ 'mod_openssl.c' ], 'lib' : [ env['LIBCRYPTO'], 'm' ] }
if env['with_mbedtls']:
modules['mod_mbedtls'] = { 'src' : [ 'mod_mbedtls.c' ], 'lib' : [ env['LIBSSL'], env['LIBX509'], env['LIBCRYPTO'] ] }
staticenv = env.Clone(CPPFLAGS=[ env['CPPFLAGS'], '-DLIGHTTPD_STATIC' ])
## all the core-sources + the modules

23
src/algo_sha1.h

@ -4,6 +4,12 @@
#include "sys-crypto.h" /* USE_LIB_CRYPTO */
#ifdef USE_LIB_CRYPTO
#if (!defined(USE_MBEDTLS_CRYPTO) || defined(MBEDTLS_SHA1_C))
#define USE_LIB_CRYPTO_SHA1
#endif
#endif
#ifdef USE_LIB_CRYPTO_SHA1
#ifdef USE_NETTLE_CRYPTO
#include <nettle/sha.h>
@ -21,6 +27,23 @@ SHA1_Update(SHA_CTX *ctx, const void *data, size_t length)
sha1_update(ctx, length, data);
}
#elif defined(USE_MBEDTLS_CRYPTO) && defined(MBEDTLS_SHA1_C)
#include <mbedtls/sha1.h>
#ifndef SHA_DIGEST_LENGTH
#define SHA_DIGEST_LENGTH 20
#endif
typedef struct mbedtls_sha1_context SHA_CTX;
#define SHA1_Init(ctx) \
(mbedtls_sha1_init(ctx), mbedtls_sha1_starts_ret(ctx))
#define SHA1_Final(digest, ctx) \
(mbedtls_sha1_finish_ret((ctx),(digest)), mbedtls_sha1_free(ctx))
static void
SHA1_Update(SHA_CTX *ctx, const void *data, size_t length)
{
mbedtls_sha1_update_ret(ctx, data, length);
}
#elif defined(USE_OPENSSL_CRYPTO)
#include <openssl/sha.h>

4
src/configfile.c

@ -307,6 +307,8 @@ static void config_compat_module_load (server *srv) {
append_mod_staticfile = 0;
else if (buffer_eq_slen(m, CONST_STR_LEN("mod_dirlisting")))
append_mod_dirlisting = 0;
else if (buffer_eq_slen(m, CONST_STR_LEN("mod_mbedtls")))
append_mod_openssl = 0;
else if (buffer_eq_slen(m, CONST_STR_LEN("mod_openssl")))
append_mod_openssl = 0;
else if (buffer_eq_slen(m, CONST_STR_LEN("mod_authn_file")))
@ -702,7 +704,7 @@ static int config_insert_srvconf(server *srv) {
break;
case 30:/* ssl.engine */
ssl_enabled = (0 != cpv->v.u);
#ifndef USE_OPENSSL_CRYPTO
#if !defined(USE_OPENSSL_CRYPTO) && !defined(USE_MBEDTLS_CRYPTO)
if (ssl_enabled) {
log_error(srv->errh, __FILE__, __LINE__,
"ssl support is missing; "

18
src/meson.build

@ -395,6 +395,7 @@ if get_option('with_mysql')
endif
libssl = []
libx509 = []
libcrypto = []
if get_option('with_openssl')
# manual search:
@ -420,6 +421,17 @@ if get_option('with_wolfssl') != 'false'
libcrypto += libwolfssl_includes_dep
conf_data.set('HAVE_WOLFSSL_SSL_H', true)
endif
if get_option('with_mbedtls')
# manual search:
# header: mbedtls/ssl.h
# function: mbedtls_cipher_info_from_type (-lmbedtls)
# function: mbedtls_x509_get_name (-lmbedx509)
# function: mbedtls_base64_encode (-lmbedcrypto)
libssl = [ dependency('libmbedtls') ]
libx509 = [ dependency('libmbedx509') ]
libcrypto = [ dependency('libmbedcrypto') ]
conf_data.set('HAVE_LIBMBEDCRYPTO', true)
endif
if get_option('with_nettle') != 'false'
# manual search:
# header: nettle/nettle-types.h
@ -973,6 +985,12 @@ if get_option('with_wolfssl') != 'false'
]
endif
if get_option('with_mbedtls') != 'false'
modules += [
[ 'mod_mbedtls', [ 'mod_mbedtls.c' ], libssl + libx509 + libcrypto ],
]
endif
if get_option('with_pam')
modules += [
[ 'mod_authn_pam', [ 'mod_authn_pam.c' ], libpam ],

16
src/mod_auth.c

@ -37,6 +37,22 @@ SHA512_256_Update(SHA512_CTX *ctx, const void *data, size_t length)
sha512_256_update(ctx, length, data);
}
#elif defined(USE_MBEDTLS_CRYPTO)
#include <mbedtls/sha256.h>
#ifdef MBEDTLS_SHA256_C
typedef struct mbedtls_sha256_context SHA256_CTX;
#define SHA256_Init(ctx) \
(mbedtls_sha256_init(ctx), mbedtls_sha256_starts_ret((ctx),0))
#define SHA256_Final(digest, ctx) \
(mbedtls_sha256_finish_ret((ctx),(digest)), mbedtls_sha256_free(ctx))
static void
SHA256_Update(SHA256_CTX *ctx, const void *data, size_t length)
{
mbedtls_sha256_update_ret(ctx, data, length);
}
#endif
#elif defined(USE_OPENSSL_CRYPTO)
#include <openssl/sha.h>

32
src/mod_authn_file.c

@ -58,6 +58,38 @@ SHA512_256_Update(SHA512_CTX *ctx, const void *data, size_t length)
sha512_256_update(ctx, length, data);
}
#elif defined(USE_MBEDTLS_CRYPTO)
#include <mbedtls/md4.h>
#ifdef MBEDTLS_MD4_C
typedef struct mbedtls_md4_context MD4_CTX;
#define MD4_Init(ctx) \
(mbedtls_md4_init(ctx), mbedtls_md4_starts_ret(ctx))
#define MD4_Final(digest, ctx) \
(mbedtls_md4_finish_ret((ctx),(digest)), mbedtls_md4_free(ctx))
static void
MD4_Update(MD4_CTX *ctx, const void *data, size_t length)
{
mbedtls_md4_update_ret(ctx, data, length);
}
#else /*(mbedTLS built without MD4)*/
#define NO_MD4
#endif
#include <mbedtls/sha256.h>
#ifdef MBEDTLS_SHA256_C
typedef struct mbedtls_sha256_context SHA256_CTX;
#define SHA256_Init(ctx) \
(mbedtls_sha256_init(ctx), mbedtls_sha256_starts_ret((ctx),0))
#define SHA256_Final(digest, ctx) \
(mbedtls_sha256_finish_ret((ctx),(digest)), mbedtls_sha256_free(ctx))
static void
SHA256_Update(SHA256_CTX *ctx, const void *data, size_t length)
{
mbedtls_sha256_update_ret(ctx, data, length);
}
#endif
#elif defined(USE_OPENSSL_CRYPTO)
#include <openssl/md4.h>

3478
src/mod_mbedtls.c

File diff suppressed because it is too large

34
src/mod_secdownload.c

@ -15,6 +15,8 @@
#ifdef USE_LIB_CRYPTO
#if defined(USE_NETTLE_CRYPTO)
#include <nettle/hmac.h>
#elif defined(USE_MBEDTLS_CRYPTO)
#include <mbedtls/md.h>
#elif defined(USE_OPENSSL_CRYPTO)
#include <openssl/evp.h>
#include <openssl/hmac.h>
@ -180,8 +182,8 @@ static int secdl_verify_mac(plugin_config *config, const char* protected_path, c
return const_time_memeq((char *)HA1, (char *)md5bin, sizeof(md5bin));
}
#ifdef USE_LIB_CRYPTO
case SECDL_HMAC_SHA1:
#ifdef USE_LIB_CRYPTO
{
unsigned char digest[20];
char base64_digest[27];
@ -191,6 +193,18 @@ static int secdl_verify_mac(plugin_config *config, const char* protected_path, c
hmac_sha1_set_key(&ctx, buffer_string_length(config->secret), (const uint8_t *)config->secret->ptr);
hmac_sha1_update(&ctx, strlen(protected_path), (const uint8_t *)protected_path);
hmac_sha1_digest(&ctx, sizeof(digest), (uint8_t *)digest);
#elif defined(USE_MBEDTLS_CRYPTO) && defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA1_C)
int rc =
mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA1),
(const unsigned char *)config->secret->ptr,
buffer_string_length(config->secret),
(const unsigned char *)protected_path,
strlen(protected_path), digest);
if (0 != rc) {
log_error(errh, __FILE__, __LINE__,
"hmac-sha1: HMAC() failed");
return 0;
}
#elif defined(USE_OPENSSL_CRYPTO)
if (NULL == HMAC(
EVP_sha1(),
@ -209,10 +223,8 @@ static int secdl_verify_mac(plugin_config *config, const char* protected_path, c
return (27 == maclen) && const_time_memeq(mac, base64_digest, 27);
}
#endif
break;
case SECDL_HMAC_SHA256:
#ifdef USE_LIB_CRYPTO
{
unsigned char digest[32];
char base64_digest[43];
@ -222,6 +234,18 @@ static int secdl_verify_mac(plugin_config *config, const char* protected_path, c
hmac_sha256_set_key(&ctx, buffer_string_length(config->secret), (const uint8_t *)config->secret->ptr);
hmac_sha256_update(&ctx, strlen(protected_path), (const uint8_t *)protected_path);
hmac_sha256_digest(&ctx, sizeof(digest), (uint8_t *)digest);
#elif defined(USE_MBEDTLS_CRYPTO) && defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA256_C)
int rc =
mbedtls_md_hmac(mbedtls_md_info_from_type(MBEDTLS_MD_SHA256),
(const unsigned char *)config->secret->ptr,
buffer_string_length(config->secret),
(const unsigned char *)protected_path,
strlen(protected_path), digest);
if (0 != rc) {
log_error(errh, __FILE__, __LINE__,
"hmac-sha256: HMAC() failed");
return 0;
}
#elif defined(USE_OPENSSL_CRYPTO)
if (NULL == HMAC(
EVP_sha256(),
@ -240,7 +264,9 @@ static int secdl_verify_mac(plugin_config *config, const char* protected_path, c
return (43 == maclen) && const_time_memeq(mac, base64_digest, 43);
}
#endif
break;
#endif
default:
break;
}

10
src/network.c

@ -142,6 +142,7 @@ typedef struct {
/* global or per-socket config; not patched per connection */
int listen_backlog;
unsigned char ssl_enabled;
unsigned char mbedtls_enabled; /* TODO: more integration needed ... */
unsigned char use_ipv6;
unsigned char set_v6only; /* set_v6only is only a temporary option */
unsigned char defer_accept;
@ -264,7 +265,7 @@ static int network_server_init(server *srv, network_socket_config *s, buffer *ho
memcpy(&srv_socket->addr, &addr, addr_len);
srv_socket->fd = -1;
srv_socket->sidx = sidx;
srv_socket->is_ssl = s->ssl_enabled;
srv_socket->is_ssl = (s->ssl_enabled || s->mbedtls_enabled);
srv_socket->srv = srv;
srv_socket->srv_token = buffer_init_buffer(host_token);
@ -383,7 +384,7 @@ static int network_server_init(server *srv, network_socket_config *s, buffer *ho
return -1;
}
if (s->ssl_enabled) {
if (s->ssl_enabled || s->mbedtls_enabled) {
#ifdef TCP_DEFER_ACCEPT
} else if (s->defer_accept) {
int v = s->defer_accept;
@ -514,6 +515,11 @@ int network_init(server *srv, int stdin_fd) {
,{ CONST_STR_LEN("server.set-v6only"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
#if 0 /* TODO: more integration needed ... */
,{ CONST_STR_LEN("mbedtls.engine"),
T_CONFIG_BOOL,
T_CONFIG_SCOPE_CONNECTION }
#endif
,{ NULL, 0,
T_CONFIG_UNSET,
T_CONFIG_SCOPE_UNSET }

67
src/rand.c

@ -1,6 +1,7 @@
#include "first.h"
#include "rand.h"
#include "buffer.h"
#include "fdevent.h"
#include "safe_memclear.h"
@ -15,11 +16,17 @@
#include "sys-crypto.h" /* USE_LIB_CRYPTO */
#ifdef USE_NETTLE_CRYPTO
#undef USE_MBEDTLS_CRYPTO
#undef USE_OPENSSL_CRYPTO
#include <nettle/knuth-lfib.h>
#include <nettle/arcfour.h>
#include <nettle/yarrow.h>
#endif
#ifdef USE_MBEDTLS_CRYPTO
#undef USE_OPENSSL_CRYPTO
#include <mbedtls/ctr_drbg.h>
#include <mbedtls/entropy.h>
#endif
#ifdef USE_OPENSSL_CRYPTO
#include <openssl/opensslv.h> /* OPENSSL_VERSION_NUMBER */
#include <openssl/rand.h>
@ -132,6 +139,14 @@ static int li_rand_device_bytes (unsigned char *buf, int num)
static int li_rand_inited;
static unsigned short xsubi[3];
#ifdef USE_MBEDTLS_CRYPTO
#ifdef MBEDTLS_ENTROPY_C
static mbedtls_entropy_context entropy;
#ifdef MBEDTLS_CTR_DRBG_C
static mbedtls_ctr_drbg_context ctr_drbg;
#endif
#endif
#endif
#ifdef USE_NETTLE_CRYPTO
static struct knuth_lfib_ctx knuth_lfib_ctx;
static struct arcfour_ctx arcfour_ctx;
@ -206,10 +221,33 @@ static void li_rand_init (void)
RAND_poll();
RAND_seed(xsubi, (int)sizeof(xsubi));
#endif
#ifdef USE_MBEDTLS_CRYPTO
#ifdef MBEDTLS_ENTROPY_C
mbedtls_entropy_init(&entropy);
#ifdef MBEDTLS_CTR_DRBG_C
mbedtls_ctr_drbg_init(&ctr_drbg);
int rc =
mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
(unsigned char *)xsubi, sizeof(xsubi));
if (0 != rc) /*(not expecting built-in entropy function to fail)*/
log_failed_assert(__FILE__, __LINE__, "mbedtls_ctr_drbg_seed() failed");
#endif
#endif
#endif
}
void li_rand_reseed (void)
{
#ifdef USE_MBEDTLS_CRYPTO
if (li_rand_inited) {
#ifdef MBEDTLS_ENTROPY_C
#ifdef MBEDTLS_CTR_DRBG_C
mbedtls_ctr_drbg_free(&ctr_drbg);
#endif
mbedtls_entropy_free(&entropy);
#endif
}
#endif
if (li_rand_inited) li_rand_init();
}
@ -229,6 +267,13 @@ int li_rand_pseudo (void)
nettle_arcfour_crypt(&arcfour_ctx, sizeof(i), (uint8_t *)&i, (uint8_t *)&i);
if (i) return i; /*(cond to avoid compiler warning for code after return)*/
#endif
#ifdef USE_MBEDTLS_CRYPTO
#ifdef MBEDTLS_CTR_DRBG_C
int i;
if (0 == mbedtls_ctr_drbg_random(&ctr_drbg, (unsigned char *)&i, sizeof(i)))
return i;
#endif
#endif
#ifdef HAVE_ARC4RANDOM_BUF
return (int)arc4random();
#elif defined(HAVE_SRANDOM)
@ -246,6 +291,11 @@ int li_rand_pseudo (void)
void li_rand_pseudo_bytes (unsigned char *buf, int num)
{
#ifdef USE_MBEDTLS_CRYPTO
#ifdef MBEDTLS_CTR_DRBG_C
if (0 == mbedtls_ctr_drbg_random(&ctr_drbg, buf, (size_t)num)) return;
#endif
#endif
for (int i = 0; i < num; ++i)
buf[i] = li_rand_pseudo() & 0xFF;
}
@ -272,6 +322,15 @@ int li_rand_bytes (unsigned char *buf, int num)
if (-1 != rc) {
return rc;
}
#endif
#ifdef USE_MBEDTLS_CRYPTO
#ifdef MBEDTLS_ENTROPY_C
/*(each call <= MBEDTLS_ENTROPY_BLOCK_SIZE; could implement loop here)*/
if (num <= MBEDTLS_ENTROPY_BLOCK_SIZE
&& 0 == mbedtls_entropy_func(&entropy, buf, (size_t)num)) {
return 1;
}
#endif
#endif
if (1 == li_rand_device_bytes(buf, num)) {
return 1;
@ -290,6 +349,14 @@ void li_rand_cleanup (void)
#if OPENSSL_VERSION_NUMBER < 0x10100000L
RAND_cleanup();
#endif
#endif
#ifdef USE_MBEDTLS_CRYPTO
#ifdef MBEDTLS_ENTROPY_C
#ifdef MBEDTLS_CTR_DRBG_C
mbedtls_ctr_drbg_free(&ctr_drbg);
#endif
mbedtls_entropy_free(&entropy);
#endif
#endif
safe_memclear(xsubi, sizeof(xsubi));
}

15
src/server.c

@ -71,8 +71,8 @@ static const buffer default_server_tag = { CONST_STR_LEN(PACKAGE_DESC), 0 };
#endif
#include "sys-crypto.h"
#ifdef USE_OPENSSL_CRYPTO
#define USE_SSL
#if defined(USE_OPENSSL_CRYPTO) \
|| defined(USE_MBEDTLS_CRYPTO)
#define TEXT_SSL " (ssl)"
#else
#define TEXT_SSL
@ -430,10 +430,15 @@ static void show_features (void) {
#else
"\t- crypt support\n"
#endif
#ifdef USE_SSL
"\t+ SSL support\n"
#ifdef USE_OPENSSL_CRYPTO
"\t+ OpenSSL support\n"
#else
"\t- OpenSSL support\n"
#endif
#ifdef USE_MBEDTLS_CRYPTO
"\t+ mbedTLS support\n"
#else
"\t- SSL support\n"
"\t- mbedTLS support\n"
#endif
#ifdef HAVE_LIBPCRE
"\t+ PCRE support\n"

6
src/sys-crypto.h

@ -18,6 +18,12 @@
#include <wolfssl/options.h>
#endif
#ifdef HAVE_LIBMBEDCRYPTO
#define USE_LIB_CRYPTO
#define USE_MBEDTLS_CRYPTO
#include <mbedtls/config.h>
#endif
#ifdef HAVE_NETTLE_NETTLE_TYPES_H
#define USE_LIB_CRYPTO
#define USE_NETTLE_CRYPTO

Loading…
Cancel
Save