[mod_nss] NSS option for TLS (fixes #1218)

(experimental)

WARNING: EXPERIMENTAL code sketch; mod_nss is INCOMPLETE and UNTESTED

mod_nss supports most ssl.* config options supported by mod_openssl

x-ref:
  "alternate ssl backend"
  https://redmine.lighttpd.net/issues/1218
Glenn Strauss 2020-06-28 23:43:16 -04:00
parent 8a1ddce0c2
commit e00deb5578
12 changed files with 3744 additions and 0 deletions


@ -254,6 +254,7 @@ vars.AddVariables(
BoolVariable('with_openssl', 'enable openssl support', 'no'),
PackageVariable('with_gnutls', 'enable GnuTLS support', 'no'),
PackageVariable('with_mbedtls', 'enable mbedTLS support', 'no'),
PackageVariable('with_nss', 'enable NSS crypto support', 'no'),
PackageVariable('with_wolfssl', 'enable wolfSSL support', 'no'),
BoolVariable('with_nettle', 'enable Nettle support', 'no'),
BoolVariable('with_pam', 'enable PAM auth support', 'no'),
@ -337,6 +338,7 @@ if 1:
LIBLUA = '',
LIBMEMCACHED = '',
LIBMYSQL = '',
LIBNSS = '',
LIBPAM = '',
LIBPCRE = '',
LIBPGSQL = '',
@ -589,6 +591,12 @@ if 1:
fail("Couldn't find mysql")
autoconf.env.Append(CPPFLAGS = [ '-DHAVE_MYSQL_H', '-DHAVE_LIBMYSQL' ])
if env['with_nss']:
nss_config = autoconf.checkProgram('nss', 'nss-config')
if not autoconf.CheckParseConfigForLib('LIBNSS', nss_config + ' --cflags --libs'):
fail("Couldn't find NSS")
autoconf.env.Append(CPPFLAGS = [ '-DHAVE_NSS3_NSS_H' ])
if env['with_openssl']:
if not autoconf.CheckLibWithHeader('ssl', 'openssl/ssl.h', 'C'):
fail("Couldn't find openssl")
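Review bot: The `if env['with_nss']:` block derives both the CPPFLAGS and the link libraries from `nss-config --cflags --libs` alone, while the configure.ac side of this same commit resolves the feature through the pkg-config `nss` module; on the platforms I know, `nss-config` emits only the NSS include and lib flags whereas the pkg-config module additionally pulls in NSPR, whose headers `nss3/nss.h` includes, so the SCons build may compile mod_nss.c without the NSPR include path. I would try pkg-config first and keep `nss-config` as the fallback: `if not autoconf.CheckParseConfigForLib('LIBNSS', 'pkg-config --cflags --libs nss') and not autoconf.CheckParseConfigForLib('LIBNSS', nss_config + ' --cflags --libs'):`. Whether `nss-config` on the intended targets already includes the NSPR flags is not something I can confirm from this diff, so please verify before changing it.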


@ -852,6 +852,38 @@ if test "x$use_gnutls" = "xyes"; then
fi
fi
dnl Check for NSS
AC_MSG_NOTICE([----------------------------------------])
AC_MSG_CHECKING([for NSS])
AC_ARG_WITH([nss],
AC_HELP_STRING([--with-nss@<:@=DIR@:>@],[Include NSS support. DIR points to the installation root. (default no)]),
[WITH_NSS=$withval],
[WITH_NSS=no]
)
if test "$WITH_NSS" != "no"; then
use_nss=yes
else
use_nss=no
fi
AC_MSG_RESULT([$use_nss])
AM_CONDITIONAL(BUILD_WITH_NSS, test ! $WITH_NSS = no)
NSS_CFLAGS=
NSS_LIBS=
if test "x$use_nss" = "xyes"; then
if test "$WITH_NSS" != "yes"; then
NSS_CFLAGS="-I$WITH_NSS/include"
NSS_LIBS="-L$WITH_NSS/lib"
else
PKG_CHECK_MODULES([NSS],[nss])
fi
AC_DEFINE([HAVE_NSS3_NSS_H], [1], [nss3/nss.h])
AC_SUBST([NSS_CFLAGS])
AC_SUBST([NSS_LIBS])
fi
dnl pcre support
AC_MSG_NOTICE([----------------------------------------])
@ -1652,6 +1684,9 @@ lighty_track_feature "network-mbedtls" "mod_mbedtls" \
lighty_track_feature "network-gnutls" "mod_gnutls" \
'test "$WITH_GNUTLS" != no'
lighty_track_feature "network-nss" "mod_nss" \
'test "$WITH_NSS" != no'
lighty_track_feature "auth-crypt" "" \
'test "$found_crypt" != no'
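Review bot: In the manual `--with-nss=DIR` branch, `NSS_LIBS="-L$WITH_NSS/lib"` carries only a search path and no library names, so `mod_nss_la_LIBADD = $(NSS_LIBS)` in the Makefile.am section of this commit links mod_nss.la against no NSS library at all; depending on the toolchain that either fails at link time or yields a module whose NSS symbols stay unresolved until dlopen. Only the pkg-config branch (`PKG_CHECK_MODULES([NSS],[nss])`) obtains the `-l` flags, which masks the problem in the common case. The CMake and meson sections of the same commit name the four libraries, so the line should read `NSS_LIBS="-L$WITH_NSS/lib -lssl3 -lsmime3 -lnss3 -lnssutil3"`. That branch also reaches `AC_DEFINE([HAVE_NSS3_NSS_H], ...)` without checking that `nss3/nss.h` or any of those libraries exists under DIR, so a wrong path is reported only by the compiler; an `AC_CHECK_HEADERS([nss3/nss.h], [], [AC_MSG_ERROR([nss3/nss.h not found under $WITH_NSS])])` run with `CPPFLAGS` temporarily extended by `$NSS_CFLAGS` would catch it at configure time.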


@ -78,6 +78,11 @@ option('with_nettle',
value: false,
description: 'with Nettle-support [default: off]',
)
option('with_nss',
type: 'string',
value: 'false',
description: 'with NSS-crypto-support [default: off]',
)
option('with_openssl',
type: 'boolean',
value: false,


@ -22,6 +22,7 @@ option(WITH_PGSQL "with postgres-support for mod_vhostdb_pgsql [default: off]")
option(WITH_DBI "with dbi-support for mod_vhostdb_dbi [default: off]")
option(WITH_GNUTLS "with GnuTLS-support [default: off]")
option(WITH_MBEDTLS "with mbedTLS-support [default: off]")
option(WITH_NSS "with NSS-crypto-support [default: off]")
option(WITH_OPENSSL "with openssl-support [default: off]")
option(WITH_WOLFSSL "with wolfSSL-support [default: off]")
option(WITH_NETTLE "with Nettle-support [default: off]")
@ -393,6 +394,28 @@ else()
unset(HAVE_LIBMEDX509)
endif()
if(WITH_NSS)
check_include_files(nss3/nss.h HAVE_NSS3_NSS_H)
if(HAVE_NSS3_NSS_H)
check_library_exists(ssl3 NSSSSL_GetVersion "" HAVE_LIBSSL3)
if(HAVE_LIBSSL3)
check_library_exists(smime3 NSSSMIME_GetVersion "" HAVE_LIBSMIME3)
if(HAVE_LIBSMIME3)
check_library_exists(nss3 NSS_GetVersion "" HAVE_LIBNSS3)
if(HAVE_LIBNSS3)
check_library_exists(nssutil3 NSSUTIL_GetVersion "" HAVE_LIBNSSUTIL3)
endif()
endif()
endif()
endif()
else()
unset(HAVE_NSS3_NSS_H)
unset(HAVE_LIBSSL3)
unset(HAVE_LIBSMIME3)
unset(HAVE_LIBNSS3)
unset(HAVE_LIBNSSUTIL3)
endif()
if(WITH_NETTLE)
if(APPLE)
set(CMAKE_REQUIRED_INCLUDES /opt/local/include)
@ -1116,6 +1139,12 @@ if(HAVE_LIBMBEDTLS AND HAVE_LIBMEDCRYPTO AND HAVE_LIBMEDX509)
# not doing "cross module" linkage yet (e.g. mod_authn, secdownload)
endif()
if(HAVE_LIBSSL3 AND HAVE_LIBSMIME3 AND HAVE_LIBNSS3 AND HAVE_LIBNSSUTIL3)
add_and_install_library(mod_nss "mod_nss.c")
set(L_MOD_NSS ${L_MOD_NSS} ssl3 smime3 nss3 nssutil3)
target_link_libraries(mod_nss ${L_MOD_NSS})
endif()
if(WITH_LIBEV)
target_link_libraries(lighttpd ${LIBEV_LDFLAGS})
add_target_properties(lighttpd COMPILE_FLAGS ${LIBEV_CFLAGS})
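Review bot: When `WITH_NSS` is on but any of the chained checks fails, the `if(WITH_NSS)` block sets nothing and the later `if(HAVE_LIBSSL3 AND HAVE_LIBSMIME3 AND HAVE_LIBNSS3 AND HAVE_LIBNSSUTIL3)` guard simply omits mod_nss, so an explicit request silently produces a build without the module; a terminal `if(WITH_NSS AND NOT HAVE_LIBNSSUTIL3)` / `message(FATAL_ERROR "WITH_NSS requested but NSS headers/libraries were not found")` / `endif()` before the `else()` would surface that at configure time. I would also verify the header probe itself: `check_include_files(nss3/nss.h HAVE_NSS3_NSS_H)` runs with the default include path, and on the Linux distributions I know the NSS headers pull in NSPR headers from a separate `nspr4` directory, so the probe may fail on a stock system that has NSS installed unless `CMAKE_REQUIRED_INCLUDES` is seeded from the pkg-config `nss` module (the one configure.ac in this commit uses). The matching mbedTLS block above behaves the same way on failure, so the silent skip is a pre-existing pattern rather than something this commit introduces.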


@ -406,6 +406,14 @@ mod_gnutls_la_LIBADD = $(GNUTLS_LIBS) $(common_libadd)
mod_gnutls_la_CPPFLAGS = $(GNUTLS_CFLAGS)
endif
if BUILD_WITH_NSS
lib_LTLIBRARIES += mod_nss.la
mod_nss_la_SOURCES = mod_nss.c
mod_nss_la_LDFLAGS = $(common_module_ldflags)
mod_nss_la_LIBADD = $(NSS_LIBS) $(common_libadd)
mod_nss_la_CPPFLAGS = $(NSS_CFLAGS)
endif
lib_LTLIBRARIES += mod_rewrite.la
mod_rewrite_la_SOURCES = mod_rewrite.c


@ -182,6 +182,9 @@ if env['with_wolfssl']:
if env['with_mbedtls']:
modules['mod_mbedtls'] = { 'src' : [ 'mod_mbedtls.c' ], 'lib' : [ env['LIBSSL'], env['LIBX509'], env['LIBCRYPTO'] ] }
if env['with_nss']:
modules['mod_nss'] = { 'src' : [ 'mod_nss.c' ], 'lib' : [ env['LIBNSS'] ] }
if env['with_gnutls']:
modules['mod_gnutls'] = { 'src' : [ 'mod_gnutls.c' ], 'lib' : [ env['LIBGNUTLS'] ] }


@ -311,6 +311,8 @@ static void config_compat_module_load (server *srv) {
append_mod_openssl = 0;
else if (buffer_eq_slen(m, CONST_STR_LEN("mod_mbedtls")))
append_mod_openssl = 0;
else if (buffer_eq_slen(m, CONST_STR_LEN("mod_nss")))
append_mod_openssl = 0;
else if (buffer_eq_slen(m, CONST_STR_LEN("mod_openssl")))
append_mod_openssl = 0;
else if (buffer_eq_slen(m, CONST_STR_LEN("mod_authn_file")))
@ -708,6 +710,7 @@ static int config_insert_srvconf(server *srv) {
ssl_enabled = (0 != cpv->v.u);
#if !defined(USE_OPENSSL_CRYPTO) \
&& !defined(USE_MBEDTLS_CRYPTO) \
&& !defined(USE_NSS_CRYPTO) \
&& !defined(USE_GNUTLS_CRYPTO)
if (ssl_enabled) {
log_error(srv->errh, __FILE__, __LINE__,


@ -450,6 +450,19 @@ if get_option('with_gnutls')
libcrypto = [ dependency('libgnutls') ]
endif
endif
if get_option('with_nss')
# manual search:
# header: nss3/nss.h
# function: NSSSSL_GetVersion (-lssl3)
# function: NSSSMIME_GetVersion (-lsmime3)
# function: NSS_GetVersion (-lnss3)
# function: NSSUTIL_GetVersion (-lnssutil3)
libssl3 = [ dependency('libssl3') ]
libsmime3 = [ dependency('libsmime3') ]
libnss3 = [ dependency('libnss3') ]
libnssutil3 = [ dependency('libnssutil3') ]
conf_data.set('HAVE_NSS3_NSS_H', true)
endif
libpcre = []
if get_option('with_pcre')
@ -1013,6 +1026,12 @@ if get_option('with_mbedtls') != 'false'
]
endif
if get_option('with_nss') != 'false'
modules += [
[ 'mod_nss', [ 'mod_nss.c' ], libssl3 + libsmime3 + libnss3 + libnssutil3 ],
]
endif
if get_option('with_gnutls') != 'false'
modules += [
[ 'mod_gnutls', [ 'mod_gnutls.c' ], libgnutls ],
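Review bot: The four lookups `dependency('libssl3')`, `dependency('libsmime3')`, `dependency('libnss3')` and `dependency('libnssutil3')` name pkg-config modules I am not aware of any NSS package shipping; the module NSS installs is `nss` (which is exactly what `PKG_CHECK_MODULES([NSS],[nss])` in the configure.ac section of this commit uses), so these calls will most likely abort the configure step whenever with_nss is enabled. A single `libnss = [ dependency('nss') ]` referenced from the `mod_nss` module entry would match the other build systems here; if a manual per-library search as the comment describes is really intended, that calls for `cc.find_library('ssl3', ...)` and friends rather than `dependency()`. Separately, `if get_option('with_nss')` at the top of this block tests an option that meson_options.txt in this commit declares as `type: 'string'` with value `'false'`, while the module entry below tests `get_option('with_nss') != 'false'`; the two must agree, either by using `!= 'false'` in both places or by declaring the option as a boolean and using the bare form in both.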


@ -428,6 +428,7 @@ SETDEFAULTS_FUNC(mod_extforward_set_defaults) {
data_string *ds = (data_string *)srv->srvconf.modules->data[i];
if (buffer_eq_slen(&ds->value, CONST_STR_LEN("mod_openssl"))
|| buffer_eq_slen(&ds->value, CONST_STR_LEN("mod_mbedtls"))
|| buffer_eq_slen(&ds->value, CONST_STR_LEN("mod_nss"))
|| buffer_eq_slen(&ds->value, CONST_STR_LEN("mod_gnutls"))) {
log_error(srv->errh, __FILE__, __LINE__,
"mod_extforward must be loaded after %s in "

3623
src/mod_nss.c Normal file



@ -73,6 +73,7 @@ static const buffer default_server_tag = { CONST_STR_LEN(PACKAGE_DESC), 0 };
#include "sys-crypto.h"
#if defined(USE_OPENSSL_CRYPTO) \
|| defined(USE_MBEDTLS_CRYPTO) \
|| defined(USE_NSS_CRYPTO) \
|| defined(USE_GNUTLS_CRYPTO)
#define TEXT_SSL " (ssl)"
#else
@ -441,6 +442,11 @@ static void show_features (void) {
#else
"\t- mbedTLS support\n"
#endif
#ifdef USE_NSS_CRYPTO
"\t+ NSS crypto support\n"
#else
"\t- NSS crypto support\n"
#endif
#ifdef USE_GNUTLS_CRYPTO
"\t+ GnuTLS support\n"
#else


@ -24,6 +24,10 @@
#include <mbedtls/config.h>
#endif
#ifdef HAVE_NSS3_NSS_H
#define USE_NSS_CRYPTO
#endif
#ifdef HAVE_NETTLE_NETTLE_TYPES_H
#define USE_LIB_CRYPTO
#define USE_NETTLE_CRYPTO