[mod_nss] NSS option for TLS (fixes #1218)

(experimental)

WARNING: EXPERIMENTAL code sketch; mod_nss is INCOMPLETE and UNTESTED

mod_nss supports most ssl.* config options supported by mod_openssl

x-ref:
  "alternate ssl backend"
  https://redmine.lighttpd.net/issues/1218

SConstruct

@@ -254,6 +254,7 @@ vars.AddVariables(
 	BoolVariable('with_openssl', 'enable openssl support', 'no'),
 	PackageVariable('with_gnutls', 'enable GnuTLS support', 'no'),
 	PackageVariable('with_mbedtls', 'enable mbedTLS support', 'no'),
+	PackageVariable('with_nss', 'enable NSS crypto support', 'no'),
 	PackageVariable('with_wolfssl', 'enable wolfSSL support', 'no'),
 	BoolVariable('with_nettle', 'enable Nettle support', 'no'),
 	BoolVariable('with_pam', 'enable PAM auth support', 'no'),
@@ -337,6 +338,7 @@ if 1:
 		LIBLUA = '',
 		LIBMEMCACHED = '',
 		LIBMYSQL = '',
+		LIBNSS = '',
 		LIBPAM = '',
 		LIBPCRE = '',
 		LIBPGSQL = '',
@@ -589,6 +591,12 @@ if 1:
 			fail("Couldn't find mysql")
 		autoconf.env.Append(CPPFLAGS = [ '-DHAVE_MYSQL_H', '-DHAVE_LIBMYSQL' ])
 
+	if env['with_nss']:
+		nss_config = autoconf.checkProgram('nss', 'nss-config')
+		if not autoconf.CheckParseConfigForLib('LIBNSS', nss_config + ' --cflags --libs'):
+			fail("Couldn't find NSS")
+		autoconf.env.Append(CPPFLAGS = [ '-DHAVE_NSS3_NSS_H' ])
+
 	if env['with_openssl']:
 		if not autoconf.CheckLibWithHeader('ssl', 'openssl/ssl.h', 'C'):
 			fail("Couldn't find openssl")

configure.ac

@@ -852,6 +852,38 @@ if test "x$use_gnutls" = "xyes"; then
   fi
 fi
 
+dnl Check for NSS
+AC_MSG_NOTICE([----------------------------------------])
+AC_MSG_CHECKING([for NSS])
+AC_ARG_WITH([nss],
+  AC_HELP_STRING([--with-nss@<:@=DIR@:>@],[Include NSS support. DIR points to the installation root. (default no)]),
+  [WITH_NSS=$withval],
+  [WITH_NSS=no]
+)
+
+if test "$WITH_NSS" != "no"; then
+  use_nss=yes
+else
+  use_nss=no
+fi
+AC_MSG_RESULT([$use_nss])
+AM_CONDITIONAL(BUILD_WITH_NSS, test ! $WITH_NSS = no)
+
+NSS_CFLAGS=
+NSS_LIBS=
+
+if test "x$use_nss" = "xyes"; then
+  if test "$WITH_NSS" != "yes"; then
+      NSS_CFLAGS="-I$WITH_NSS/include"
+      NSS_LIBS="-L$WITH_NSS/lib"
+  else
+      PKG_CHECK_MODULES([NSS],[nss])
+  fi
+  AC_DEFINE([HAVE_NSS3_NSS_H], [1], [nss3/nss.h])
+  AC_SUBST([NSS_CFLAGS])
+  AC_SUBST([NSS_LIBS])
+fi
+
 
 dnl pcre support
 AC_MSG_NOTICE([----------------------------------------])
@@ -1652,6 +1684,9 @@ lighty_track_feature "network-mbedtls" "mod_mbedtls" \
 lighty_track_feature "network-gnutls" "mod_gnutls" \
   'test "$WITH_GNUTLS" != no'
 
+lighty_track_feature "network-nss" "mod_nss" \
+  'test "$WITH_NSS" != no'
+
 lighty_track_feature "auth-crypt" "" \
   'test "$found_crypt" != no'
 

meson_options.txt

@@ -78,6 +78,11 @@ option('with_nettle',
 	value: false,
 	description: 'with Nettle-support [default: off]',
 )
+option('with_nss',
+	type: 'string',
+	value: 'false',
+	description: 'with NSS-crypto-support [default: off]',
+)
 option('with_openssl',
 	type: 'boolean',
 	value: false,

src/CMakeLists.txt

@@ -22,6 +22,7 @@ option(WITH_PGSQL "with postgres-support for mod_vhostdb_pgsql [default: off]")
 option(WITH_DBI "with dbi-support for mod_vhostdb_dbi [default: off]")
 option(WITH_GNUTLS "with GnuTLS-support [default: off]")
 option(WITH_MBEDTLS "with mbedTLS-support [default: off]")
+option(WITH_NSS "with NSS-crypto-support [default: off]")
 option(WITH_OPENSSL "with openssl-support [default: off]")
 option(WITH_WOLFSSL "with wolfSSL-support [default: off]")
 option(WITH_NETTLE "with Nettle-support [default: off]")
@@ -393,6 +394,28 @@ else()
 	unset(HAVE_LIBMEDX509)
 endif()
 
+if(WITH_NSS)
+	check_include_files(nss3/nss.h HAVE_NSS3_NSS_H)
+	if(HAVE_NSS3_NSS_H)
+		check_library_exists(ssl3 NSSSSL_GetVersion "" HAVE_LIBSSL3)
+		if(HAVE_LIBSSL3)
+		    check_library_exists(smime3 NSSSMIME_GetVersion "" HAVE_LIBSMIME3)
+			if(HAVE_LIBSMIME3)
+			    check_library_exists(nss3 NSS_GetVersion "" HAVE_LIBNSS3)
+			    if(HAVE_LIBNSS3)
+				check_library_exists(nssutil3 NSSUTIL_GetVersion "" HAVE_LIBNSSUTIL3)
+			    endif()
+			endif()
+		endif()
+	endif()
+else()
+	unset(HAVE_NSS3_NSS_H)
+	unset(HAVE_LIBSSL3)
+	unset(HAVE_LIBSMIME3)
+	unset(HAVE_LIBNSS3)
+	unset(HAVE_LIBNSSUTIL3)
+endif()
+
 if(WITH_NETTLE)
 	if(APPLE)
 		set(CMAKE_REQUIRED_INCLUDES /opt/local/include)
@@ -1116,6 +1139,12 @@ if(HAVE_LIBMBEDTLS AND HAVE_LIBMEDCRYPTO AND HAVE_LIBMEDX509)
 	# not doing "cross module" linkage yet (e.g. mod_authn, secdownload)
 endif()
 
+if(HAVE_LIBSSL3 AND HAVE_LIBSMIME3 AND HAVE_LIBNSS3 AND HAVE_LIBNSSUTIL3)
+	add_and_install_library(mod_nss "mod_nss.c")
+	set(L_MOD_NSS ${L_MOD_NSS} ssl3 smime3 nss3 nssutil3)
+	target_link_libraries(mod_nss ${L_MOD_NSS})
+endif()
+
 if(WITH_LIBEV)
 	target_link_libraries(lighttpd ${LIBEV_LDFLAGS})
 	add_target_properties(lighttpd COMPILE_FLAGS ${LIBEV_CFLAGS})

src/Makefile.am

@@ -406,6 +406,14 @@ mod_gnutls_la_LIBADD = $(GNUTLS_LIBS) $(common_libadd)
 mod_gnutls_la_CPPFLAGS = $(GNUTLS_CFLAGS)
 endif
 
+if BUILD_WITH_NSS
+lib_LTLIBRARIES += mod_nss.la
+mod_nss_la_SOURCES = mod_nss.c
+mod_nss_la_LDFLAGS = $(common_module_ldflags)
+mod_nss_la_LIBADD = $(NSS_LIBS) $(common_libadd)
+mod_nss_la_CPPFLAGS = $(NSS_CFLAGS)
+endif
+
 
 lib_LTLIBRARIES += mod_rewrite.la
 mod_rewrite_la_SOURCES = mod_rewrite.c

src/SConscript

@@ -182,6 +182,9 @@ if env['with_wolfssl']:
 if env['with_mbedtls']:
 	modules['mod_mbedtls'] = { 'src' : [ 'mod_mbedtls.c' ], 'lib' : [ env['LIBSSL'], env['LIBX509'], env['LIBCRYPTO'] ] }
 
+if env['with_nss']:
+	modules['mod_nss'] = { 'src' : [ 'mod_nss.c' ], 'lib' : [ env['LIBNSS'] ] }
+
 if env['with_gnutls']:
 	modules['mod_gnutls'] = { 'src' : [ 'mod_gnutls.c' ], 'lib' : [ env['LIBGNUTLS'] ] }
 

src/configfile.c

@@ -311,6 +311,8 @@ static void config_compat_module_load (server *srv) {
             append_mod_openssl = 0;
         else if (buffer_eq_slen(m, CONST_STR_LEN("mod_mbedtls")))
             append_mod_openssl = 0;
+        else if (buffer_eq_slen(m, CONST_STR_LEN("mod_nss")))
+            append_mod_openssl = 0;
         else if (buffer_eq_slen(m, CONST_STR_LEN("mod_openssl")))
             append_mod_openssl = 0;
         else if (buffer_eq_slen(m, CONST_STR_LEN("mod_authn_file")))
@@ -708,6 +710,7 @@ static int config_insert_srvconf(server *srv) {
                 ssl_enabled = (0 != cpv->v.u);
                #if !defined(USE_OPENSSL_CRYPTO) \
                 && !defined(USE_MBEDTLS_CRYPTO) \
+                && !defined(USE_NSS_CRYPTO) \
                 && !defined(USE_GNUTLS_CRYPTO)
                 if (ssl_enabled) {
                     log_error(srv->errh, __FILE__, __LINE__,

src/meson.build

@@ -450,6 +450,19 @@ if get_option('with_gnutls')
 	  libcrypto = [ dependency('libgnutls') ]
 	endif
 endif
+if get_option('with_nss')
+	# manual search:
+	# header: nss3/nss.h
+	# function: NSSSSL_GetVersion (-lssl3)
+	# function: NSSSMIME_GetVersion (-lsmime3)
+	# function: NSS_GetVersion (-lnss3)
+	# function: NSSUTIL_GetVersion (-lnssutil3)
+	libssl3 = [ dependency('libssl3') ]
+	libsmime3 = [ dependency('libsmime3') ]
+	libnss3 = [ dependency('libnss3') ]
+	libnssutil3 = [ dependency('libnssutil3') ]
+	conf_data.set('HAVE_NSS3_NSS_H', true)
+endif
 
 libpcre = []
 if get_option('with_pcre')
@@ -1013,6 +1026,12 @@ if get_option('with_mbedtls') != 'false'
 	]
 endif
 
+if get_option('with_nss') != 'false'
+	modules += [
+		[ 'mod_nss', [ 'mod_nss.c' ], libssl3 + libsmime3 + libnss3 + libnssutil3 ],
+	]
+endif
+
 if get_option('with_gnutls') != 'false'
 	modules += [
 		[ 'mod_gnutls', [ 'mod_gnutls.c' ], libgnutls ],

src/mod_extforward.c

@@ -428,6 +428,7 @@ SETDEFAULTS_FUNC(mod_extforward_set_defaults) {
             data_string *ds = (data_string *)srv->srvconf.modules->data[i];
             if (buffer_eq_slen(&ds->value, CONST_STR_LEN("mod_openssl"))
                 || buffer_eq_slen(&ds->value, CONST_STR_LEN("mod_mbedtls"))
+                || buffer_eq_slen(&ds->value, CONST_STR_LEN("mod_nss"))
                 || buffer_eq_slen(&ds->value, CONST_STR_LEN("mod_gnutls"))) {
                 log_error(srv->errh, __FILE__, __LINE__,
                   "mod_extforward must be loaded after %s in "

src/server.c

@@ -73,6 +73,7 @@ static const buffer default_server_tag = { CONST_STR_LEN(PACKAGE_DESC), 0 };
 #include "sys-crypto.h"
 #if defined(USE_OPENSSL_CRYPTO) \
  || defined(USE_MBEDTLS_CRYPTO) \
+ || defined(USE_NSS_CRYPTO) \
  || defined(USE_GNUTLS_CRYPTO)
 #define TEXT_SSL " (ssl)"
 #else
@@ -441,6 +442,11 @@ static void show_features (void) {
 #else
       "\t- mbedTLS support\n"
 #endif
+#ifdef USE_NSS_CRYPTO
+      "\t+ NSS crypto support\n"
+#else
+      "\t- NSS crypto support\n"
+#endif
 #ifdef USE_GNUTLS_CRYPTO
       "\t+ GnuTLS support\n"
 #else

src/sys-crypto.h

@@ -24,6 +24,10 @@
 #include <mbedtls/config.h>
 #endif
 
+#ifdef HAVE_NSS3_NSS_H
+#define USE_NSS_CRYPTO
+#endif
+
 #ifdef HAVE_NETTLE_NETTLE_TYPES_H
 #define USE_LIB_CRYPTO
 #define USE_NETTLE_CRYPTO