[mod_nss] NSS option for TLS (fixes #1218)
(experimental) WARNING: EXPERIMENTAL code sketch; mod_nss is INCOMPLETE and UNTESTED. mod_nss supports most ssl.* config options supported by mod_openssl. x-ref: "alternate ssl backend" https://redmine.lighttpd.net/issues/1218
parent
8a1ddce0c2
commit
e00deb5578
|
@ -254,6 +254,7 @@ vars.AddVariables(
|
|||
BoolVariable('with_openssl', 'enable openssl support', 'no'),
|
||||
PackageVariable('with_gnutls', 'enable GnuTLS support', 'no'),
|
||||
PackageVariable('with_mbedtls', 'enable mbedTLS support', 'no'),
|
||||
PackageVariable('with_nss', 'enable NSS crypto support', 'no'),
|
||||
PackageVariable('with_wolfssl', 'enable wolfSSL support', 'no'),
|
||||
BoolVariable('with_nettle', 'enable Nettle support', 'no'),
|
||||
BoolVariable('with_pam', 'enable PAM auth support', 'no'),
|
||||
|
@ -337,6 +338,7 @@ if 1:
|
|||
LIBLUA = '',
|
||||
LIBMEMCACHED = '',
|
||||
LIBMYSQL = '',
|
||||
LIBNSS = '',
|
||||
LIBPAM = '',
|
||||
LIBPCRE = '',
|
||||
LIBPGSQL = '',
|
||||
|
@ -589,6 +591,12 @@ if 1:
|
|||
fail("Couldn't find mysql")
|
||||
autoconf.env.Append(CPPFLAGS = [ '-DHAVE_MYSQL_H', '-DHAVE_LIBMYSQL' ])
|
||||
|
||||
if env['with_nss']:
|
||||
nss_config = autoconf.checkProgram('nss', 'nss-config')
|
||||
if not autoconf.CheckParseConfigForLib('LIBNSS', nss_config + ' --cflags --libs'):
|
||||
fail("Couldn't find NSS")
|
||||
autoconf.env.Append(CPPFLAGS = [ '-DHAVE_NSS3_NSS_H' ])
|
||||
|
||||
if env['with_openssl']:
|
||||
if not autoconf.CheckLibWithHeader('ssl', 'openssl/ssl.h', 'C'):
|
||||
fail("Couldn't find openssl")
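Review bot: `-DHAVE_NSS3_NSS_H` is appended as soon as `nss-config` resolves, with no compile probe for `nss3/nss.h` itself (unless `CheckParseConfigForLib` performs one, which is not visible here). src/sys-crypto.h turns that define into `USE_NSS_CRYPTO`, which in turn switches off the "ssl support missing" guard in configfile.c, so a false positive here yields a binary that claims TLS support it may not have. A header check on the same configure context before the `Append`, e.g. `autoconf.CheckCHeader('nss3/nss.h')`, would close the gap. The same unconditional define appears in configure.ac (`AC_DEFINE([HAVE_NSS3_NSS_H], ...)`) and src/meson.build (`conf_data.set('HAVE_NSS3_NSS_H', true)`); only the CMake build probes the header.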
|
||||
|
|
35
configure.ac
35
configure.ac
|
@ -852,6 +852,38 @@ if test "x$use_gnutls" = "xyes"; then
|
|||
fi
|
||||
fi
|
||||
|
||||
dnl Check for NSS
|
||||
AC_MSG_NOTICE([----------------------------------------])
|
||||
AC_MSG_CHECKING([for NSS])
|
||||
AC_ARG_WITH([nss],
|
||||
AC_HELP_STRING([--with-nss@<:@=DIR@:>@],[Include NSS support. DIR points to the installation root. (default no)]),
|
||||
[WITH_NSS=$withval],
|
||||
[WITH_NSS=no]
|
||||
)
|
||||
|
||||
if test "$WITH_NSS" != "no"; then
|
||||
use_nss=yes
|
||||
else
|
||||
use_nss=no
|
||||
fi
|
||||
AC_MSG_RESULT([$use_nss])
|
||||
AM_CONDITIONAL(BUILD_WITH_NSS, test ! $WITH_NSS = no)
|
||||
|
||||
NSS_CFLAGS=
|
||||
NSS_LIBS=
|
||||
|
||||
if test "x$use_nss" = "xyes"; then
|
||||
if test "$WITH_NSS" != "yes"; then
|
||||
NSS_CFLAGS="-I$WITH_NSS/include"
|
||||
NSS_LIBS="-L$WITH_NSS/lib"
|
||||
else
|
||||
PKG_CHECK_MODULES([NSS],[nss])
|
||||
fi
|
||||
AC_DEFINE([HAVE_NSS3_NSS_H], [1], [nss3/nss.h])
|
||||
AC_SUBST([NSS_CFLAGS])
|
||||
AC_SUBST([NSS_LIBS])
|
||||
fi
|
||||
|
||||
|
||||
dnl pcre support
|
||||
AC_MSG_NOTICE([----------------------------------------])
|
||||
|
@ -1652,6 +1684,9 @@ lighty_track_feature "network-mbedtls" "mod_mbedtls" \
|
|||
lighty_track_feature "network-gnutls" "mod_gnutls" \
|
||||
'test "$WITH_GNUTLS" != no'
|
||||
|
||||
lighty_track_feature "network-nss" "mod_nss" \
|
||||
'test "$WITH_NSS" != no'
|
||||
|
||||
lighty_track_feature "auth-crypt" "" \
|
||||
'test "$found_crypt" != no'
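Review bot: In the `--with-nss=DIR` branch `NSS_LIBS` is set to `-L$WITH_NSS/lib` with no `-l` flags, so mod_nss.la would be linked without naming any NSS library, and nothing in that branch verifies that DIR actually contains NSS. Naming the libraries the CMake build links, e.g. `NSS_LIBS="-L$WITH_NSS/lib -lssl3 -lsmime3 -lnss3 -lnssutil3"`, would make a bad DIR fail at build time rather than when the module is loaded. Separately, `AM_CONDITIONAL(BUILD_WITH_NSS, test ! $WITH_NSS = no)` expands `$WITH_NSS` unquoted and breaks for a DIR containing whitespace; `AM_CONDITIONAL([BUILD_WITH_NSS], [test "x$use_nss" = "xyes"])` reuses the value computed just above it.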
|
||||
|
||||
|
|
|
@ -78,6 +78,11 @@ option('with_nettle',
|
|||
value: false,
|
||||
description: 'with Nettle-support [default: off]',
|
||||
)
|
||||
option('with_nss',
|
||||
type: 'string',
|
||||
value: 'false',
|
||||
description: 'with NSS-crypto-support [default: off]',
|
||||
)
|
||||
option('with_openssl',
|
||||
type: 'boolean',
|
||||
value: false,
|
||||
|
|
|
@ -22,6 +22,7 @@ option(WITH_PGSQL "with postgres-support for mod_vhostdb_pgsql [default: off]")
|
|||
option(WITH_DBI "with dbi-support for mod_vhostdb_dbi [default: off]")
|
||||
option(WITH_GNUTLS "with GnuTLS-support [default: off]")
|
||||
option(WITH_MBEDTLS "with mbedTLS-support [default: off]")
|
||||
option(WITH_NSS "with NSS-crypto-support [default: off]")
|
||||
option(WITH_OPENSSL "with openssl-support [default: off]")
|
||||
option(WITH_WOLFSSL "with wolfSSL-support [default: off]")
|
||||
option(WITH_NETTLE "with Nettle-support [default: off]")
|
||||
|
@ -393,6 +394,28 @@ else()
|
|||
unset(HAVE_LIBMEDX509)
|
||||
endif()
|
||||
|
||||
if(WITH_NSS)
|
||||
check_include_files(nss3/nss.h HAVE_NSS3_NSS_H)
|
||||
if(HAVE_NSS3_NSS_H)
|
||||
check_library_exists(ssl3 NSSSSL_GetVersion "" HAVE_LIBSSL3)
|
||||
if(HAVE_LIBSSL3)
|
||||
check_library_exists(smime3 NSSSMIME_GetVersion "" HAVE_LIBSMIME3)
|
||||
if(HAVE_LIBSMIME3)
|
||||
check_library_exists(nss3 NSS_GetVersion "" HAVE_LIBNSS3)
|
||||
if(HAVE_LIBNSS3)
|
||||
check_library_exists(nssutil3 NSSUTIL_GetVersion "" HAVE_LIBNSSUTIL3)
|
||||
endif()
|
||||
endif()
|
||||
endif()
|
||||
endif()
|
||||
else()
|
||||
unset(HAVE_NSS3_NSS_H)
|
||||
unset(HAVE_LIBSSL3)
|
||||
unset(HAVE_LIBSMIME3)
|
||||
unset(HAVE_LIBNSS3)
|
||||
unset(HAVE_LIBNSSUTIL3)
|
||||
endif()
|
||||
|
||||
if(WITH_NETTLE)
|
||||
if(APPLE)
|
||||
set(CMAKE_REQUIRED_INCLUDES /opt/local/include)
|
||||
|
@ -1116,6 +1139,12 @@ if(HAVE_LIBMBEDTLS AND HAVE_LIBMEDCRYPTO AND HAVE_LIBMEDX509)
|
|||
# not doing "cross module" linkage yet (e.g. mod_authn, secdownload)
|
||||
endif()
|
||||
|
||||
if(HAVE_LIBSSL3 AND HAVE_LIBSMIME3 AND HAVE_LIBNSS3 AND HAVE_LIBNSSUTIL3)
|
||||
add_and_install_library(mod_nss "mod_nss.c")
|
||||
set(L_MOD_NSS ${L_MOD_NSS} ssl3 smime3 nss3 nssutil3)
|
||||
target_link_libraries(mod_nss ${L_MOD_NSS})
|
||||
endif()
|
||||
|
||||
if(WITH_LIBEV)
|
||||
target_link_libraries(lighttpd ${LIBEV_LDFLAGS})
|
||||
add_target_properties(lighttpd COMPILE_FLAGS ${LIBEV_CFLAGS})
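Review bot: The `else()` branch clears the probe results with plain `unset(HAVE_LIBSSL3)` and friends, but `check_include_files` and `check_library_exists` store their results in the cache, and a plain `unset()` removes only the normal variable. After configuring once with `WITH_NSS=ON` and then turning it off in the same build tree, the later `if(HAVE_LIBSSL3 AND HAVE_LIBSMIME3 AND HAVE_LIBNSS3 AND HAVE_LIBNSSUTIL3)` can still see the cached values and build mod_nss, and a stale `HAVE_NSS3_NSS_H` would presumably still reach the generated config header. Use the cache form on all five, e.g. `unset(HAVE_NSS3_NSS_H CACHE)`, or additionally gate the module block on `WITH_NSS`. The mbedTLS lines visible at the top of that hunk (`unset(HAVE_LIBMEDX509)`) follow the same pattern, so both backends may need the fix.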
|
||||
|
|
|
@ -406,6 +406,14 @@ mod_gnutls_la_LIBADD = $(GNUTLS_LIBS) $(common_libadd)
|
|||
mod_gnutls_la_CPPFLAGS = $(GNUTLS_CFLAGS)
|
||||
endif
|
||||
|
||||
if BUILD_WITH_NSS
|
||||
lib_LTLIBRARIES += mod_nss.la
|
||||
mod_nss_la_SOURCES = mod_nss.c
|
||||
mod_nss_la_LDFLAGS = $(common_module_ldflags)
|
||||
mod_nss_la_LIBADD = $(NSS_LIBS) $(common_libadd)
|
||||
mod_nss_la_CPPFLAGS = $(NSS_CFLAGS)
|
||||
endif
|
||||
|
||||
|
||||
lib_LTLIBRARIES += mod_rewrite.la
|
||||
mod_rewrite_la_SOURCES = mod_rewrite.c
|
||||
|
|
|
@ -182,6 +182,9 @@ if env['with_wolfssl']:
|
|||
if env['with_mbedtls']:
|
||||
modules['mod_mbedtls'] = { 'src' : [ 'mod_mbedtls.c' ], 'lib' : [ env['LIBSSL'], env['LIBX509'], env['LIBCRYPTO'] ] }
|
||||
|
||||
if env['with_nss']:
|
||||
modules['mod_nss'] = { 'src' : [ 'mod_nss.c' ], 'lib' : [ env['LIBNSS'] ] }
|
||||
|
||||
if env['with_gnutls']:
|
||||
modules['mod_gnutls'] = { 'src' : [ 'mod_gnutls.c' ], 'lib' : [ env['LIBGNUTLS'] ] }
|
||||
|
||||
|
|
|
@ -311,6 +311,8 @@ static void config_compat_module_load (server *srv) {
|
|||
append_mod_openssl = 0;
|
||||
else if (buffer_eq_slen(m, CONST_STR_LEN("mod_mbedtls")))
|
||||
append_mod_openssl = 0;
|
||||
else if (buffer_eq_slen(m, CONST_STR_LEN("mod_nss")))
|
||||
append_mod_openssl = 0;
|
||||
else if (buffer_eq_slen(m, CONST_STR_LEN("mod_openssl")))
|
||||
append_mod_openssl = 0;
|
||||
else if (buffer_eq_slen(m, CONST_STR_LEN("mod_authn_file")))
|
||||
|
@ -708,6 +710,7 @@ static int config_insert_srvconf(server *srv) {
|
|||
ssl_enabled = (0 != cpv->v.u);
|
||||
#if !defined(USE_OPENSSL_CRYPTO) \
|
||||
&& !defined(USE_MBEDTLS_CRYPTO) \
|
||||
&& !defined(USE_NSS_CRYPTO) \
|
||||
&& !defined(USE_GNUTLS_CRYPTO)
|
||||
if (ssl_enabled) {
|
||||
log_error(srv->errh, __FILE__, __LINE__,
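Review bot: The list of TLS module names is now maintained by hand in two places touched by this commit: the `else if` chain in config_compat_module_load() here and the load-order check in mod_extforward_set_defaults(). A backend added to one but missed in the mod_extforward list would skip that load-order check without any diagnostic. A short comment above the chain, e.g. `/* TLS modules: keep in sync with load-order check in mod_extforward.c */`, would make the coupling visible to whoever adds the next backend. Both functions extend beyond the hunks shown.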
|
||||
|
|
|
@ -450,6 +450,19 @@ if get_option('with_gnutls')
|
|||
libcrypto = [ dependency('libgnutls') ]
|
||||
endif
|
||||
endif
|
||||
if get_option('with_nss')
|
||||
# manual search:
|
||||
# header: nss3/nss.h
|
||||
# function: NSSSSL_GetVersion (-lssl3)
|
||||
# function: NSSSMIME_GetVersion (-lsmime3)
|
||||
# function: NSS_GetVersion (-lnss3)
|
||||
# function: NSSUTIL_GetVersion (-lnssutil3)
|
||||
libssl3 = [ dependency('libssl3') ]
|
||||
libsmime3 = [ dependency('libsmime3') ]
|
||||
libnss3 = [ dependency('libnss3') ]
|
||||
libnssutil3 = [ dependency('libnssutil3') ]
|
||||
conf_data.set('HAVE_NSS3_NSS_H', true)
|
||||
endif
|
||||
|
||||
libpcre = []
|
||||
if get_option('with_pcre')
|
||||
|
@ -1013,6 +1026,12 @@ if get_option('with_mbedtls') != 'false'
|
|||
]
|
||||
endif
|
||||
|
||||
if get_option('with_nss') != 'false'
|
||||
modules += [
|
||||
[ 'mod_nss', [ 'mod_nss.c' ], libssl3 + libsmime3 + libnss3 + libnssutil3 ],
|
||||
]
|
||||
endif
|
||||
|
||||
if get_option('with_gnutls') != 'false'
|
||||
modules += [
|
||||
[ 'mod_gnutls', [ 'mod_gnutls.c' ], libgnutls ],
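Review bot: `with_nss` is declared in meson_options.txt as a string defaulting to `'false'`, yet the first new block tests it as `if get_option('with_nss')` while the module list uses `get_option('with_nss') != 'false'`. Meson expects a boolean in `if`, so the first test should match the second: `if get_option('with_nss') != 'false'`. The four lookups `dependency('libssl3')` through `dependency('libnssutil3')` also look unlikely to resolve, since configure.ac finds NSS through the single pkg-config module `nss`. If that is the module distributions ship, `libnss = [ dependency('nss') ]`, passed as the mod_nss dependency list, would replace all four.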
|
||||
|
|
|
@ -428,6 +428,7 @@ SETDEFAULTS_FUNC(mod_extforward_set_defaults) {
|
|||
data_string *ds = (data_string *)srv->srvconf.modules->data[i];
|
||||
if (buffer_eq_slen(&ds->value, CONST_STR_LEN("mod_openssl"))
|
||||
|| buffer_eq_slen(&ds->value, CONST_STR_LEN("mod_mbedtls"))
|
||||
|| buffer_eq_slen(&ds->value, CONST_STR_LEN("mod_nss"))
|
||||
|| buffer_eq_slen(&ds->value, CONST_STR_LEN("mod_gnutls"))) {
|
||||
log_error(srv->errh, __FILE__, __LINE__,
|
||||
"mod_extforward must be loaded after %s in "
|
||||
|
|
File diff suppressed because it is too large
|
@ -73,6 +73,7 @@ static const buffer default_server_tag = { CONST_STR_LEN(PACKAGE_DESC), 0 };
|
|||
#include "sys-crypto.h"
|
||||
#if defined(USE_OPENSSL_CRYPTO) \
|
||||
|| defined(USE_MBEDTLS_CRYPTO) \
|
||||
|| defined(USE_NSS_CRYPTO) \
|
||||
|| defined(USE_GNUTLS_CRYPTO)
|
||||
#define TEXT_SSL " (ssl)"
|
||||
#else
|
||||
|
@ -441,6 +442,11 @@ static void show_features (void) {
|
|||
#else
|
||||
"\t- mbedTLS support\n"
|
||||
#endif
|
||||
#ifdef USE_NSS_CRYPTO
|
||||
"\t+ NSS crypto support\n"
|
||||
#else
|
||||
"\t- NSS crypto support\n"
|
||||
#endif
|
||||
#ifdef USE_GNUTLS_CRYPTO
|
||||
"\t+ GnuTLS support\n"
|
||||
#else
|
||||
|
|
|
@ -24,6 +24,10 @@
|
|||
#include <mbedtls/config.h>
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_NSS3_NSS_H
|
||||
#define USE_NSS_CRYPTO
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_NETTLE_NETTLE_TYPES_H
|
||||
#define USE_LIB_CRYPTO
|
||||
#define USE_NETTLE_CRYPTO
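Review bot: The new NSS block defines only `USE_NSS_CRYPTO`, whereas the Nettle block directly below it defines `USE_LIB_CRYPTO` as well, and the file gives no hint whether that difference is deliberate. Code elsewhere that keys on `USE_LIB_CRYPTO` would treat an NSS-only build as having no crypto library, which may or may not be the intent for this experimental backend. Either add `#define USE_LIB_CRYPTO` inside the `#ifdef HAVE_NSS3_NSS_H` block or document the omission with a comment such as `/* NSS: USE_LIB_CRYPTO intentionally not defined (TLS module only) */`. The surrounding header continues outside the hunk.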
|
||||
|
|