From 6a88d8f6b413efdac4b0176cfb78431be46ca9e0 Mon Sep 17 00:00:00 2001 From: Nick Mathewson Date: Sun, 12 Aug 2018 17:18:41 -0400 Subject: [PATCH] When enabling NSS, disable OpenSSL. We used to link both libraries at once, but now that I'm working on TLS, there's nothing left to keep OpenSSL around for when NSS is enabled. Note that this patch causes a couple of places that still assumed OpenSSL to be disabled when NSS is enabled - tor-gencert - pbkdf2 --- configure.ac | 14 ++++++-- src/app/config/config.c | 12 +++++++ src/core/mainloop/main.c | 5 +-- src/lib/crypt_ops/compat_openssl.h | 6 ++++ src/lib/crypt_ops/crypto_dh.h | 2 +- src/lib/crypt_ops/crypto_ed25519.c | 1 + src/lib/crypt_ops/crypto_format.c | 1 + src/lib/crypt_ops/crypto_hkdf.c | 2 ++ src/lib/crypt_ops/crypto_init.c | 42 ++++++++++++++++++++++ src/lib/crypt_ops/crypto_init.h | 4 +++ src/lib/crypt_ops/crypto_rand.c | 14 +++++--- src/lib/crypt_ops/crypto_rsa.c | 6 ++-- src/lib/crypt_ops/crypto_s2k.c | 7 ++++ src/lib/crypt_ops/crypto_util.c | 6 ++-- src/lib/crypt_ops/include.am | 2 +- src/lib/tls/tortls_internal.h | 56 ++++++++++++++++-------------- src/lib/tls/tortls_nss.c | 42 ---------------------- src/test/bench.c | 8 +++++ src/test/include.am | 2 +- src/test/test.c | 2 ++ src/test/test_crypto.c | 4 +++ src/test/test_crypto_slow.c | 2 ++ src/tools/include.am | 14 ++++++-- src/tools/tor-gencert.c | 2 ++ 24 files changed, 170 insertions(+), 86 deletions(-) diff --git a/configure.ac b/configure.ac index aa9b2ba6bd..f99697a445 100644 --- a/configure.ac +++ b/configure.ac @@ -67,14 +67,15 @@ AM_CONDITIONAL(LIBFUZZER_ENABLED, test "x$enable_libfuzzer" = "xyes") AM_CONDITIONAL(OSS_FUZZ_ENABLED, test "x$enable_oss_fuzz" = "xyes") AM_CONDITIONAL(USE_RUST, test "x$enable_rust" = "xyes") AM_CONDITIONAL(USE_NSS, test "x$enable_nss" = "xyes") -AM_CONDITIONAL(USE_OPENSSL, true) +AM_CONDITIONAL(USE_OPENSSL, test "x$enable_nss" != "xyes") if test "x$enable_nss" = "xyes"; then AC_DEFINE(ENABLE_NSS, 1, [Defined if we're building with NSS in addition to OpenSSL.]) +else + AC_DEFINE(ENABLE_OPENSSL, 1, + [Defined if we're building with OpenSSL or LibreSSL]) fi -AC_DEFINE(ENABLE_OPENSSL, 1, - [Defined if we're building with OpenSSL or LibreSSL]) if test "$enable_static_tor" = "yes"; then enable_static_libevent="yes"; @@ -872,6 +873,8 @@ fi dnl ------------------------------------------------------ dnl Where do you live, openssl? And how do we call you? +if test "x$enable_nss" != "xyes"; then + tor_openssl_pkg_redhat="openssl" tor_openssl_pkg_debian="libssl-dev" tor_openssl_devpkg_redhat="openssl-devel" @@ -971,6 +974,11 @@ AC_CHECK_SIZEOF(SHA_CTX, , [AC_INCLUDES_DEFAULT() #include ]) +fi # enable_nss + +dnl ====================================================================== +dnl Can we use KIST? + dnl Define the set of checks for KIST scheduler support. AC_DEFUN([CHECK_KIST_SUPPORT],[ dnl KIST needs struct tcp_info and for certain members to exist. diff --git a/src/app/config/config.c b/src/app/config/config.c index d2ed295621..d7c9f6d610 100644 --- a/src/app/config/config.c +++ b/src/app/config/config.c @@ -82,6 +82,11 @@ #include "lib/crypt_ops/crypto_rand.h" #include "lib/crypt_ops/crypto_util.h" #include "lib/crypt_ops/crypto_init.h" +#ifdef ENABLE_NSS +#include "lib/crypt_ops/crypto_nss_mgt.h" +#else +#include "lib/crypt_ops/crypto_openssl_mgt.h" +#endif #include "feature/dircache/dirserv.h" #include "feature/relay/dns.h" #include "core/or/dos.h" @@ -5238,9 +5243,16 @@ options_init_from_torrc(int argc, char **argv) printf("Libevent\t\t%-15s\t\t%s\n", tor_libevent_get_header_version_str(), tor_libevent_get_version_str()); +#ifdef ENABLE_OPENSSL printf("OpenSSL \t\t%-15s\t\t%s\n", crypto_openssl_get_header_version_str(), crypto_openssl_get_version_str()); +#endif +#ifdef ENABLE_NSS + printf("NSS \t\t%-15s\t\t%s\n", + crypto_nss_get_header_version_str(), + crypto_nss_get_version_str()); +#endif if (tor_compress_supports_method(ZLIB_METHOD)) { printf("Zlib \t\t%-15s\t\t%s\n", tor_compress_version_str(ZLIB_METHOD), diff --git a/src/core/mainloop/main.c b/src/core/mainloop/main.c index ad8c1ead67..f40639d087 100644 --- a/src/core/mainloop/main.c +++ b/src/core/mainloop/main.c @@ -3504,10 +3504,11 @@ tor_init(int argc, char *argv[]) const char *version = get_version(); log_notice(LD_GENERAL, "Tor %s running on %s with Libevent %s, " - "OpenSSL %s, Zlib %s, Liblzma %s, and Libzstd %s.", version, + "%s %s, Zlib %s, Liblzma %s, and Libzstd %s.", version, get_uname(), tor_libevent_get_version_str(), - crypto_openssl_get_version_str(), + crypto_get_library_name(), + crypto_get_library_version_string(), tor_compress_supports_method(ZLIB_METHOD) ? tor_compress_version_str(ZLIB_METHOD) : "N/A", tor_compress_supports_method(LZMA_METHOD) ? diff --git a/src/lib/crypt_ops/compat_openssl.h b/src/lib/crypt_ops/compat_openssl.h index 317c01134a..f2f632ab40 100644 --- a/src/lib/crypt_ops/compat_openssl.h +++ b/src/lib/crypt_ops/compat_openssl.h @@ -7,6 +7,10 @@ #ifndef TOR_COMPAT_OPENSSL_H #define TOR_COMPAT_OPENSSL_H +#include "orconfig.h" + +#ifdef ENABLE_OPENSSL + #include #include "lib/crypt_ops/crypto_openssl_mgt.h" @@ -47,5 +51,7 @@ #define CONST_IF_OPENSSL_1_1_API const #endif /* !defined(OPENSSL_1_1_API) */ +#endif /* defined(ENABLE_OPENSSL) */ + #endif /* !defined(TOR_COMPAT_OPENSSL_H) */ diff --git a/src/lib/crypt_ops/crypto_dh.h b/src/lib/crypt_ops/crypto_dh.h index 6e79a6404c..3ee343a278 100644 --- a/src/lib/crypt_ops/crypto_dh.h +++ b/src/lib/crypt_ops/crypto_dh.h @@ -56,7 +56,7 @@ struct dh_st *crypto_dh_new_openssl_tls(void); void crypto_dh_init_openssl(void); void crypto_dh_free_all_openssl(void); #endif -#ifdef ENABLE_OPENSSL +#ifdef ENABLE_NSS void crypto_dh_init_nss(void); void crypto_dh_free_all_nss(void); #endif diff --git a/src/lib/crypt_ops/crypto_ed25519.c b/src/lib/crypt_ops/crypto_ed25519.c index 9d2c9e9fab..11c1f56aef 100644 --- a/src/lib/crypt_ops/crypto_ed25519.c +++ b/src/lib/crypt_ops/crypto_ed25519.c @@ -37,6 +37,7 @@ #include "ed25519/donna/ed25519_donna_tor.h" #include +#include static void pick_ed25519_impl(void); diff --git a/src/lib/crypt_ops/crypto_format.c b/src/lib/crypt_ops/crypto_format.c index 50916a8d68..09ec753a00 100644 --- a/src/lib/crypt_ops/crypto_format.c +++ b/src/lib/crypt_ops/crypto_format.c @@ -29,6 +29,7 @@ #include "lib/fs/files.h" #include +#include /** Write the datalen bytes from data to the file named * fname in the tagged-data format. This format contains a diff --git a/src/lib/crypt_ops/crypto_hkdf.c b/src/lib/crypt_ops/crypto_hkdf.c index 1873632a9d..a63d9131d9 100644 --- a/src/lib/crypt_ops/crypto_hkdf.c +++ b/src/lib/crypt_ops/crypto_hkdf.c @@ -17,12 +17,14 @@ #include "lib/intmath/cmp.h" #include "lib/log/util_bug.h" +#ifdef ENABLE_OPENSSL #include #if defined(HAVE_ERR_LOAD_KDF_STRINGS) #include #define HAVE_OPENSSL_HKDF 1 #endif +#endif #include diff --git a/src/lib/crypt_ops/crypto_init.c b/src/lib/crypt_ops/crypto_init.c index 620fe8e1be..f9b077e9e7 100644 --- a/src/lib/crypt_ops/crypto_init.c +++ b/src/lib/crypt_ops/crypto_init.c @@ -88,6 +88,10 @@ crypto_global_init(int useAccel, const char *accelName, const char *accelDir) #ifdef ENABLE_OPENSSL if (crypto_openssl_late_init(useAccel, accelName, accelDir) < 0) return -1; +#else + (void)useAccel; + (void)accelName; + (void)accelDir; #endif #ifdef ENABLE_NSS if (crypto_nss_late_init() < 0) @@ -139,3 +143,41 @@ crypto_postfork(void) crypto_nss_postfork(); #endif } + +/** Return the name of the crypto library we're using. */ +const char * +crypto_get_library_name(void) +{ +#ifdef ENABLE_OPENSSL + return "OpenSSL"; +#endif +#ifdef ENABLE_NSS + return "NSS"; +#endif +} + +/** Return the version of the crypto library we are using, as given in the + * library. */ +const char * +crypto_get_library_version_string(void) +{ +#ifdef ENABLE_OPENSSL + return crypto_openssl_get_version_str(); +#endif +#ifdef ENABLE_NSS + return crypto_nss_get_version_str(); +#endif +} + +/** Return the version of the crypto library we're using, as given in the + * headers. */ +const char * +crypto_get_header_version_string(void) +{ +#ifdef ENABLE_OPENSSL + return crypto_openssl_get_header_version_str(); +#endif +#ifdef ENABLE_NSS + return crypto_nss_get_header_version_str(); +#endif +} diff --git a/src/lib/crypt_ops/crypto_init.h b/src/lib/crypt_ops/crypto_init.h index 3e32456b5c..05b281720c 100644 --- a/src/lib/crypt_ops/crypto_init.h +++ b/src/lib/crypt_ops/crypto_init.h @@ -26,4 +26,8 @@ void crypto_thread_cleanup(void); int crypto_global_cleanup(void); void crypto_postfork(void); +const char *crypto_get_library_name(void); +const char *crypto_get_library_version_string(void); +const char *crypto_get_header_version_string(void); + #endif /* !defined(TOR_CRYPTO_H) */ diff --git a/src/lib/crypt_ops/crypto_rand.c b/src/lib/crypt_ops/crypto_rand.c index 9806714747..78471bf398 100644 --- a/src/lib/crypt_ops/crypto_rand.c +++ b/src/lib/crypt_ops/crypto_rand.c @@ -35,9 +35,11 @@ #include "lib/testsupport/testsupport.h" #include "lib/fs/files.h" +#include "lib/defs/digest_sizes.h" +#include "lib/crypt_ops/crypto_digest.h" + #ifdef ENABLE_NSS #include "lib/crypt_ops/crypto_nss_mgt.h" -#include "lib/crypt_ops/crypto_digest.h" #endif #ifdef ENABLE_OPENSSL @@ -80,6 +82,7 @@ ENABLE_GCC_WARNING(redundant-decls) #endif #include +#include /** * How many bytes of entropy we add at once. @@ -335,7 +338,8 @@ crypto_strongest_rand_raw(uint8_t *out, size_t out_len) void crypto_strongest_rand(uint8_t *out, size_t out_len) { -#define DLEN SHA512_DIGEST_LENGTH +#define DLEN DIGEST512_LEN + /* We're going to hash DLEN bytes from the system RNG together with some * bytes from the PRNGs from our crypto librar(y/ies), in order to yield * DLEN bytes. @@ -360,11 +364,11 @@ crypto_strongest_rand(uint8_t *out, size_t out_len) // LCOV_EXCL_STOP } if (out_len >= DLEN) { - SHA512(inp, sizeof(inp), out); + crypto_digest512((char*)out, (char*)inp, sizeof(inp), DIGEST_SHA512); out += DLEN; out_len -= DLEN; } else { - SHA512(inp, sizeof(inp), tmp); + crypto_digest512((char*)tmp, (char*)inp, sizeof(inp), DIGEST_SHA512); memcpy(out, tmp, out_len); break; } @@ -699,6 +703,7 @@ smartlist_shuffle(smartlist_t *sl) int crypto_force_rand_ssleay(void) { +#ifdef ENABLE_OPENSSL RAND_METHOD *default_method; default_method = RAND_OpenSSL(); if (RAND_get_rand_method() != default_method) { @@ -708,6 +713,7 @@ crypto_force_rand_ssleay(void) RAND_set_rand_method(default_method); return 1; } +#endif return 0; } diff --git a/src/lib/crypt_ops/crypto_rsa.c b/src/lib/crypt_ops/crypto_rsa.c index 0f80bc967f..31497e6509 100644 --- a/src/lib/crypt_ops/crypto_rsa.c +++ b/src/lib/crypt_ops/crypto_rsa.c @@ -37,11 +37,12 @@ crypto_get_rsa_padding_overhead(int padding) { switch (padding) { - case RSA_PKCS1_OAEP_PADDING: return PKCS1_OAEP_PADDING_OVERHEAD; + case PK_PKCS1_OAEP_PADDING: return PKCS1_OAEP_PADDING_OVERHEAD; default: tor_assert(0); return -1; // LCOV_EXCL_LINE } } +#ifdef ENABLE_OPENSSL /** Given a padding method padding, return the correct OpenSSL constant. */ int @@ -53,6 +54,7 @@ crypto_get_rsa_padding(int padding) default: tor_assert(0); return -1; // LCOV_EXCL_LINE } } +#endif /** Compare the public-key components of a and b. Return non-zero iff * a==b. A NULL key is considered to be distinct from all non-NULL @@ -100,7 +102,7 @@ crypto_pk_obsolete_public_hybrid_encrypt(crypto_pk_t *env, tor_assert(to); tor_assert(fromlen < SIZE_T_CEILING); - overhead = crypto_get_rsa_padding_overhead(crypto_get_rsa_padding(padding)); + overhead = crypto_get_rsa_padding_overhead(padding); pkeylen = crypto_pk_keysize(env); if (!force && fromlen+overhead <= pkeylen) { diff --git a/src/lib/crypt_ops/crypto_s2k.c b/src/lib/crypt_ops/crypto_s2k.c index 0e151f0a6c..433fbb026d 100644 --- a/src/lib/crypt_ops/crypto_s2k.c +++ b/src/lib/crypt_ops/crypto_s2k.c @@ -21,7 +21,9 @@ #include "lib/ctime/di_ops.h" #include "lib/log/util_bug.h" +#ifdef ENABLE_OPENSSL #include +#endif #if defined(HAVE_LIBSCRYPT_H) && defined(HAVE_LIBSCRYPT_SCRYPT) #define HAVE_SCRYPT @@ -265,6 +267,7 @@ secret_to_key_compute_key(uint8_t *key_out, size_t key_out_len, return (int)key_out_len; case S2K_TYPE_PBKDF2: { +#ifdef ENABLE_OPENSSL uint8_t log_iters; if (spec_len < 1 || secret_len > INT_MAX || spec_len > INT_MAX) return S2K_BAD_LEN; @@ -278,6 +281,10 @@ secret_to_key_compute_key(uint8_t *key_out, size_t key_out_len, if (rv < 0) return S2K_FAILED; return (int)key_out_len; +#else + // XXXXXXXXXXXXXXXXXXXXXXXX implement me. + return S2K_NO_SCRYPT_SUPPORT; +#endif } case S2K_TYPE_SCRYPT: { diff --git a/src/lib/crypt_ops/crypto_util.c b/src/lib/crypt_ops/crypto_util.c index a645321bfb..7af80291ef 100644 --- a/src/lib/crypt_ops/crypto_util.c +++ b/src/lib/crypt_ops/crypto_util.c @@ -23,12 +23,14 @@ #include #endif /* defined(_WIN32) */ -DISABLE_GCC_WARNING(redundant-decls) +#include +#ifdef ENABLE_OPENSSL +DISABLE_GCC_WARNING(redundant-decls) #include #include - ENABLE_GCC_WARNING(redundant-decls) +#endif #include "lib/log/log.h" #include "lib/log/util_bug.h" diff --git a/src/lib/crypt_ops/include.am b/src/lib/crypt_ops/include.am index 195dac6bdb..1022096fdc 100644 --- a/src/lib/crypt_ops/include.am +++ b/src/lib/crypt_ops/include.am @@ -9,7 +9,6 @@ src_lib_libtor_crypt_ops_a_SOURCES = \ src/lib/crypt_ops/crypto_cipher.c \ src/lib/crypt_ops/crypto_curve25519.c \ src/lib/crypt_ops/crypto_dh.c \ - src/lib/crypt_ops/crypto_dh_openssl.c \ src/lib/crypt_ops/crypto_digest.c \ src/lib/crypt_ops/crypto_ed25519.c \ src/lib/crypt_ops/crypto_format.c \ @@ -37,6 +36,7 @@ endif if USE_OPENSSL src_lib_libtor_crypt_ops_a_SOURCES += \ + src/lib/crypt_ops/crypto_dh_openssl.c \ src/lib/crypt_ops/crypto_openssl_mgt.c endif diff --git a/src/lib/tls/tortls_internal.h b/src/lib/tls/tortls_internal.h index f6afb348ca..c58379e19b 100644 --- a/src/lib/tls/tortls_internal.h +++ b/src/lib/tls/tortls_internal.h @@ -15,36 +15,11 @@ struct ssl_session_st; int tor_errno_to_tls_error(int e); int tor_tls_get_error(tor_tls_t *tls, int r, int extra, const char *doing, int severity, int domain); -tor_tls_t *tor_tls_get_by_ssl(const struct ssl_st *ssl); -void tor_tls_allocate_tor_tls_object_ex_data_index(void); MOCK_DECL(void, try_to_extract_certs_from_tls, (int severity, tor_tls_t *tls, tor_x509_cert_impl_t **cert_out, tor_x509_cert_impl_t **id_cert_out)); -#ifdef TORTLS_OPENSSL_PRIVATE -int always_accept_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx); -int tor_tls_classify_client_ciphers(const struct ssl_st *ssl, - STACK_OF(SSL_CIPHER) *peer_ciphers); -#endif -int tor_tls_client_is_using_v2_ciphers(const struct ssl_st *ssl); -#ifndef HAVE_SSL_SESSION_GET_MASTER_KEY -size_t SSL_SESSION_get_master_key(struct ssl_session_st *s, - uint8_t *out, - size_t len); -#endif -void tor_tls_debug_state_callback(const struct ssl_st *ssl, - int type, int val); -void tor_tls_server_info_callback(const struct ssl_st *ssl, - int type, int val); -#ifdef TORTLS_OPENSSL_PRIVATE -STATIC int tor_tls_session_secret_cb(struct ssl_st *ssl, void *secret, - int *secret_len, - STACK_OF(SSL_CIPHER) *peer_ciphers, - CONST_IF_OPENSSL_1_1_API SSL_CIPHER **cipher, - void *arg); -STATIC int find_cipher_by_id(const SSL *ssl, const SSL_METHOD *m, - uint16_t cipher); -#endif /* defined(TORTLS_OPENSSL_PRIVATE) */ + tor_tls_context_t *tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, unsigned flags, int is_client); int tor_tls_context_init_one(tor_tls_context_t **ppcontext, @@ -53,6 +28,35 @@ int tor_tls_context_init_one(tor_tls_context_t **ppcontext, unsigned int flags, int is_client); +#ifdef ENABLE_OPENSSL +tor_tls_t *tor_tls_get_by_ssl(const struct ssl_st *ssl); +int tor_tls_client_is_using_v2_ciphers(const struct ssl_st *ssl); +void tor_tls_debug_state_callback(const struct ssl_st *ssl, + int type, int val); +void tor_tls_server_info_callback(const struct ssl_st *ssl, + int type, int val); +void tor_tls_allocate_tor_tls_object_ex_data_index(void); + +#if !defined(HAVE_SSL_SESSION_GET_MASTER_KEY) +size_t SSL_SESSION_get_master_key(struct ssl_session_st *s, + uint8_t *out, + size_t len); +#endif + +#ifdef TORTLS_OPENSSL_PRIVATE +int always_accept_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx); +int tor_tls_classify_client_ciphers(const struct ssl_st *ssl, + STACK_OF(SSL_CIPHER) *peer_ciphers); +STATIC int tor_tls_session_secret_cb(struct ssl_st *ssl, void *secret, + int *secret_len, + STACK_OF(SSL_CIPHER) *peer_ciphers, + CONST_IF_OPENSSL_1_1_API SSL_CIPHER **cipher, + void *arg); +STATIC int find_cipher_by_id(const SSL *ssl, const SSL_METHOD *m, + uint16_t cipher); +#endif +#endif + #ifdef TOR_UNIT_TESTS extern int tor_tls_object_ex_data_index; extern tor_tls_context_t *server_tls_context; diff --git a/src/lib/tls/tortls_nss.c b/src/lib/tls/tortls_nss.c index 078196ac5f..98fecdaf16 100644 --- a/src/lib/tls/tortls_nss.c +++ b/src/lib/tls/tortls_nss.c @@ -47,19 +47,6 @@ tor_tls_get_error(tor_tls_t *tls, int r, int extra, // XXXX return -1; } -tor_tls_t * -tor_tls_get_by_ssl(const struct ssl_st *ssl) -{ - (void) ssl; - // XXXX - // XXXX refers to ssl_st. - return NULL; -} -void -tor_tls_allocate_tor_tls_object_ex_data_index(void) -{ - // XXXX openssl only. -} MOCK_IMPL(void, try_to_extract_certs_from_tls,(int severity, tor_tls_t *tls, tor_x509_cert_impl_t **cert_out, @@ -71,36 +58,7 @@ try_to_extract_certs_from_tls,(int severity, tor_tls_t *tls, (void)severity; // XXXX } -int -tor_tls_client_is_using_v2_ciphers(const struct ssl_st *ssl) -{ - (void) ssl; - // XXXX - // XXXX refers to ssl_st. - return 0; -} -void -tor_tls_debug_state_callback(const struct ssl_st *ssl, - int type, int val) -{ - (void) ssl; - (void)type; - (void)val; - // XXXX - // XXXX refers to ssl_st. -} - -void -tor_tls_server_info_callback(const struct ssl_st *ssl, - int type, int val) -{ - (void)ssl; - (void)type; - (void)val; - // XXXX - // XXXX refers to ssl_st. -} tor_tls_context_t * tor_tls_context_new(crypto_pk_t *identity, unsigned int key_lifetime, unsigned flags, int is_client) diff --git a/src/test/bench.c b/src/test/bench.c index 2b90ccf734..3594059057 100644 --- a/src/test/bench.c +++ b/src/test/bench.c @@ -13,11 +13,14 @@ #include "core/or/or.h" #include "core/crypto/onion_tap.h" #include "core/crypto/relay_crypto.h" + +#ifdef ENABLE_OPENSSL #include #include #include #include #include +#endif #include "core/or/circuitlist.h" #include "app/config/config.h" @@ -580,6 +583,7 @@ bench_dh(void) " %f millisec each.\n", NANOCOUNT(start, end, iters)/1e6); } +#ifdef ENABLE_OPENSSL static void bench_ecdh_impl(int nid, const char *name) { @@ -629,6 +633,7 @@ bench_ecdh_p224(void) { bench_ecdh_impl(NID_secp224r1, "P-224"); } +#endif typedef void (*bench_fn)(void); @@ -652,8 +657,11 @@ static struct benchmark_t benchmarks[] = { ENT(cell_aes), ENT(cell_ops), ENT(dh), + +#ifdef ENABLE_OPENSSL ENT(ecdh_p256), ENT(ecdh_p224), +#endif {NULL,NULL,0} }; diff --git a/src/test/include.am b/src/test/include.am index c2e08aa3df..05149b8654 100644 --- a/src/test/include.am +++ b/src/test/include.am @@ -118,7 +118,6 @@ src_test_test_SOURCES += \ src/test/test_controller_events.c \ src/test/test_crypto.c \ src/test/test_crypto_ope.c \ - src/test/test_crypto_openssl.c \ src/test/test_data.c \ src/test/test_dir.c \ src/test/test_dir_common.c \ @@ -189,6 +188,7 @@ if USE_NSS # ... else src_test_test_SOURCES += \ + src/test/test_crypto_openssl.c \ src/test/test_tortls_openssl.c endif diff --git a/src/test/test.c b/src/test/test.c index 3b63f1c07e..9623443057 100644 --- a/src/test/test.c +++ b/src/test/test.c @@ -866,7 +866,9 @@ struct testgroup_t testgroups[] = { { "control/event/", controller_event_tests }, { "crypto/", crypto_tests }, { "crypto/ope/", crypto_ope_tests }, +#ifdef ENABLE_OPENSSL { "crypto/openssl/", crypto_openssl_tests }, +#endif { "crypto/pem/", pem_tests }, { "dir/", dir_tests }, { "dir_handle_get/", dir_handle_get_tests }, diff --git a/src/test/test_crypto.c b/src/test/test_crypto.c index 90fb8d468b..04077b42fb 100644 --- a/src/test/test_crypto.c +++ b/src/test/test_crypto.c @@ -224,6 +224,9 @@ static void test_crypto_openssl_version(void *arg) { (void)arg; +#ifdef ENABLE_NSS + tt_skip(); +#else const char *version = crypto_openssl_get_version_str(); const char *h_version = crypto_openssl_get_header_version_str(); tt_assert(version); @@ -243,6 +246,7 @@ test_crypto_openssl_version(void *arg) tt_int_op(a, OP_GE, 0); tt_int_op(b, OP_GE, 0); tt_int_op(c, OP_GE, 0); +#endif done: ; diff --git a/src/test/test_crypto_slow.c b/src/test/test_crypto_slow.c index 88b31ad9af..ca6b7b8d4d 100644 --- a/src/test/test_crypto_slow.c +++ b/src/test/test_crypto_slow.c @@ -18,7 +18,9 @@ #include #endif +#ifdef ENABLE_OPENSSL #include +#endif /** Run unit tests for our secret-to-key passphrase hashing functionality. */ static void diff --git a/src/tools/include.am b/src/tools/include.am index cdd5616fb1..73ec86935f 100644 --- a/src/tools/include.am +++ b/src/tools/include.am @@ -1,7 +1,7 @@ -bin_PROGRAMS+= src/tools/tor-resolve src/tools/tor-gencert src/tools/tor-print-ed-signing-cert +bin_PROGRAMS+= src/tools/tor-resolve src/tools/tor-print-ed-signing-cert if COVERAGE_ENABLED -noinst_PROGRAMS+= src/tools/tor-cov-resolve src/tools/tor-cov-gencert +noinst_PROGRAMS+= src/tools/tor-cov-resolve endif src_tools_tor_resolve_SOURCES = src/tools/tor-resolve.c @@ -20,6 +20,10 @@ src_tools_tor_cov_resolve_LDADD = \ @TOR_LIB_MATH@ @TOR_LIB_WS32@ endif +if USE_NSS +# ... +else +bin_PROGRAMS += src/tools/tor-gencert src_tools_tor_gencert_SOURCES = src/tools/tor-gencert.c src_tools_tor_gencert_LDFLAGS = @TOR_LDFLAGS_zlib@ $(TOR_LDFLAGS_CRYPTLIB) src_tools_tor_gencert_LDADD = \ @@ -28,6 +32,7 @@ src_tools_tor_gencert_LDADD = \ $(rust_ldadd) \ @TOR_LIB_MATH@ @TOR_ZLIB_LIBS@ $(TOR_LIBS_CRYPTLIB) \ @TOR_LIB_WS32@ @TOR_LIB_IPHLPAPI@ @TOR_LIB_GDI@ @TOR_LIB_USERENV@ @CURVE25519_LIBS@ +endif src_tools_tor_print_ed_signing_cert_SOURCES = src/tools/tor-print-ed-signing-cert.c src_tools_tor_print_ed_signing_cert_LDFLAGS = @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@ @@ -38,7 +43,11 @@ src_tools_tor_print_ed_signing_cert_LDADD = \ @TOR_LIB_MATH@ $(TOR_LIBS_CRYPTLIB) \ @TOR_LIB_WS32@ @TOR_LIB_USERENV@ +if USE_NSS +# ... +else if COVERAGE_ENABLED +noinst_PROGRAMS += src/tools/tor-cov-gencert src_tools_tor_cov_gencert_SOURCES = src/tools/tor-gencert.c src_tools_tor_cov_gencert_CPPFLAGS = $(AM_CPPFLAGS) $(TEST_CPPFLAGS) src_tools_tor_cov_gencert_CFLAGS = $(AM_CFLAGS) $(TEST_CFLAGS) @@ -49,6 +58,7 @@ src_tools_tor_cov_gencert_LDADD = \ @TOR_LIB_MATH@ @TOR_ZLIB_LIBS@ $(TOR_LIBS_CRYPTLIB) \ @TOR_LIB_WS32@ @TOR_LIB_IPHLPAPI@ @TOR_LIB_GDI@ @CURVE25519_LIBS@ endif +endif if BUILD_LIBTORRUNNER noinst_LIBRARIES += src/tools/libtorrunner.a diff --git a/src/tools/tor-gencert.c b/src/tools/tor-gencert.c index e0ac3dec80..a498c205b7 100644 --- a/src/tools/tor-gencert.c +++ b/src/tools/tor-gencert.c @@ -17,6 +17,7 @@ #include "lib/crypt_ops/crypto_init.h" #include "lib/crypt_ops/crypto_openssl_mgt.h" +#ifdef ENABLE_OPENSSL /* Some versions of OpenSSL declare X509_STORE_CTX_set_verify_cb twice in * x509.h and x509_vfy.h. Suppress the GCC warning so we can build with * -Wredundant-decl. */ @@ -30,6 +31,7 @@ DISABLE_GCC_WARNING(redundant-decls) #include ENABLE_GCC_WARNING(redundant-decls) +#endif #include