From 4daedfd0817cf68b2cba75a90537b3c0b4750f25 Mon Sep 17 00:00:00 2001
From: Bryan Roe
Date: Thu, 21 Jan 2021 20:13:15 -0800
Subject: [PATCH] Added ability to compile for FIPS mode
---
makefile | 23 ++++++++++++++++++-----
microscript/ILibDuktape_Polyfills.c | 3 +++
microscript/ILibDuktape_SHA256.c | 8 ++++++++
microscript/ILibDuktape_ScriptContainer.c | 2 ++
microscript/ILibDuktape_net.c | 4 ++++
microstack/ILibAsyncSocket.c | 12 +-----------
microstack/ILibCrypto.c | 18 +++++++++++++++---
microstack/ILibWebRTC.c | 4 +++-
8 files changed, 54 insertions(+), 20 deletions(-)
diff --git a/makefile b/makefile
index 0f71dce..5803346 100644
--- a/makefile
+++ b/makefile
@@ -145,17 +145,18 @@ # Microstack & Microscript SOURCES = microstack/ILibAsyncServerSocket.c microstack/ILibAsyncSocket.c microstack/ILibAsyncUDPSocket.c microstack/ILibParsers.c microstack/ILibMulticastSocket.c -SOURCES += microstack/ILibRemoteLogging.c microstack/ILibWebClient.c microstack/ILibWebRTC.c microstack/ILibWebServer.c microstack/ILibCrypto.c -SOURCES += microstack/ILibWrapperWebRTC.c microstack/ILibSimpleDataStore.c microstack/ILibProcessPipe.c microstack/ILibIPAddressMonitor.c +SOURCES += microstack/ILibRemoteLogging.c microstack/ILibWebClient.c microstack/ILibWebServer.c microstack/ILibCrypto.c +SOURCES += microstack/ILibSimpleDataStore.c microstack/ILibProcessPipe.c microstack/ILibIPAddressMonitor.c SOURCES += microscript/duktape.c microscript/duk_module_duktape.c microscript/ILibDuktape_DuplexStream.c microscript/ILibDuktape_Helpers.c SOURCES += microscript/ILibDuktape_net.c microscript/ILibDuktape_ReadableStream.c microscript/ILibDuktape_WritableStream.c -SOURCES += microscript/ILibDuktapeModSearch.c microscript/ILibDuktape_WebRTC.c +SOURCES += microscript/ILibDuktapeModSearch.c SOURCES += microscript/ILibDuktape_SimpleDataStore.c microscript/ILibDuktape_GenericMarshal.c SOURCES += microscript/ILibDuktape_fs.c microscript/ILibDuktape_SHA256.c microscript/ILibduktape_EventEmitter.c SOURCES += microscript/ILibDuktape_EncryptionStream.c microscript/ILibDuktape_Polyfills.c microscript/ILibDuktape_Dgram.c SOURCES += microscript/ILibDuktape_ScriptContainer.c microscript/ILibDuktape_MemoryStream.c microscript/ILibDuktape_NetworkMonitor.c SOURCES += microscript/ILibDuktape_ChildProcess.c microscript/ILibDuktape_HttpStream.c microscript/ILibDuktape_Debugger.c SOURCES += microscript/ILibDuktape_CompressedStream.c meshcore/zlib/adler32.c meshcore/zlib/deflate.c meshcore/zlib/inffast.c meshcore/zlib/inflate.c meshcore/zlib/inftrees.c meshcore/zlib/trees.c meshcore/zlib/zutil.c + SOURCES += $(ADDITIONALSOURCES) # Mesh Agent core 
@@ -212,8 +213,10 @@ ifeq ($(AID), 25) SKIPFLAGS = 1 endif - - +ifeq ($(FIPS),1) +DYNAMICTLS = 1 +NOWEBRTC = 1 +endif ifeq ($(ARCHID),32) ARCHNAME = aarch64 @@ -494,6 +497,7 @@ ifeq ($(DYNAMICTLS),1) LINUXSSL = MACSSL = BSDSSL = +INCDIRS = -I. -I/usr/include/openssl -Imicrostack -Imicroscript -Imeshcore -Imeshconsole endif ifeq ($(DEBUG),1) @@ -547,7 +551,16 @@ ifeq ($(BIGCHAINLOCK),1) CFLAGS += -DILIBCHAIN_GLOBAL_LOCK endif +ifeq ($(NOWEBRTC),1) +CFLAGS += -DNO_WEBRTC -DOLDSSL +SOURCES += microstack/ILibWebRTC.c +else +SOURCES += microstack/ILibWebRTC.c microstack/ILibWrapperWebRTC.c microscript/ILibDuktape_WebRTC.c +endif +ifeq ($(FIPS),1) +CFLAGS += -DFIPSMODE +endif GCCTEST := $(shell $(CC) meshcore/dummy.c -o /dev/null -no-pie > /dev/null 2>&1 ; echo $$? ) ifeq ($(GCCTEST),0) diff --git a/microscript/ILibDuktape_Polyfills.c b/microscript/ILibDuktape_Polyfills.c index 1d59c4b..69e72e0 100644 --- a/microscript/ILibDuktape_Polyfills.c +++ b/microscript/ILibDuktape_Polyfills.c @@ -2146,6 +2146,9 @@ duk_ret_t ILibDuktape_bignum_fromBuffer(duk_context *ctx) } else if (strcmp(endian, "little") == 0) { +#ifdef OLDSSL + return(ILibDuktape_Error(ctx, "Invalid endian specified")); +#endif b = BN_lebin2bn((unsigned char*)buffer, (int)len, NULL); } else diff --git a/microscript/ILibDuktape_SHA256.c b/microscript/ILibDuktape_SHA256.c index ae18bec..0866ffc 100644 --- a/microscript/ILibDuktape_SHA256.c +++ b/microscript/ILibDuktape_SHA256.c @@ -336,7 +336,11 @@ duk_ret_t ILibDuktape_VERIFIER_Create(duk_context *ctx) duk_dup(ctx, 0); duk_put_prop_string(ctx, -2, ILibDuktape_VERIFIER_CERT); data->cert = (struct util_cert*)Duktape_GetBufferProperty(ctx, 0, ILibDuktape_TLS_util_cert); +#ifdef OLDSSL + EVP_PKEY *pkey = X509_get_pubkey(data->cert->x509); +#else EVP_PKEY *pkey = X509_get0_pubkey(data->cert->x509); +#endif EVP_DigestVerifyInit(data->mdctx, NULL, mdtype, NULL, pkey); 
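Review bot: In the `ifeq ($(NOWEBRTC),1)` block, `CFLAGS += -DNO_WEBRTC -DOLDSSL` ties the legacy-OpenSSL code paths to the WebRTC switch, so any build that drops WebRTC also gets `SSLv23_method`, loses `OPENSSL_cleanup()` and rejects little-endian bignums, whichever OpenSSL version it actually links. These are separate decisions; a dedicated variable (for example `ifeq ($(OLDSSL),1)` with `CFLAGS += -DOLDSSL`, set from the FIPS block) or an `OPENSSL_VERSION_NUMBER` check in the C sources would keep a plain NOWEBRTC=1 build on the modern API. A comment above the `ifeq ($(FIPS),1)` block such as `# FIPS=1 uses the system OpenSSL (DYNAMICTLS); that library must be a FIPS-capable build` would also help, since the makefile itself verifies nothing about the library it picks up.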
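Review bot: The `#ifdef OLDSSL` early return in the `"little"` branch of ILibDuktape_bignum_fromBuffer has no `#else`, so the `BN_lebin2bn(...)` call on the next line is still compiled in OLDSSL builds. That function was introduced in OpenSSL 1.1.0, so against older headers it becomes an implicit declaration or a link error, and it is dead code after the return in any case; close the guard as `#else` / `b = BN_lebin2bn((unsigned char*)buffer, (int)len, NULL);` / `#endif`. The message `"Invalid endian specified"` is also misleading on this path, because "little" is a valid value that this build merely does not support; `"Little endian is not supported in this build"` would tell the script author what happened. The function body starts and ends outside the hunk.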
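Review bot: In the OLDSSL branches, `X509_get_pubkey()` returns the key with its reference count incremented, unlike `X509_get0_pubkey()`, and nothing visible releases it. In ILibDuktape_VERIFIER_Create the `pkey` needs an `EVP_PKEY_free(pkey);` after `EVP_DigestVerifyInit` (the rest of the function is outside the hunk, so confirm it is not freed later). The same defect is in the ILibDuktape_RSA_Verify hunk, where the temporary passed to `EVP_PKEY_get1_RSA` is leaked on every call and should be held and freed: `EVP_PKEY *pk = X509_get_pubkey(cert->x509); RSA *r = EVP_PKEY_get1_RSA(pk); EVP_PKEY_free(pk);`. Neither path checks the result for NULL, so a certificate without a usable (or non-RSA) public key reaches `EVP_DigestVerifyInit` or `RSA_verify` with a null pointer.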
@@ -388,7 +392,11 @@ duk_ret_t ILibDuktape_RSA_Verify(duk_context *ctx) char *sig = Duktape_GetBuffer(ctx, 3, &sigLen); struct util_cert *cert = (struct util_cert*)Duktape_GetBufferProperty(ctx, 1, ILibDuktape_TLS_util_cert); +#ifdef OLDSSL + RSA *r = EVP_PKEY_get1_RSA(X509_get_pubkey(cert->x509)); +#else RSA *r = EVP_PKEY_get1_RSA(X509_get0_pubkey(cert->x509)); +#endif int vstatus = RSA_verify(duk_require_int(ctx, 0), (unsigned char*)buffer, (unsigned int)bufferLen, (unsigned char*)sig, (unsigned int)sigLen, r); duk_push_boolean(ctx, vstatus == 1); RSA_free(r); diff --git a/microscript/ILibDuktape_ScriptContainer.c b/microscript/ILibDuktape_ScriptContainer.c index 76875b0..e7f17d2 100644 --- a/microscript/ILibDuktape_ScriptContainer.c +++ b/microscript/ILibDuktape_ScriptContainer.c @@ -2610,7 +2610,9 @@ duk_context *ILibDuktape_ScriptContainer_InitializeJavaScriptEngineEx3(duk_conte // Setup the permissions on this engine. JavaScript will only be allowed to access the libraries it has access to. if ((securityFlags & SCRIPT_ENGINE_NO_NETWORK_ACCESS) == 0) { +#ifndef NO_WEBRTC ILibDuktape_WebRTC_Init(ctx); // WebRTC library (browser api) +#endif ILibDuktape_net_init(ctx, chain); // Network library (node api) ILibDuktape_DGram_Init(ctx); // Datagram Sockets ILibDuktape_HttpStream_Init(ctx); // HTTP Library (node api) diff --git a/microscript/ILibDuktape_net.c b/microscript/ILibDuktape_net.c index bdc16de..1b290ac 100644 --- a/microscript/ILibDuktape_net.c +++ b/microscript/ILibDuktape_net.c @@ -39,6 +39,10 @@ limitations under the License. #include #endif +#ifdef OLDSSL +#define TLS_method SSLv23_method +#endif + typedef struct ILibDuktape_net_socket { duk_context *ctx; diff --git a/microstack/ILibAsyncSocket.c b/microstack/ILibAsyncSocket.c index 658ee02..446df8a 100644 --- a/microstack/ILibAsyncSocket.c +++ b/microstack/ILibAsyncSocket.c 
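Review bot: `#define TLS_method SSLv23_method` switches every `TLS_method()` call in ILibDuktape_net.c to the legacy version-flexible method, and on pre-1.1.0 libraries that method still offers SSLv3 unless the context turns it off. The hunk does not show where the contexts are created, so confirm that each one calls `SSL_CTX_set_options(ctx, SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3)` (plus whatever TLS floor the project requires) in OLDSSL builds. A comment above the define, for example `/* OpenSSL < 1.1.0 has no TLS_method(); old protocol versions must be disabled via SSL_CTX_set_options */`, would record why a library name is being redefined.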
@@ -1189,7 +1189,6 @@ void ILibProcessAsyncSocket(struct ILibAsyncSocketModule *Reader, int pendingRea if (Reader->ssl != NULL) { BIO_clear_retry_flags(Reader->readBio); -#if defined(WINSOCK2) if (Reader->RemoteAddress.sin6_family == AF_UNIX) { bytesReceived = recv(Reader->internalSocket, Reader->readBioBuffer_mem + Reader->readBioBuffer->length, (int)(Reader->readBioBuffer->max - Reader->readBioBuffer->length), 0); @@ -1198,16 +1197,6 @@ void ILibProcessAsyncSocket(struct ILibAsyncSocketModule *Reader, int pendingRea { bytesReceived = recvfrom(Reader->internalSocket, Reader->readBioBuffer_mem + Reader->readBioBuffer->length, (int)(Reader->readBioBuffer->max - Reader->readBioBuffer->length), 0, (struct sockaddr*)&(Reader->SourceAddress), (int*)&len); } -#else - if (Reader->RemoteAddress.sin6_family == AF_UNIX) - { - bytesReceived = (int)recv(Reader->internalSocket, Reader->readBioBuffer->data + Reader->readBioBuffer->length, (int)(Reader->readBioBuffer->max - Reader->readBioBuffer->length), 0); - } - else - { - bytesReceived = (int)recvfrom(Reader->internalSocket, Reader->readBioBuffer->data + Reader->readBioBuffer->length, (int)(Reader->readBioBuffer->max - Reader->readBioBuffer->length), 0, (struct sockaddr*)&(Reader->SourceAddress), (socklen_t*)&len); - } -#endif if (bytesReceived > 0) { Reader->readBioBuffer->length += bytesReceived; @@ -1225,6 +1214,7 @@ void ILibProcessAsyncSocket(struct ILibAsyncSocketModule *Reader, int pendingRea // TODO: We should probably do something break; case 1: + printf("SSL_handshake() SUCCESS\n"); Reader->SSLConnect = Reader->TLSHandshakeCompleted = 1; if (Reader->OnConnect != NULL) { diff --git a/microstack/ILibCrypto.c b/microstack/ILibCrypto.c index 920b484..b55efd4 100644 --- a/microstack/ILibCrypto.c +++ b/microstack/ILibCrypto.c 
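Review bot: With the `#if defined(WINSOCK2)` / `#else` split removed (this hunk and the next one), POSIX builds now compile the former Windows-only calls, including `recvfrom(..., (int*)&len)` where POSIX expects a `socklen_t *`; the deleted branch used `(socklen_t*)&len`. They also receive into `Reader->readBioBuffer_mem + Reader->readBioBuffer->length` instead of `Reader->readBioBuffer->data + ...`, while the size bound is still computed from `readBioBuffer->max`. Nothing in the hunk shows that `readBioBuffer_mem` is kept equal to `readBioBuffer->data` on non-Windows builds, and if the two can diverge the receive writes network-supplied bytes past the end of the wrong buffer. Please confirm that invariant, document it next to the field, and keep a `socklen_t` length on POSIX. ILibProcessAsyncSocket starts and ends outside the hunk.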
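Review bot: `printf("SSL_handshake() SUCCESS\n");` under `case 1:` looks like leftover debug output; it writes to stdout on every completed TLS handshake in all builds, not only FIPS ones. Remove it, or route it through the project's logging facility behind a debug-only guard. `printf("ENTERED FIPS mode\n");` in util_openssl_init deserves the same treatment if the agent's stdout is not meant to carry status messages.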
@@ -458,9 +458,19 @@ void __fastcall util_openssl_init() SSL_load_error_strings(); ERR_load_crypto_strings(); // ONE LEAK IN LINUX - OpenSSL_add_all_algorithms(); // OpenSSL 1.1 - OpenSSL_add_all_ciphers(); // OpenSSL 1.1 - OpenSSL_add_all_digests(); // OpenSSL 1.1 + OpenSSL_add_all_algorithms(); // OpenSSL 1.1 + OpenSSL_add_all_ciphers(); // OpenSSL 1.1 + OpenSSL_add_all_digests(); // OpenSSL 1.1 +#ifdef FIPSMODE + if (FIPS_mode() || FIPS_mode_set(1)) + { + printf("ENTERED FIPS mode\n"); + } + else + { + ILIBCRITICALEXITMSG(200, "FAILED to enter FIPS mode"); + } +#endif // Add more random seeding in Windows (This is probably useful since OpenSSL in Windows has weaker seeding) #if defined(WIN32) && !defined(_MINCORE) @@ -503,7 +513,9 @@ void __fastcall util_openssl_uninit() ERR_free_strings(); //ERR_remove_state(0); // Deprecated in OpenSSL/1.1.x +#ifndef OLDSSL OPENSSL_cleanup(); +#endif } // Add extension using V3 code: we can set the config file as NULL because we wont reference any other sections. diff --git a/microstack/ILibWebRTC.c b/microstack/ILibWebRTC.c index 8800050..d4fff15 100644 --- a/microstack/ILibWebRTC.c +++ b/microstack/ILibWebRTC.c @@ -14,6 +14,7 @@ See the License for the specific language governing permissions and limitations under the License. */ +#if !defined(NO_WEBRTC) #if !defined(MICROSTACK_NOTLS) // This is a version of the WebRTC stack with Initiator, TURN and proper retry logic. @@ -7494,13 +7495,14 @@ int ILibSCTP_Debug_SetDebugCallback(void* dtlsSession, char* debugFieldName, ILi } #endif #endif +#endif +#include "ILibParsers.h" #ifdef MICROSTACK_NOTLS #if defined(WINSOCK2) #include #include #endif - #include "ILibParsers.h" #endif /* zlib.h -- interface of the 'zlib' general purpose compression library
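Review bot: The failure branch in util_openssl_init exits with `"FAILED to enter FIPS mode"` but discards the reason OpenSSL queued; adding `ERR_print_errors_fp(stderr);` before `ILIBCRITICALEXITMSG(200, ...)` would show whether the FIPS module is missing or its self-test failed. Failing closed here is the right behaviour. `FIPS_mode()` and `FIPS_mode_set()` were removed in OpenSSL 3.0, so a `-DFIPSMODE` build against 3.x headers stops with an unexplained compile error; an `#error` guarded by `OPENSSL_VERSION_NUMBER` inside the `#ifdef FIPSMODE` block would state the supported library range explicitly.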
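Review bot: Under OLDSSL, util_openssl_uninit now skips `OPENSSL_cleanup()` without substituting the pre-1.1.0 teardown, so the tables registered by `OpenSSL_add_all_algorithms()` in util_openssl_init are never released. If the old API is really the target, give the `#ifndef OLDSSL` an `#else` branch with `EVP_cleanup();` and `CRYPTO_cleanup_all_ex_data();`. If the omission is intentional because the process is exiting anyway, say so in a comment at the guard.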
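Review bot: The tail of ILibWebRTC.c now closes three nested conditionals with bare `#endif` lines, roughly 7,500 lines away from the `#if !defined(NO_WEBRTC)` that opens the outermost one. Tag the added closer as `#endif // !defined(NO_WEBRTC)` and, ideally, the two existing ones with their conditions as well. The `#include "ILibParsers.h"` hoisted out of the `MICROSTACK_NOTLS` block presumably serves the code that follows when WebRTC is compiled out; a one-line comment stating that would stop someone from moving it back.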