Added ability to compile for FIPS mode

2025-12-15 15:53:55 +00:00 · 2021-01-21 20:13:15 -08:00
parent 22e5693253
commit 4daedfd081
8 changed files with 54 additions and 20 deletions
--- a/23
+++ b/23
@@ -145,17 +145,18 @@

 # Microstack & Microscript
 SOURCES = microstack/ILibAsyncServerSocket.c microstack/ILibAsyncSocket.c microstack/ILibAsyncUDPSocket.c microstack/ILibParsers.c microstack/ILibMulticastSocket.c
-SOURCES += microstack/ILibRemoteLogging.c microstack/ILibWebClient.c microstack/ILibWebRTC.c microstack/ILibWebServer.c microstack/ILibCrypto.c
-SOURCES += microstack/ILibWrapperWebRTC.c microstack/ILibSimpleDataStore.c microstack/ILibProcessPipe.c microstack/ILibIPAddressMonitor.c
+SOURCES += microstack/ILibRemoteLogging.c microstack/ILibWebClient.c microstack/ILibWebServer.c microstack/ILibCrypto.c
+SOURCES += microstack/ILibSimpleDataStore.c microstack/ILibProcessPipe.c microstack/ILibIPAddressMonitor.c
 SOURCES += microscript/duktape.c microscript/duk_module_duktape.c microscript/ILibDuktape_DuplexStream.c microscript/ILibDuktape_Helpers.c
 SOURCES += microscript/ILibDuktape_net.c microscript/ILibDuktape_ReadableStream.c microscript/ILibDuktape_WritableStream.c
-SOURCES += microscript/ILibDuktapeModSearch.c microscript/ILibDuktape_WebRTC.c
+SOURCES += microscript/ILibDuktapeModSearch.c 
 SOURCES += microscript/ILibDuktape_SimpleDataStore.c microscript/ILibDuktape_GenericMarshal.c
 SOURCES += microscript/ILibDuktape_fs.c microscript/ILibDuktape_SHA256.c microscript/ILibduktape_EventEmitter.c
 SOURCES += microscript/ILibDuktape_EncryptionStream.c microscript/ILibDuktape_Polyfills.c microscript/ILibDuktape_Dgram.c
 SOURCES += microscript/ILibDuktape_ScriptContainer.c microscript/ILibDuktape_MemoryStream.c microscript/ILibDuktape_NetworkMonitor.c
 SOURCES += microscript/ILibDuktape_ChildProcess.c microscript/ILibDuktape_HttpStream.c microscript/ILibDuktape_Debugger.c
 SOURCES += microscript/ILibDuktape_CompressedStream.c meshcore/zlib/adler32.c meshcore/zlib/deflate.c meshcore/zlib/inffast.c meshcore/zlib/inflate.c meshcore/zlib/inftrees.c meshcore/zlib/trees.c meshcore/zlib/zutil.c
+
 SOURCES += $(ADDITIONALSOURCES)

 # Mesh Agent core
@@ -212,8 +213,10 @@ ifeq ($(AID), 25)
 SKIPFLAGS = 1
 endif

-
-
+ifeq ($(FIPS),1)
+DYNAMICTLS = 1
+NOWEBRTC = 1
+endif

 ifeq ($(ARCHID),32)
 ARCHNAME = aarch64
@@ -494,6 +497,7 @@ ifeq ($(DYNAMICTLS),1)
 LINUXSSL = 
 MACSSL = 
 BSDSSL = 
+INCDIRS = -I. -I/usr/include/openssl -Imicrostack -Imicroscript -Imeshcore -Imeshconsole
 endif

 ifeq ($(DEBUG),1)
@@ -547,7 +551,16 @@ ifeq ($(BIGCHAINLOCK),1)
 CFLAGS += -DILIBCHAIN_GLOBAL_LOCK
 endif

+ifeq ($(NOWEBRTC),1)
+CFLAGS += -DNO_WEBRTC -DOLDSSL
+SOURCES += microstack/ILibWebRTC.c
+else
+SOURCES += microstack/ILibWebRTC.c microstack/ILibWrapperWebRTC.c microscript/ILibDuktape_WebRTC.c
+endif

+ifeq ($(FIPS),1)
+CFLAGS += -DFIPSMODE
+endif

 GCCTEST := $(shell $(CC) meshcore/dummy.c -o /dev/null -no-pie > /dev/null 2>&1 ; echo $$? )
 ifeq ($(GCCTEST),0)
--- a/microscript/ILibDuktape_Polyfills.c
+++ b/microscript/ILibDuktape_Polyfills.c
@@ -2146,6 +2146,9 @@ duk_ret_t ILibDuktape_bignum_fromBuffer(duk_context *ctx)
 	}
 	else if (strcmp(endian, "little") == 0)
 	{
+#ifdef OLDSSL
+		return(ILibDuktape_Error(ctx, "Invalid endian specified"));
+#endif
 		b = BN_lebin2bn((unsigned char*)buffer, (int)len, NULL);
 	}
 	else
--- a/microscript/ILibDuktape_SHA256.c
+++ b/microscript/ILibDuktape_SHA256.c
@@ -336,7 +336,11 @@ duk_ret_t ILibDuktape_VERIFIER_Create(duk_context *ctx)

 	duk_dup(ctx, 0); duk_put_prop_string(ctx, -2, ILibDuktape_VERIFIER_CERT);
 	data->cert = (struct util_cert*)Duktape_GetBufferProperty(ctx, 0, ILibDuktape_TLS_util_cert);
+#ifdef OLDSSL
+	EVP_PKEY *pkey = X509_get_pubkey(data->cert->x509);
+#else
 	EVP_PKEY *pkey = X509_get0_pubkey(data->cert->x509);
+#endif


 	EVP_DigestVerifyInit(data->mdctx, NULL, mdtype, NULL, pkey);
@@ -388,7 +392,11 @@ duk_ret_t ILibDuktape_RSA_Verify(duk_context *ctx)
 	char *sig = Duktape_GetBuffer(ctx, 3, &sigLen);

 	struct util_cert *cert = (struct util_cert*)Duktape_GetBufferProperty(ctx, 1, ILibDuktape_TLS_util_cert);
+#ifdef OLDSSL
+	RSA *r = EVP_PKEY_get1_RSA(X509_get_pubkey(cert->x509));
+#else
 	RSA *r = EVP_PKEY_get1_RSA(X509_get0_pubkey(cert->x509));
+#endif
 	int vstatus = RSA_verify(duk_require_int(ctx, 0), (unsigned char*)buffer, (unsigned int)bufferLen, (unsigned char*)sig, (unsigned int)sigLen, r);
 	duk_push_boolean(ctx, vstatus == 1);
 	RSA_free(r);
--- a/microscript/ILibDuktape_ScriptContainer.c
+++ b/microscript/ILibDuktape_ScriptContainer.c
@@ -2610,7 +2610,9 @@ duk_context *ILibDuktape_ScriptContainer_InitializeJavaScriptEngineEx3(duk_conte
 	// Setup the permissions on this engine. JavaScript will only be allowed to access the libraries it has access to.
 	if ((securityFlags & SCRIPT_ENGINE_NO_NETWORK_ACCESS) == 0)
 	{
+#ifndef NO_WEBRTC
 		ILibDuktape_WebRTC_Init(ctx);						// WebRTC library (browser api)
+#endif
 		ILibDuktape_net_init(ctx, chain);					// Network library (node api)
 		ILibDuktape_DGram_Init(ctx);						// Datagram Sockets
 		ILibDuktape_HttpStream_Init(ctx);					// HTTP Library (node api)
--- a/microscript/ILibDuktape_net.c
+++ b/microscript/ILibDuktape_net.c
@@ -39,6 +39,10 @@ limitations under the License.
 #include <AclAPI.h>
 #endif

+#ifdef OLDSSL
+#define TLS_method SSLv23_method
+#endif
+
 typedef struct ILibDuktape_net_socket
 {
 	duk_context *ctx;
--- a/microstack/ILibAsyncSocket.c
+++ b/microstack/ILibAsyncSocket.c
@@ -1189,7 +1189,6 @@ void ILibProcessAsyncSocket(struct ILibAsyncSocketModule *Reader, int pendingRea
 		if (Reader->ssl != NULL)
 		{
 			BIO_clear_retry_flags(Reader->readBio);
-#if defined(WINSOCK2)
 			if (Reader->RemoteAddress.sin6_family == AF_UNIX)
 			{
 				bytesReceived = recv(Reader->internalSocket, Reader->readBioBuffer_mem + Reader->readBioBuffer->length, (int)(Reader->readBioBuffer->max - Reader->readBioBuffer->length), 0);
@@ -1198,16 +1197,6 @@ void ILibProcessAsyncSocket(struct ILibAsyncSocketModule *Reader, int pendingRea
 			{
 				bytesReceived = recvfrom(Reader->internalSocket, Reader->readBioBuffer_mem + Reader->readBioBuffer->length, (int)(Reader->readBioBuffer->max - Reader->readBioBuffer->length), 0, (struct sockaddr*)&(Reader->SourceAddress), (int*)&len);
 			}
-#else
-			if (Reader->RemoteAddress.sin6_family == AF_UNIX)
-			{
-				bytesReceived = (int)recv(Reader->internalSocket, Reader->readBioBuffer->data + Reader->readBioBuffer->length, (int)(Reader->readBioBuffer->max - Reader->readBioBuffer->length), 0);
-			}
-			else
-			{
-				bytesReceived = (int)recvfrom(Reader->internalSocket, Reader->readBioBuffer->data + Reader->readBioBuffer->length, (int)(Reader->readBioBuffer->max - Reader->readBioBuffer->length), 0, (struct sockaddr*)&(Reader->SourceAddress), (socklen_t*)&len);
-			}
-#endif
 			if (bytesReceived > 0)
 			{
 				Reader->readBioBuffer->length += bytesReceived;
@@ -1225,6 +1214,7 @@ void ILibProcessAsyncSocket(struct ILibAsyncSocketModule *Reader, int pendingRea
 						// TODO: We should probably do something
 						break;
 					case 1:
+						printf("SSL_handshake() SUCCESS\n");
 						Reader->SSLConnect = Reader->TLSHandshakeCompleted = 1;
 						if (Reader->OnConnect != NULL)
 						{
--- a/microstack/ILibCrypto.c
+++ b/microstack/ILibCrypto.c
@@ -458,9 +458,19 @@ void __fastcall util_openssl_init()
 	SSL_load_error_strings();
 	ERR_load_crypto_strings(); // ONE LEAK IN LINUX

-	OpenSSL_add_all_algorithms(); // OpenSSL 1.1
-	OpenSSL_add_all_ciphers(); // OpenSSL 1.1
-	OpenSSL_add_all_digests(); // OpenSSL 1.1
+	OpenSSL_add_all_algorithms();	// OpenSSL 1.1
+	OpenSSL_add_all_ciphers();		// OpenSSL 1.1
+	OpenSSL_add_all_digests();		// OpenSSL 1.1
+#ifdef FIPSMODE
+	if (FIPS_mode() || FIPS_mode_set(1)) 
+	{
+		printf("ENTERED FIPS mode\n"); 
+	}
+	else
+	{
+		ILIBCRITICALEXITMSG(200, "FAILED to enter FIPS mode");
+	}
+#endif

 	// Add more random seeding in Windows (This is probably useful since OpenSSL in Windows has weaker seeding)
 #if defined(WIN32) && !defined(_MINCORE)
@@ -503,7 +513,9 @@ void __fastcall util_openssl_uninit()
 	ERR_free_strings();
 	//ERR_remove_state(0);										// Deprecated in OpenSSL/1.1.x

+#ifndef OLDSSL
 	OPENSSL_cleanup();
+#endif
 }

 // Add extension using V3 code: we can set the config file as NULL because we wont reference any other sections.
--- a/microstack/ILibWebRTC.c
+++ b/microstack/ILibWebRTC.c
@@ -14,6 +14,7 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */

+#if !defined(NO_WEBRTC)
 #if !defined(MICROSTACK_NOTLS)

 // This is a version of the WebRTC stack with Initiator, TURN and proper retry logic.
@@ -7494,13 +7495,14 @@ int ILibSCTP_Debug_SetDebugCallback(void* dtlsSession, char* debugFieldName, ILi
 }
 #endif
 #endif
+#endif

+#include "ILibParsers.h"
 #ifdef MICROSTACK_NOTLS
 #if defined(WINSOCK2)
 	#include <winsock2.h>
 	#include <ws2tcpip.h>
 #endif
-	#include "ILibParsers.h"
 #endif

 /* zlib.h -- interface of the 'zlib' general purpose compression library