authorStef Walter <stef@thewalter.net>2013-07-10 14:28:15 +0200
committerStef Walter <stef@thewalter.net>2013-07-10 15:05:14 +0200
commit46ac3fcb39483799946c606328e1006e92763a81 (patch)
treefc8b0a4fbc37f9be51d4dae4044c27b43e93c391
parent86c0afcdb4329f54c8a7992b323611bdf3203ff0 (diff)
downloadp11-kit-46ac3fcb39483799946c606328e1006e92763a81.tar.gz
Add support for using freebl3 for SHA1 and MD5 hashing
-rw-r--r--common/hash.c90
-rw-r--r--common/tests/Makefile.am1
-rw-r--r--configure.ac33
-rw-r--r--doc/manual/p11-kit-devel.xml7
-rw-r--r--p11-kit/Makefile.am1
-rw-r--r--p11-kit/tests/Makefile.am1
-rw-r--r--tools/Makefile.am3
-rw-r--r--tools/tests/Makefile.am1
-rw-r--r--trust/Makefile.am1
-rw-r--r--trust/tests/Makefile.am5
10 files changed, 141 insertions, 2 deletions
diff --git a/common/hash.c b/common/hash.c
index 9fe3668..f6000c3 100644
--- a/common/hash.c
+++ b/common/hash.c
@@ -39,6 +39,42 @@
#include <stdint.h>
#include <string.h>
+#ifdef WITH_FREEBL
+
+/*
+ * NSS freebl3 has awkward headers not provided by appropriate packages
+ * in many cases. So put these defines here inline. freebl3 seems completely
+ * undocumented anyway. If you think this is a hack, then you guessed right.
+ *
+ * If you want a stable p11-kit without worries, use the builtin SHA1 and MD5
+ * implementations. They're not used for crypto anyway. If you need p11-kit to
+ * tick the "doesn't implement own crypto" checkbox, then the you're signing
+ * up for this hack.
+ */
+
+typedef enum {
+ HASH_AlgMD5 = 2,
+ HASH_AlgSHA1 = 3,
+} HASH_HashType;
+
+typedef struct NSSLOWInitContextStr NSSLOWInitContext;
+typedef struct NSSLOWHASHContextStr NSSLOWHASHContext;
+
+NSSLOWInitContext *NSSLOW_Init(void);
+NSSLOWHASHContext *NSSLOWHASH_NewContext(
+ NSSLOWInitContext *initContext,
+ HASH_HashType hashType);
+void NSSLOWHASH_Begin(NSSLOWHASHContext *context);
+void NSSLOWHASH_Update(NSSLOWHASHContext *context,
+ const unsigned char *buf,
+ unsigned int len);
+void NSSLOWHASH_End(NSSLOWHASHContext *context,
+ unsigned char *buf,
+ unsigned int *ret, unsigned int len);
+void NSSLOWHASH_Destroy(NSSLOWHASHContext *context);
+
+#endif /* WITH_FREEBL3 */
+
#define SHA1_BLOCK_LENGTH 64U
typedef struct {
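Review bot: The closing guard comment reads `#endif /* WITH_FREEBL3 */` but the block is opened by `#ifdef WITH_FREEBL`; it should read `#endif /* WITH_FREEBL */` to match the macro that configure defines. The prototypes and the `HASH_AlgMD5 = 2` / `HASH_AlgSHA1 = 3` values are copied by hand, so nothing at compile time catches a mismatch with the installed library. A line in the block comment recording where they came from, for example `Copied from <freebl header>, NSS <version>`, would let a packager re-check them. The code added further down uses `bool`, `assert` and `va_list`, while only `<stdint.h>` and `<string.h>` are visible in this hunk's context, so the corresponding includes should be confirmed.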
@@ -251,6 +287,38 @@ sha1_final (sha1_t *context,
memset (context, 0, sizeof (sha1_t));
}
+#ifdef WITH_FREEBL
+
+static bool
+nss_slow_hash (HASH_HashType type,
+ unsigned char *hash,
+ unsigned int hash_len,
+ const void *input,
+ size_t length,
+ va_list va)
+{
+ NSSLOWHASHContext *ctx;
+ unsigned int len;
+
+ ctx = NSSLOWHASH_NewContext(NSSLOW_Init (), type);
+ if (ctx == NULL)
+ return false;
+
+ NSSLOWHASH_Begin (ctx);
+ while (input != NULL) {
+ NSSLOWHASH_Update (ctx, input, length);
+ input = va_arg (va, const void *);
+ if (input)
+ length = va_arg (va, size_t);
+ }
+ NSSLOWHASH_End (ctx, hash, &len, hash_len);
+ assert (len == hash_len);
+ NSSLOWHASH_Destroy (ctx);
+ return true;
+}
+
+#endif /* WITH_FREEBL */
+
void
p11_hash_sha1 (unsigned char *hash,
const void *input,
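Review bot: `NSSLOWHASH_Update` is declared with an `unsigned int` length, but `nss_slow_hash` passes the `size_t length` straight through, so where `size_t` is wider an input larger than `UINT_MAX` would be silently truncated and the digest would cover only part of the data. The output-length check is an `assert`, which disappears under `NDEBUG` and then lets the function return true with a possibly short digest in `hash`. The rewrite below feeds each input in `unsigned int`-sized pieces and returns false on a length mismatch, so that the callers' fallback to the builtin code runs; it needs `UINT_MAX` from `<limits.h>`. The result of `NSSLOW_Init ()` is also passed on unchecked, which presumably relies on `NSSLOWHASH_NewContext` rejecting a failed initialisation.

```c
	/* … unchanged: context creation and NULL check … */
	NSSLOWHASH_Begin (ctx);
	while (input != NULL) {
		const unsigned char *data = input;

		/* NSSLOWHASH_Update takes an unsigned int length: feed large inputs in pieces */
		while (length > 0) {
			unsigned int chunk = length > UINT_MAX ? UINT_MAX : (unsigned int)length;
			NSSLOWHASH_Update (ctx, data, chunk);
			data += chunk;
			length -= chunk;
		}
		input = va_arg (va, const void *);
		if (input)
			length = va_arg (va, size_t);
	}
	NSSLOWHASH_End (ctx, hash, &len, hash_len);
	NSSLOWHASH_Destroy (ctx);

	/* A short digest is reported as failure so the caller recomputes with the builtin code */
	return len == hash_len;
```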
@@ -260,6 +328,17 @@ p11_hash_sha1 (unsigned char *hash,
va_list va;
sha1_t sha1;
+#ifdef WITH_FREEBL
+ bool ret;
+
+ va_start (va, length);
+ ret = nss_slow_hash (HASH_AlgSHA1, hash, P11_HASH_SHA1_LEN, input, length, va);
+ va_end (va);
+
+ if (ret)
+ return;
+#endif
+
sha1_init (&sha1);
va_start (va, length);
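Review bot: When `nss_slow_hash` returns false the function silently continues into the builtin SHA-1 code, so a build configured with `--with-hash-impl=freebl` to avoid in-tree hashing can still end up using it without any indication. A comment at the `if (ret) return;` line such as `/* freebl failed: fall back to the builtin implementation */`, together with a debug-level message, would make that visible; whether a silent fallback is acceptable is a policy decision for the builder. The same applies to the block added to `p11_hash_md5` in the next hunk. The body of `p11_hash_sha1` continues outside this hunk.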
@@ -526,6 +605,17 @@ p11_hash_md5 (unsigned char *hash,
va_list va;
md5_t md5;
+#ifdef WITH_FREEBL
+ bool ret;
+
+ va_start (va, length);
+ ret = nss_slow_hash (HASH_AlgMD5, hash, P11_HASH_MD5_LEN, input, length, va);
+ va_end (va);
+
+ if (ret)
+ return;
+#endif
+
md5_init (&md5);
va_start (va, length);
diff --git a/common/tests/Makefile.am b/common/tests/Makefile.am
index 6959c4f..15dd35c 100644
--- a/common/tests/Makefile.am
+++ b/common/tests/Makefile.am
@@ -62,4 +62,5 @@ TESTS = $(CHECK_PROGS)
LDADD += \
$(top_builddir)/common/libp11-common.la \
+ $(HASH_LIBS) \
$(CUTEST_LIBS)
diff --git a/configure.ac b/configure.ac
index 298fb10..33ec808 100644
--- a/configure.ac
+++ b/configure.ac
@@ -156,6 +156,38 @@ AS_IF([test "$with_libtasn1" != "no"], [
AM_CONDITIONAL(WITH_ASN1, test "$with_libtasn1" = "yes")
# --------------------------------------------------------------------
+# Hash implementation
+
+AC_ARG_WITH([hash-impl],
+ AS_HELP_STRING([--with-hash-impl=@<:@freebl/internal@:>@],
+ [Choose the hash implementation to use])
+)
+
+AS_IF([test "$with_hash_impl" = ""], [with_hash_impl=internal])
+
+AS_CASE([$with_hash_impl],
+ [freebl], [
+ AC_CHECK_LIB(freebl3, NSSLOW_Init,
+ [
+ HASH_LIBS=-lfreebl3
+ AC_DEFINE_UNQUOTED(WITH_FREEBL, 1, [Use freebl for hash implementation])
+ ],
+ AC_MSG_ERROR([could not find the freebl3 library])
+ )
+ ],
+
+ [internal], [
+ HASH_LIBS=
+ ],
+
+ [
+ AC_MSG_ERROR([unsupported hash impl: $with_hash_impl])
+ ]
+)
+
+AC_SUBST(HASH_LIBS)
+
+# --------------------------------------------------------------------
# Trust Module
AC_ARG_ENABLE([trust-module],
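Review bot: The `AC_CHECK_LIB(freebl3, NSSLOW_Init, ...)` probe confirms only one of the six functions that common/hash.c declares by hand and calls. A library that exports `NSSLOW_Init` but lacks or renames one of the `NSSLOWHASH_*` entry points would pass configure and fail only at link time. Probing at least `NSSLOWHASH_NewContext` as well, for example with a second `AC_CHECK_LIB(freebl3, NSSLOWHASH_NewContext, ...)`, would catch that earlier. A symbol check cannot verify the argument types, so the hand-written prototypes still need checking against the installed freebl by whoever enables this option.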
@@ -454,6 +486,7 @@ AC_MSG_NOTICE([build options:
Load relative module paths from: $p11_module_path
With libtasn1 dependency: $with_libtasn1
+ With hash implementation: $with_hash_impl
Build trust module: $enable_trust_module
Trust module paths: $trust_status
diff --git a/doc/manual/p11-kit-devel.xml b/doc/manual/p11-kit-devel.xml
index 96db868..42c438c 100644
--- a/doc/manual/p11-kit-devel.xml
+++ b/doc/manual/p11-kit-devel.xml
@@ -194,6 +194,13 @@ $ make install
compiler warnings become errors.</para></listitem>
</varlistentry>
<varlistentry>
+ <term><option>--with-hash-impl=freebl</option></term>
+ <listitem><para>Instead of using internal hash code, link to the freebl3
+ library and use its hash implementations. The only advantage this brings is to
+ meet the policy requirements of system builders.</para>
+ </listitem>
+ </varlistentry>
+ <varlistentry>
<term><option>--with-libtasn1</option>, <option>--without-libtasn1</option></term>
<listitem><para>Build with a dependency on the libtasn1 library. This dependency
allows the trust policy module to be built as well as other code that interacts with
diff --git a/p11-kit/Makefile.am b/p11-kit/Makefile.am
index 1ab3b3d..5469ef5 100644
--- a/p11-kit/Makefile.am
+++ b/p11-kit/Makefile.am
@@ -57,6 +57,7 @@ libp11_kit_la_LIBADD = \
$(LTLIBINTL) \
$(top_builddir)/common/libp11-common.la \
$(top_builddir)/common/libp11-library.la \
+ $(HASH_LIBS) \
$(NULL)
noinst_LTLIBRARIES = \
diff --git a/p11-kit/tests/Makefile.am b/p11-kit/tests/Makefile.am
index c7b87ae..0c53c55 100644
--- a/p11-kit/tests/Makefile.am
+++ b/p11-kit/tests/Makefile.am
@@ -14,6 +14,7 @@ LDADD = \
$(top_builddir)/common/libp11-mock.la \
$(top_builddir)/common/libp11-common.la \
$(CUTEST_LIBS) \
+ $(HASH_LIBS) \
$(LTLIBINTL)
CHECK_PROGS = \
diff --git a/tools/Makefile.am b/tools/Makefile.am
index 5e48149..02b52e6 100644
--- a/tools/Makefile.am
+++ b/tools/Makefile.am
@@ -35,7 +35,8 @@ if WITH_ASN1
p11_kit_LDADD += \
$(top_builddir)/common/libp11-data.la \
- $(LIBTASN1_LIBS)
+ $(LIBTASN1_LIBS) \
+ $(HASH_LIBS)
p11_kit_CFLAGS += \
$(LIBTASN1_CFLAGS)
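Review bot: `$(HASH_LIBS)` is appended to `p11_kit_LDADD` only inside the `if WITH_ASN1` block, so a build with `--with-hash-impl=freebl` and without libtasn1 does not get `-lfreebl3` from this file. If the unconditional `p11_kit_LDADD` (outside this hunk) links `libp11-common.la` directly, that configuration could fail with unresolved `NSSLOW*` symbols, unless the library arrives transitively through `libp11-kit.la`. Adding `$(HASH_LIBS)` to the unconditional `p11_kit_LDADD` list would remove the dependency on `WITH_ASN1`.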
diff --git a/tools/tests/Makefile.am b/tools/tests/Makefile.am
index f6609ec..ad06446 100644
--- a/tools/tests/Makefile.am
+++ b/tools/tests/Makefile.am
@@ -29,6 +29,7 @@ LDADD = \
$(LIBTASN1_LIBS) \
$(LTLIBINTL) \
$(CUTEST_LIBS) \
+ $(HASH_LIBS) \
$(NULL)
noinst_LTLIBRARIES = \
diff --git a/trust/Makefile.am b/trust/Makefile.am
index 875c8c4..1aa6cb5 100644
--- a/trust/Makefile.am
+++ b/trust/Makefile.am
@@ -38,6 +38,7 @@ p11_kit_trust_la_LIBADD = \
$(top_builddir)/common/libp11-library.la \
$(top_builddir)/common/libp11-common.la \
$(LIBTASN1_LIBS) \
+ $(HASH_LIBS) \
$(NULL)
p11_kit_trust_la_LDFLAGS = \
diff --git a/trust/tests/Makefile.am b/trust/tests/Makefile.am
index 90b9fb5..34ff06e 100644
--- a/trust/tests/Makefile.am
+++ b/trust/tests/Makefile.am
@@ -23,6 +23,7 @@ LDADD = \
$(builddir)/libtestdata.la \
$(LIBTASN1_LIBS) \
$(CUTEST_LIBS) \
+ $(HASH_LIBS) \
$(NULL)
CHECK_PROGS = \
@@ -42,7 +43,9 @@ noinst_PROGRAMS = \
frob_nss_trust_LDADD = \
$(top_builddir)/common/libp11-common.la \
- $(top_builddir)/p11-kit/libp11-kit.la
+ $(top_builddir)/p11-kit/libp11-kit.la \
+ $(HASH_LIBS) \
+ $(NULL)
TESTS = $(CHECK_PROGS)