diff --git a/configure.ac b/configure.ac
index aa9b2ba6bdb96df8b8c135fb5112fc9006be69b7..f99697a445165c70ba77f94c277d82eb0407b575 100644
--- a/configure.ac
+++ b/configure.ac
@@ -67,14 +67,15 @@ AM_CONDITIONAL(LIBFUZZER_ENABLED, test "x$enable_libfuzzer" = "xyes")
AM_CONDITIONAL(OSS_FUZZ_ENABLED, test "x$enable_oss_fuzz" = "xyes")
AM_CONDITIONAL(USE_RUST, test "x$enable_rust" = "xyes")
AM_CONDITIONAL(USE_NSS, test "x$enable_nss" = "xyes")
-AM_CONDITIONAL(USE_OPENSSL, true)
+AM_CONDITIONAL(USE_OPENSSL, test "x$enable_nss" != "xyes")
if test "x$enable_nss" = "xyes"; then
AC_DEFINE(ENABLE_NSS, 1,
[Defined if we're building with NSS in addition to OpenSSL.])
+else
+ AC_DEFINE(ENABLE_OPENSSL, 1,
+ [Defined if we're building with OpenSSL or LibreSSL])
fi
-AC_DEFINE(ENABLE_OPENSSL, 1,
- [Defined if we're building with OpenSSL or LibreSSL])
if test "$enable_static_tor" = "yes"; then
enable_static_libevent="yes";
@@ -872,6 +873,8 @@ fi
dnl ------------------------------------------------------
dnl Where do you live, openssl? And how do we call you?
+if test "x$enable_nss" != "xyes"; then
+
tor_openssl_pkg_redhat="openssl"
tor_openssl_pkg_debian="libssl-dev"
tor_openssl_devpkg_redhat="openssl-devel"
@@ -971,6 +974,11 @@ AC_CHECK_SIZEOF(SHA_CTX, , [AC_INCLUDES_DEFAULT()
#include <openssl/sha.h>
])
+fi # enable_nss
+
+dnl ======================================================================
+dnl Can we use KIST?
+
dnl Define the set of checks for KIST scheduler support.
AC_DEFUN([CHECK_KIST_SUPPORT],[
dnl KIST needs struct tcp_info and for certain members to exist.
diff --git a/src/app/config/config.c b/src/app/config/config.c
index d2ed295621d452df8a1dbc71243245b9a76eb069..d7c9f6d610654930853181e201e04a8f52330b77 100644
--- a/src/app/config/config.c
+++ b/src/app/config/config.c
@@ -82,6 +82,11 @@
#include "lib/crypt_ops/crypto_rand.h"
#include "lib/crypt_ops/crypto_util.h"
#include "lib/crypt_ops/crypto_init.h"
+#ifdef ENABLE_NSS
+#include "lib/crypt_ops/crypto_nss_mgt.h"
+#else
+#include "lib/crypt_ops/crypto_openssl_mgt.h"
+#endif
#include "feature/dircache/dirserv.h"
#include "feature/relay/dns.h"
#include "core/or/dos.h"
@@ -5238,9 +5243,16 @@ options_init_from_torrc(int argc, char **argv)
printf("Libevent\t\t%-15s\t\t%s\n",
tor_libevent_get_header_version_str(),
tor_libevent_get_version_str());
+#ifdef ENABLE_OPENSSL
printf("OpenSSL \t\t%-15s\t\t%s\n",
crypto_openssl_get_header_version_str(),
crypto_openssl_get_version_str());
+#endif
+#ifdef ENABLE_NSS
+ printf("NSS \t\t%-15s\t\t%s\n",
+ crypto_nss_get_header_version_str(),
+ crypto_nss_get_version_str());
+#endif
if (tor_compress_supports_method(ZLIB_METHOD)) {
printf("Zlib \t\t%-15s\t\t%s\n",
tor_compress_version_str(ZLIB_METHOD),
diff --git a/src/core/mainloop/main.c b/src/core/mainloop/main.c
index ad8c1ead67c714359aa59ec514a2e733bb91e6a4..f40639d087f64ce5d0a7944f6f6ef89900d4ce6a 100644
--- a/src/core/mainloop/main.c
+++ b/src/core/mainloop/main.c
@@ -3504,10 +3504,11 @@ tor_init(int argc, char *argv[])
const char *version = get_version();
log_notice(LD_GENERAL, "Tor %s running on %s with Libevent %s, "
- "OpenSSL %s, Zlib %s, Liblzma %s, and Libzstd %s.", version,
+ "%s %s, Zlib %s, Liblzma %s, and Libzstd %s.", version,
get_uname(),
tor_libevent_get_version_str(),
- crypto_openssl_get_version_str(),
+ crypto_get_library_name(),
+ crypto_get_library_version_string(),
tor_compress_supports_method(ZLIB_METHOD) ?
tor_compress_version_str(ZLIB_METHOD) : "N/A",
tor_compress_supports_method(LZMA_METHOD) ?
diff --git a/src/lib/crypt_ops/compat_openssl.h b/src/lib/crypt_ops/compat_openssl.h
index 317c01134a85ac4e9b25b56279516b483c4e474d..f2f632ab4016ebca66d7226ca82ef9114e93aaf7 100644
--- a/src/lib/crypt_ops/compat_openssl.h
+++ b/src/lib/crypt_ops/compat_openssl.h
@@ -7,6 +7,10 @@
#ifndef TOR_COMPAT_OPENSSL_H
#define TOR_COMPAT_OPENSSL_H
+#include "orconfig.h"
+
+#ifdef ENABLE_OPENSSL
+
#include <openssl/opensslv.h>
#include "lib/crypt_ops/crypto_openssl_mgt.h"
@@ -47,5 +51,7 @@
#define CONST_IF_OPENSSL_1_1_API const
#endif /* !defined(OPENSSL_1_1_API) */
+#endif /* defined(ENABLE_OPENSSL) */
+
#endif /* !defined(TOR_COMPAT_OPENSSL_H) */
diff --git a/src/lib/crypt_ops/crypto_dh.h b/src/lib/crypt_ops/crypto_dh.h
index 6e79a6404cb9ce1fb3ab9e9f7b8b9bb6cf8fb20a..3ee343a27833919f615ade12369861dbf780115e 100644
--- a/src/lib/crypt_ops/crypto_dh.h
+++ b/src/lib/crypt_ops/crypto_dh.h
@@ -56,7 +56,7 @@ struct dh_st *crypto_dh_new_openssl_tls(void);
void crypto_dh_init_openssl(void);
void crypto_dh_free_all_openssl(void);
#endif
-#ifdef ENABLE_OPENSSL
+#ifdef ENABLE_NSS
void crypto_dh_init_nss(void);
void crypto_dh_free_all_nss(void);
#endif
diff --git a/src/lib/crypt_ops/crypto_ed25519.c b/src/lib/crypt_ops/crypto_ed25519.c
index 9d2c9e9fabd7bcca3e8fcb0ded0907b3a1f1c28d..11c1f56aef5d2b893aafa04ca5f7b482ecfb01d6 100644
--- a/src/lib/crypt_ops/crypto_ed25519.c
+++ b/src/lib/crypt_ops/crypto_ed25519.c
@@ -37,6 +37,7 @@
#include "ed25519/donna/ed25519_donna_tor.h"
#include <string.h>
+#include <errno.h>
static void pick_ed25519_impl(void);
diff --git a/src/lib/crypt_ops/crypto_format.c b/src/lib/crypt_ops/crypto_format.c
index 50916a8d68d929b87ca42bb21ed5650512366230..09ec753a008d1cc6e95f6f4a2b3bfee072213d4e 100644
--- a/src/lib/crypt_ops/crypto_format.c
+++ b/src/lib/crypt_ops/crypto_format.c
@@ -29,6 +29,7 @@
#include "lib/fs/files.h"
#include <string.h>
+#include <errno.h>
/** Write the <b>datalen</b> bytes from <b>data</b> to the file named
* <b>fname</b> in the tagged-data format. This format contains a
diff --git a/src/lib/crypt_ops/crypto_hkdf.c b/src/lib/crypt_ops/crypto_hkdf.c
index 1873632a9d63075ad54e265f97a8487771aae682..a63d9131d9de25abec3ea60276363dc8dd850441 100644
--- a/src/lib/crypt_ops/crypto_hkdf.c
+++ b/src/lib/crypt_ops/crypto_hkdf.c
@@ -17,12 +17,14 @@
#include "lib/intmath/cmp.h"
#include "lib/log/util_bug.h"
+#ifdef ENABLE_OPENSSL
#include <openssl/opensslv.h>
#if defined(HAVE_ERR_LOAD_KDF_STRINGS)
#include <openssl/kdf.h>
#define HAVE_OPENSSL_HKDF 1
#endif
+#endif
#include <string.h>
diff --git a/src/lib/crypt_ops/crypto_init.c b/src/lib/crypt_ops/crypto_init.c
index 620fe8e1be8084edde1bb4a6aaf3e2ad355dbdf2..f9b077e9e7641610a4ab7cd511d99582fd40db14 100644
--- a/src/lib/crypt_ops/crypto_init.c
+++ b/src/lib/crypt_ops/crypto_init.c
@@ -88,6 +88,10 @@ crypto_global_init(int useAccel, const char *accelName, const char *accelDir)
#ifdef ENABLE_OPENSSL
if (crypto_openssl_late_init(useAccel, accelName, accelDir) < 0)
return -1;
+#else
+ (void)useAccel;
+ (void)accelName;
+ (void)accelDir;
#endif
#ifdef ENABLE_NSS
if (crypto_nss_late_init() < 0)
@@ -139,3 +143,41 @@ crypto_postfork(void)
crypto_nss_postfork();
#endif
}
+
+/** Return the name of the crypto library we're using. */
+const char *
+crypto_get_library_name(void)
+{
+#ifdef ENABLE_OPENSSL
+ return "OpenSSL";
+#endif
+#ifdef ENABLE_NSS
+ return "NSS";
+#endif
+}
+
+/** Return the version of the crypto library we are using, as given in the
+ * library. */
+const char *
+crypto_get_library_version_string(void)
+{
+#ifdef ENABLE_OPENSSL
+ return crypto_openssl_get_version_str();
+#endif
+#ifdef ENABLE_NSS
+ return crypto_nss_get_version_str();
+#endif
+}
+
+/** Return the version of the crypto library we're using, as given in the
+ * headers. */
+const char *
+crypto_get_header_version_string(void)
+{
+#ifdef ENABLE_OPENSSL
+ return crypto_openssl_get_header_version_str();
+#endif
+#ifdef ENABLE_NSS
+ return crypto_nss_get_header_version_str();
+#endif
+}
diff --git a/src/lib/crypt_ops/crypto_init.h b/src/lib/crypt_ops/crypto_init.h
index 3e32456b5c6db8ef5f482a6241b10f35aa66a689..05b281720c92a34f5e2f1bee1d1725df0370e6a8 100644
--- a/src/lib/crypt_ops/crypto_init.h
+++ b/src/lib/crypt_ops/crypto_init.h
@@ -26,4 +26,8 @@ void crypto_thread_cleanup(void);
int crypto_global_cleanup(void);
void crypto_postfork(void);
+const char *crypto_get_library_name(void);
+const char *crypto_get_library_version_string(void);
+const char *crypto_get_header_version_string(void);
+
#endif /* !defined(TOR_CRYPTO_H) */
diff --git a/src/lib/crypt_ops/crypto_rand.c b/src/lib/crypt_ops/crypto_rand.c
index 9806714747d9367ad472d62ffd25148da63b7dac..78471bf398d862ab16d5a4a39f6acc668e70d2d5 100644
--- a/src/lib/crypt_ops/crypto_rand.c
+++ b/src/lib/crypt_ops/crypto_rand.c
@@ -35,9 +35,11 @@
#include "lib/testsupport/testsupport.h"
#include "lib/fs/files.h"
+#include "lib/defs/digest_sizes.h"
+#include "lib/crypt_ops/crypto_digest.h"
+
#ifdef ENABLE_NSS
#include "lib/crypt_ops/crypto_nss_mgt.h"
-#include "lib/crypt_ops/crypto_digest.h"
#endif
#ifdef ENABLE_OPENSSL
@@ -80,6 +82,7 @@ ENABLE_GCC_WARNING(redundant-decls)
#endif
#include <string.h>
+#include <errno.h>
/**
* How many bytes of entropy we add at once.
@@ -335,7 +338,8 @@ crypto_strongest_rand_raw(uint8_t *out, size_t out_len)
void
crypto_strongest_rand(uint8_t *out, size_t out_len)
{
-#define DLEN SHA512_DIGEST_LENGTH
+#define DLEN DIGEST512_LEN
+
/* We're going to hash DLEN bytes from the system RNG together with some
* bytes from the PRNGs from our crypto librar(y/ies), in order to yield
* DLEN bytes.
@@ -360,11 +364,11 @@ crypto_strongest_rand(uint8_t *out, size_t out_len)
// LCOV_EXCL_STOP
}
if (out_len >= DLEN) {
- SHA512(inp, sizeof(inp), out);
+ crypto_digest512((char*)out, (char*)inp, sizeof(inp), DIGEST_SHA512);
out += DLEN;
out_len -= DLEN;
} else {
- SHA512(inp, sizeof(inp), tmp);
+ crypto_digest512((char*)tmp, (char*)inp, sizeof(inp), DIGEST_SHA512);
memcpy(out, tmp, out_len);
break;
}
@@ -699,6 +703,7 @@ smartlist_shuffle(smartlist_t *sl)
int
crypto_force_rand_ssleay(void)
{
+#ifdef ENABLE_OPENSSL
RAND_METHOD *default_method;
default_method = RAND_OpenSSL();
if (RAND_get_rand_method() != default_method) {
@@ -708,6 +713,7 @@ crypto_force_rand_ssleay(void)
RAND_set_rand_method(default_method);
return 1;
}
+#endif
return 0;
}
diff --git a/src/lib/crypt_ops/crypto_rsa.c b/src/lib/crypt_ops/crypto_rsa.c
index 0f80bc967fdde46c8e2c705d9819a440739d1b5b..31497e65097d2eaa58db4306becb57db8b10610d 100644
--- a/src/lib/crypt_ops/crypto_rsa.c
+++ b/src/lib/crypt_ops/crypto_rsa.c
@@ -37,11 +37,12 @@ crypto_get_rsa_padding_overhead(int padding)
{
switch (padding)
{
- case RSA_PKCS1_OAEP_PADDING: return PKCS1_OAEP_PADDING_OVERHEAD;
+ case PK_PKCS1_OAEP_PADDING: return PKCS1_OAEP_PADDING_OVERHEAD;
default: tor_assert(0); return -1; // LCOV_EXCL_LINE
}
}
+#ifdef ENABLE_OPENSSL
/** Given a padding method <b>padding</b>, return the correct OpenSSL constant.
*/
int
@@ -53,6 +54,7 @@ crypto_get_rsa_padding(int padding)
default: tor_assert(0); return -1; // LCOV_EXCL_LINE
}
}
+#endif
/** Compare the public-key components of a and b. Return non-zero iff
* a==b. A NULL key is considered to be distinct from all non-NULL
@@ -100,7 +102,7 @@ crypto_pk_obsolete_public_hybrid_encrypt(crypto_pk_t *env,
tor_assert(to);
tor_assert(fromlen < SIZE_T_CEILING);
- overhead = crypto_get_rsa_padding_overhead(crypto_get_rsa_padding(padding));
+ overhead = crypto_get_rsa_padding_overhead(padding);
pkeylen = crypto_pk_keysize(env);
if (!force && fromlen+overhead <= pkeylen) {
diff --git a/src/lib/crypt_ops/crypto_s2k.c b/src/lib/crypt_ops/crypto_s2k.c
index 0e151f0a6c2775232a80e17544020d5b327559f8..433fbb026d73500b9755ac9ef5b550f9d799900a 100644
--- a/src/lib/crypt_ops/crypto_s2k.c
+++ b/src/lib/crypt_ops/crypto_s2k.c
@@ -21,7 +21,9 @@
#include "lib/ctime/di_ops.h"
#include "lib/log/util_bug.h"
+#ifdef ENABLE_OPENSSL
#include <openssl/evp.h>
+#endif
#if defined(HAVE_LIBSCRYPT_H) && defined(HAVE_LIBSCRYPT_SCRYPT)
#define HAVE_SCRYPT
@@ -265,6 +267,7 @@ secret_to_key_compute_key(uint8_t *key_out, size_t key_out_len,
return (int)key_out_len;
case S2K_TYPE_PBKDF2: {
+#ifdef ENABLE_OPENSSL
uint8_t log_iters;
if (spec_len < 1 || secret_len > INT_MAX || spec_len > INT_MAX)
return S2K_BAD_LEN;
@@ -278,6 +281,10 @@ secret_to_key_compute_key(uint8_t *key_out, size_t key_out_len,
if (rv < 0)
return S2K_FAILED;
return (int)key_out_len;
+#else
+ // XXXXXXXXXXXXXXXXXXXXXXXX implement me.
+ return S2K_NO_SCRYPT_SUPPORT;
+#endif
}
case S2K_TYPE_SCRYPT: {
diff --git a/src/lib/crypt_ops/crypto_util.c b/src/lib/crypt_ops/crypto_util.c
index a645321bfb9134c887a7959ed8877047c5101ef7..7af80291ef7c9105f4d4c8d928510ae54b6b5fd5 100644
--- a/src/lib/crypt_ops/crypto_util.c
+++ b/src/lib/crypt_ops/crypto_util.c
@@ -23,12 +23,14 @@
#include <wincrypt.h>
#endif /* defined(_WIN32) */
-DISABLE_GCC_WARNING(redundant-decls)
+#include <stdlib.h>
+#ifdef ENABLE_OPENSSL
+DISABLE_GCC_WARNING(redundant-decls)
#include <openssl/err.h>
#include <openssl/crypto.h>
-
ENABLE_GCC_WARNING(redundant-decls)
+#endif
#include "lib/log/log.h"
#include "lib/log/util_bug.h"
diff --git a/src/lib/crypt_ops/include.am b/src/lib/crypt_ops/include.am
index 195dac6bdbcba1b200e563802f25a436c86b7381..1022096fdc885db82426d90dd1fb7db88566357d 100644
--- a/src/lib/crypt_ops/include.am
+++ b/src/lib/crypt_ops/include.am
@@ -9,7 +9,6 @@ src_lib_libtor_crypt_ops_a_SOURCES = \
src/lib/crypt_ops/crypto_cipher.c \
src/lib/crypt_ops/crypto_curve25519.c \
src/lib/crypt_ops/crypto_dh.c \
- src/lib/crypt_ops/crypto_dh_openssl.c \
src/lib/crypt_ops/crypto_digest.c \
src/lib/crypt_ops/crypto_ed25519.c \
src/lib/crypt_ops/crypto_format.c \
@@ -37,6 +36,7 @@ endif
if USE_OPENSSL
src_lib_libtor_crypt_ops_a_SOURCES += \
+ src/lib/crypt_ops/crypto_dh_openssl.c \
src/lib/crypt_ops/crypto_openssl_mgt.c
endif
diff --git a/src/lib/tls/tortls_internal.h b/src/lib/tls/tortls_internal.h
index f6afb348ca5ebb8c469682aa967e9faf85a2b923..c58379e19b9616fa4418980160714512cf2f69b9 100644
--- a/src/lib/tls/tortls_internal.h
+++ b/src/lib/tls/tortls_internal.h
@@ -15,28 +15,38 @@ struct ssl_session_st;
int tor_errno_to_tls_error(int e);
int tor_tls_get_error(tor_tls_t *tls, int r, int extra,
const char *doing, int severity, int domain);
-tor_tls_t *tor_tls_get_by_ssl(const struct ssl_st *ssl);
-void tor_tls_allocate_tor_tls_object_ex_data_index(void);
MOCK_DECL(void, try_to_extract_certs_from_tls,
(int severity, tor_tls_t *tls,
tor_x509_cert_impl_t **cert_out,
tor_x509_cert_impl_t **id_cert_out));
-#ifdef TORTLS_OPENSSL_PRIVATE
-int always_accept_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx);
-int tor_tls_classify_client_ciphers(const struct ssl_st *ssl,
- STACK_OF(SSL_CIPHER) *peer_ciphers);
-#endif
+
+tor_tls_context_t *tor_tls_context_new(crypto_pk_t *identity,
+ unsigned int key_lifetime, unsigned flags, int is_client);
+int tor_tls_context_init_one(tor_tls_context_t **ppcontext,
+ crypto_pk_t *identity,
+ unsigned int key_lifetime,
+ unsigned int flags,
+ int is_client);
+
+#ifdef ENABLE_OPENSSL
+tor_tls_t *tor_tls_get_by_ssl(const struct ssl_st *ssl);
int tor_tls_client_is_using_v2_ciphers(const struct ssl_st *ssl);
-#ifndef HAVE_SSL_SESSION_GET_MASTER_KEY
-size_t SSL_SESSION_get_master_key(struct ssl_session_st *s,
- uint8_t *out,
- size_t len);
-#endif
void tor_tls_debug_state_callback(const struct ssl_st *ssl,
int type, int val);
void tor_tls_server_info_callback(const struct ssl_st *ssl,
int type, int val);
+void tor_tls_allocate_tor_tls_object_ex_data_index(void);
+
+#if !defined(HAVE_SSL_SESSION_GET_MASTER_KEY)
+size_t SSL_SESSION_get_master_key(struct ssl_session_st *s,
+ uint8_t *out,
+ size_t len);
+#endif
+
#ifdef TORTLS_OPENSSL_PRIVATE
+int always_accept_verify_cb(int preverify_ok, X509_STORE_CTX *x509_ctx);
+int tor_tls_classify_client_ciphers(const struct ssl_st *ssl,
+ STACK_OF(SSL_CIPHER) *peer_ciphers);
STATIC int tor_tls_session_secret_cb(struct ssl_st *ssl, void *secret,
int *secret_len,
STACK_OF(SSL_CIPHER) *peer_ciphers,
@@ -44,14 +54,8 @@ STATIC int tor_tls_session_secret_cb(struct ssl_st *ssl, void *secret,
void *arg);
STATIC int find_cipher_by_id(const SSL *ssl, const SSL_METHOD *m,
uint16_t cipher);
-#endif /* defined(TORTLS_OPENSSL_PRIVATE) */
-tor_tls_context_t *tor_tls_context_new(crypto_pk_t *identity,
- unsigned int key_lifetime, unsigned flags, int is_client);
-int tor_tls_context_init_one(tor_tls_context_t **ppcontext,
- crypto_pk_t *identity,
- unsigned int key_lifetime,
- unsigned int flags,
- int is_client);
+#endif
+#endif
#ifdef TOR_UNIT_TESTS
extern int tor_tls_object_ex_data_index;
diff --git a/src/lib/tls/tortls_nss.c b/src/lib/tls/tortls_nss.c
index 078196ac5f8d7c269b0895e81ed62211b8b1ee78..98fecdaf1635e0937b1e5042b16a562807820f09 100644
--- a/src/lib/tls/tortls_nss.c
+++ b/src/lib/tls/tortls_nss.c
@@ -47,19 +47,6 @@ tor_tls_get_error(tor_tls_t *tls, int r, int extra,
// XXXX
return -1;
}
-tor_tls_t *
-tor_tls_get_by_ssl(const struct ssl_st *ssl)
-{
- (void) ssl;
- // XXXX
- // XXXX refers to ssl_st.
- return NULL;
-}
-void
-tor_tls_allocate_tor_tls_object_ex_data_index(void)
-{
- // XXXX openssl only.
-}
MOCK_IMPL(void,
try_to_extract_certs_from_tls,(int severity, tor_tls_t *tls,
tor_x509_cert_impl_t **cert_out,
@@ -71,36 +58,7 @@ try_to_extract_certs_from_tls,(int severity, tor_tls_t *tls,
(void)severity;
// XXXX
}
-int
-tor_tls_client_is_using_v2_ciphers(const struct ssl_st *ssl)
-{
- (void) ssl;
- // XXXX
- // XXXX refers to ssl_st.
- return 0;
-}
-void
-tor_tls_debug_state_callback(const struct ssl_st *ssl,
- int type, int val)
-{
- (void) ssl;
- (void)type;
- (void)val;
- // XXXX
- // XXXX refers to ssl_st.
-}
-
-void
-tor_tls_server_info_callback(const struct ssl_st *ssl,
- int type, int val)
-{
- (void)ssl;
- (void)type;
- (void)val;
- // XXXX
- // XXXX refers to ssl_st.
-}
tor_tls_context_t *
tor_tls_context_new(crypto_pk_t *identity,
unsigned int key_lifetime, unsigned flags, int is_client)
diff --git a/src/test/bench.c b/src/test/bench.c
index 2b90ccf734055e29f954a0431ba51be1f2fde869..3594059057816fd2da59f6629a943f8f5c7b1048 100644
--- a/src/test/bench.c
+++ b/src/test/bench.c
@@ -13,11 +13,14 @@
#include "core/or/or.h"
#include "core/crypto/onion_tap.h"
#include "core/crypto/relay_crypto.h"
+
+#ifdef ENABLE_OPENSSL
#include <openssl/opensslv.h>
#include <openssl/evp.h>
#include <openssl/ec.h>
#include <openssl/ecdh.h>
#include <openssl/obj_mac.h>
+#endif
#include "core/or/circuitlist.h"
#include "app/config/config.h"
@@ -580,6 +583,7 @@ bench_dh(void)
" %f millisec each.\n", NANOCOUNT(start, end, iters)/1e6);
}
+#ifdef ENABLE_OPENSSL
static void
bench_ecdh_impl(int nid, const char *name)
{
@@ -629,6 +633,7 @@ bench_ecdh_p224(void)
{
bench_ecdh_impl(NID_secp224r1, "P-224");
}
+#endif
typedef void (*bench_fn)(void);
@@ -652,8 +657,11 @@ static struct benchmark_t benchmarks[] = {
ENT(cell_aes),
ENT(cell_ops),
ENT(dh),
+
+#ifdef ENABLE_OPENSSL
ENT(ecdh_p256),
ENT(ecdh_p224),
+#endif
{NULL,NULL,0}
};
diff --git a/src/test/include.am b/src/test/include.am
index c2e08aa3df03f86e22153a3f31adeced642da52f..05149b8654dabd24de4620b7de5a7eff0931114f 100644
--- a/src/test/include.am
+++ b/src/test/include.am
@@ -118,7 +118,6 @@ src_test_test_SOURCES += \
src/test/test_controller_events.c \
src/test/test_crypto.c \
src/test/test_crypto_ope.c \
- src/test/test_crypto_openssl.c \
src/test/test_data.c \
src/test/test_dir.c \
src/test/test_dir_common.c \
@@ -189,6 +188,7 @@ if USE_NSS
# ...
else
src_test_test_SOURCES += \
+ src/test/test_crypto_openssl.c \
src/test/test_tortls_openssl.c
endif
diff --git a/src/test/test.c b/src/test/test.c
index 3b63f1c07efe3d894748219a398e7a94fd4727cd..9623443057eb524a9fe41892302d90a6b2b1d983 100644
--- a/src/test/test.c
+++ b/src/test/test.c
@@ -866,7 +866,9 @@ struct testgroup_t testgroups[] = {
{ "control/event/", controller_event_tests },
{ "crypto/", crypto_tests },
{ "crypto/ope/", crypto_ope_tests },
+#ifdef ENABLE_OPENSSL
{ "crypto/openssl/", crypto_openssl_tests },
+#endif
{ "crypto/pem/", pem_tests },
{ "dir/", dir_tests },
{ "dir_handle_get/", dir_handle_get_tests },
diff --git a/src/test/test_crypto.c b/src/test/test_crypto.c
index 90fb8d468b0a3c505c7e7dd25377d36e7ce3d1d0..04077b42fb1ce17bc3d1f0d7f28d48a1ffa704f6 100644
--- a/src/test/test_crypto.c
+++ b/src/test/test_crypto.c
@@ -224,6 +224,9 @@ static void
test_crypto_openssl_version(void *arg)
{
(void)arg;
+#ifdef ENABLE_NSS
+ tt_skip();
+#else
const char *version = crypto_openssl_get_version_str();
const char *h_version = crypto_openssl_get_header_version_str();
tt_assert(version);
@@ -243,6 +246,7 @@ test_crypto_openssl_version(void *arg)
tt_int_op(a, OP_GE, 0);
tt_int_op(b, OP_GE, 0);
tt_int_op(c, OP_GE, 0);
+#endif
done:
;
diff --git a/src/test/test_crypto_slow.c b/src/test/test_crypto_slow.c
index 88b31ad9af2b4fcb7ad30097de61138d8c26fb3c..ca6b7b8d4dad4a33faa41821a6360a7e6a8cb6c6 100644
--- a/src/test/test_crypto_slow.c
+++ b/src/test/test_crypto_slow.c
@@ -18,7 +18,9 @@
#include <libscrypt.h>
#endif
+#ifdef ENABLE_OPENSSL
#include <openssl/evp.h>
+#endif
/** Run unit tests for our secret-to-key passphrase hashing functionality. */
static void
diff --git a/src/tools/include.am b/src/tools/include.am
index cdd5616fb19fdcd5bde46985b1a2834ffcdfb05b..73ec86935fdb2388d2aa1551508e05a65a6401e9 100644
--- a/src/tools/include.am
+++ b/src/tools/include.am
@@ -1,7 +1,7 @@
-bin_PROGRAMS+= src/tools/tor-resolve src/tools/tor-gencert src/tools/tor-print-ed-signing-cert
+bin_PROGRAMS+= src/tools/tor-resolve src/tools/tor-print-ed-signing-cert
if COVERAGE_ENABLED
-noinst_PROGRAMS+= src/tools/tor-cov-resolve src/tools/tor-cov-gencert
+noinst_PROGRAMS+= src/tools/tor-cov-resolve
endif
src_tools_tor_resolve_SOURCES = src/tools/tor-resolve.c
@@ -20,6 +20,10 @@ src_tools_tor_cov_resolve_LDADD = \
@TOR_LIB_MATH@ @TOR_LIB_WS32@
endif
+if USE_NSS
+# ...
+else
+bin_PROGRAMS += src/tools/tor-gencert
src_tools_tor_gencert_SOURCES = src/tools/tor-gencert.c
src_tools_tor_gencert_LDFLAGS = @TOR_LDFLAGS_zlib@ $(TOR_LDFLAGS_CRYPTLIB)
src_tools_tor_gencert_LDADD = \
@@ -28,6 +32,7 @@ src_tools_tor_gencert_LDADD = \
$(rust_ldadd) \
@TOR_LIB_MATH@ @TOR_ZLIB_LIBS@ $(TOR_LIBS_CRYPTLIB) \
@TOR_LIB_WS32@ @TOR_LIB_IPHLPAPI@ @TOR_LIB_GDI@ @TOR_LIB_USERENV@ @CURVE25519_LIBS@
+endif
src_tools_tor_print_ed_signing_cert_SOURCES = src/tools/tor-print-ed-signing-cert.c
src_tools_tor_print_ed_signing_cert_LDFLAGS = @TOR_LDFLAGS_zlib@ @TOR_LDFLAGS_openssl@
@@ -38,7 +43,11 @@ src_tools_tor_print_ed_signing_cert_LDADD = \
@TOR_LIB_MATH@ $(TOR_LIBS_CRYPTLIB) \
@TOR_LIB_WS32@ @TOR_LIB_USERENV@
+if USE_NSS
+# ...
+else
if COVERAGE_ENABLED
+noinst_PROGRAMS += src/tools/tor-cov-gencert
src_tools_tor_cov_gencert_SOURCES = src/tools/tor-gencert.c
src_tools_tor_cov_gencert_CPPFLAGS = $(AM_CPPFLAGS) $(TEST_CPPFLAGS)
src_tools_tor_cov_gencert_CFLAGS = $(AM_CFLAGS) $(TEST_CFLAGS)
@@ -49,6 +58,7 @@ src_tools_tor_cov_gencert_LDADD = \
@TOR_LIB_MATH@ @TOR_ZLIB_LIBS@ $(TOR_LIBS_CRYPTLIB) \
@TOR_LIB_WS32@ @TOR_LIB_IPHLPAPI@ @TOR_LIB_GDI@ @CURVE25519_LIBS@
endif
+endif
if BUILD_LIBTORRUNNER
noinst_LIBRARIES += src/tools/libtorrunner.a
diff --git a/src/tools/tor-gencert.c b/src/tools/tor-gencert.c
index e0ac3dec809e44322a4b406798e25754825e4a70..a498c205b71da93e6ce481ce1243030310d76b91 100644
--- a/src/tools/tor-gencert.c
+++ b/src/tools/tor-gencert.c
@@ -17,6 +17,7 @@
#include "lib/crypt_ops/crypto_init.h"
#include "lib/crypt_ops/crypto_openssl_mgt.h"
+#ifdef ENABLE_OPENSSL
/* Some versions of OpenSSL declare X509_STORE_CTX_set_verify_cb twice in
* x509.h and x509_vfy.h. Suppress the GCC warning so we can build with
* -Wredundant-decl. */
@@ -30,6 +31,7 @@ DISABLE_GCC_WARNING(redundant-decls)
#include <openssl/err.h>
ENABLE_GCC_WARNING(redundant-decls)
+#endif
#include <errno.h>