From 8232c1005e56393422b0b1e6018e308ebc4fb4c1 Mon Sep 17 00:00:00 2001

From: Jakub Hrozek <jhrozek@redhat.com>

Date: Thu, 11 Apr 2019 22:39:03 +0200

Subject: [PATCH] DOWNSTREAM: Use OpenSSL for the obfuscation code

---

 Makefile.am                         | 6 ++++++

 configure.ac                        | 7 +++++++

 src/util/crypto/nss/nss_obfuscate.c | 5 +++++

 3 files changed, 18 insertions(+)

diff --git a/Makefile.am b/Makefile.am

index 0c24ae664..8b1f4f144 100644

--- a/Makefile.am

+++ b/Makefile.am

@@ -954,6 +954,12 @@ else

         $(NULL)

 endif

+if OBF_WITH_LIBCRYPTO

+SSS_CRYPT_SOURCES += src/util/crypto/libcrypto/crypto_obfuscate.c

+SSS_CRYPT_CFLAGS += $(CRYPTO_CFLAGS)

+SSS_CRYPT_LIBS += $(CRYPTO_LIBS)

+endif

+

 libsss_crypt_la_SOURCES = \

     $(SSS_CRYPT_SOURCES)

 libsss_crypt_la_CFLAGS = \

diff --git a/configure.ac b/configure.ac

index 9df463d9c..c3b349af4 100644

--- a/configure.ac

+++ b/configure.ac

@@ -391,6 +391,13 @@ if test x$cryptolib = xnss; then

     AM_CHECK_NSS

 fi

+dnl RHEL-specific: We always check for libcrypto because the obfuscation

+dnl feature is only implemented with OpenSSL as the NSS version doesn't

+dnl run in FIPS mode

+AM_CHECK_LIBCRYPTO

+AM_CONDITIONAL([OBF_WITH_LIBCRYPTO], [test x == x])

+AC_DEFINE_UNQUOTED(OBF_WITH_LIBCRYPTO, 1, [Build the obfuscation feature with libcrypt crypto back end])

+

 if test x$cryptolib = xlibcrypto; then

     AM_CHECK_LIBCRYPTO

     m4_include([src/external/p11-kit.m4])

diff --git a/src/util/crypto/nss/nss_obfuscate.c b/src/util/crypto/nss/nss_obfuscate.c

index df9c41b3a..bf2a5f418 100644

--- a/src/util/crypto/nss/nss_obfuscate.c

+++ b/src/util/crypto/nss/nss_obfuscate.c

@@ -31,6 +31,9 @@

  */

 #include "config.h"

+

+#ifndef OBF_WITH_LIBCRYPTO

+

 #include <prerror.h>

 #include <pk11func.h>

@@ -326,3 +329,5 @@ done:

     talloc_free(tmp_ctx);

     return ret;

 }

+

+#endif /* OBF_WITH_LIBCRYPTO */

-- 

2.19.2