[Nut-upsdev] porting nut to use nss for crypto (was: Re: /sbin/upsdrvctl unable to shutdown UPS due to (unmounted) shared library)

Michal Hlavinka mhlavink at redhat.com
Tue Sep 1 06:14:23 UTC 2009 

On Friday 28 August 2009 03:29:32 Charles Lepple wrote:
> On Aug 27, 2009, at 10:22 AM, Michal Hlavinka wrote:
> >> [...]
> >>
> >>>> ./usbhid-ups
> >>>>      libusb-0.1.so.4 => /usr/lib64/libusb-0.1.so.4
> >>>> (0x00000036fe600000)
> >>>>      libssl.so.8 => /usr/lib64/libssl.so.8 (0x0000003d07000000)
> >>>>      libcrypto.so.8 => /usr/lib64/libcrypto.so.8
> >>>> (0x000000379c400000)
> >>>>      libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2
> >>>> (0x0000003d06c00000)
> >>>>      libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x0000003d06800000)
> >>>>      libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3
> >>>> (0x00000036f6200000) libkrb5support.so.0 =>
> >>>> /usr/lib64/libkrb5support.so.0
> >>>> (0x00000036f5200000)
> >>>
> >>> We could do better here. IIRC, the only reason why we link usbhid-
> >>> ups
> >>> against OpenSSL is for calculating the hash of a HID descriptor,
> >>> and that
> >>> mode does not seem to be used by default (and would never be used at
> >>> shutdown). That hash calculation could be moved into a file in NUT's
> >>> common directory.
> >>
> >> Michal,
> >>
> >> The code that required OpenSSL has been removed from the SVN trunk.
> >>
> >> I have not tested this particular patch against 2.4.1, but it should
> >> apply without much effort:
> >>
> >> http://boxster.ghz.cc/projects/nut/changeset/1947
> >
> > Hi Charles,
> >
> > this is awesome! Now only libusb makes some trouble, but I think it
> > should be
> > in /lib, so I've started negotiating about this with libusb
> > maintainer for
> > rhel and fedora.
>
> Sounds good.
>
> > Does this means openssl was removed completely or only from usbhid-
> > ups?
>
> None of the other drivers use OpenSSL (last I checked), so things
> should work at shutdown time (since the drivers are invoked directly).
>
> upsd and upsc can optionally communicate over SSL, but /usr should be
> available while upsd is running.

this brings me to my second "problem":

We would like to use nss for cryptography instead of OpenSSL. Reason for this 
is mostly for FIPS 140 validation.

See:
http://fedoraproject.org/wiki/FedoraCryptoConsolidation
http://fedoraproject.org/wiki/CryptoConsolidationEval
http://fedoraproject.org/wiki/CryptoConsolidationScorecard

also OpenSuSE prefers to use the nss for cryptography for the same reason ( 
http://en.opensuse.org/SharedCertStore )

Would it be possible to use nss instead of openssl? #ifdef blocks would be 
enough. I can prepare patches. What's your opinion?

Michal

More information about the Nut-upsdev mailing list