[Nut-upsdev] porting nut to use nss for crypto (was: Re: /sbin/upsdrvctl unable to shutdown UPS due to (unmounted) shared library)
mhlavink at redhat.com
Tue Sep 1 06:14:23 UTC 2009
On Friday 28 August 2009 03:29:32 Charles Lepple wrote:
> On Aug 27, 2009, at 10:22 AM, Michal Hlavinka wrote:
> >> [...]
> >>>> ./usbhid-ups
> >>>> libusb-0.1.so.4 => /usr/lib64/libusb-0.1.so.4 (0x00000036fe600000)
> >>>> libssl.so.8 => /usr/lib64/libssl.so.8 (0x0000003d07000000)
> >>>> libcrypto.so.8 => /usr/lib64/libcrypto.so.8 (0x000000379c400000)
> >>>> libgssapi_krb5.so.2 => /usr/lib64/libgssapi_krb5.so.2 (0x0000003d06c00000)
> >>>> libkrb5.so.3 => /usr/lib64/libkrb5.so.3 (0x0000003d06800000)
> >>>> libk5crypto.so.3 => /usr/lib64/libk5crypto.so.3 (0x00000036f6200000)
> >>>> libkrb5support.so.0 => /usr/lib64/libkrb5support.so.0 (0x00000036f5200000)
> >>> We could do better here. IIRC, the only reason why we link usbhid-ups
> >>> against OpenSSL is for calculating the hash of a HID descriptor, and that
> >>> mode does not seem to be used by default (and would never be used at
> >>> shutdown). That hash calculation could be moved into a file in NUT's
> >>> common directory.
> >> Michal,
> >> The code that required OpenSSL has been removed from the SVN trunk.
> >> I have not tested this particular patch against 2.4.1, but it should
> >> apply without much effort:
> >> http://boxster.ghz.cc/projects/nut/changeset/1947
> > Hi Charles,
> > this is awesome! Now only libusb makes some trouble, but I think it should be
> > in /lib, so I've started negotiating about this with libusb maintainer for
> > rhel and fedora.
> Sounds good.
> > Does this mean openssl was removed completely or only from usbhid-ups?
> None of the other drivers use OpenSSL (last I checked), so things
> should work at shutdown time (since the drivers are invoked directly).
> upsd and upsc can optionally communicate over SSL, but /usr should be
> available while upsd is running.
This brings me to my second "problem":
We would like to use nss for cryptography instead of OpenSSL. The reason for
this is mostly FIPS 140 validation.
Also, OpenSuSE prefers to use nss for cryptography for the same reason (
Would it be possible to use nss instead of openssl? #ifdef blocks would be
enough. I can prepare patches. What's your opinion?
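
Added example, not part of the original thread or of NUT: a shell check for the shutdown problem quoted above, listing the dependencies in `ldd` output that resolve under /usr and so vanish once /usr is unmounted. The function names and the libc sample line are assumptions made for illustration.

```shell
# Added example: find shared-library dependencies that resolve under /usr,
# i.e. the ones a driver can no longer load once /usr is unmounted.

# Reads `ldd` output on stdin; prints "soname path" for each /usr dependency.
libs_under_usr() {
    awk '$2 == "=>" && $3 ~ /^\/usr\// { print $1, $3 }'
}

# Sample input: the first three entries are taken from the listing quoted in
# the thread; the libc line is constructed to show a dependency outside /usr.
sample_ldd() {
    cat <<'EOF'
	libusb-0.1.so.4 => /usr/lib64/libusb-0.1.so.4 (0x00000036fe600000)
	libssl.so.8 => /usr/lib64/libssl.so.8 (0x0000003d07000000)
	libcrypto.so.8 => /usr/lib64/libcrypto.so.8 (0x000000379c400000)
	libc.so.6 => /lib64/libc.so.6 (0x0000000000000000)
EOF
}

# Reads `ldd` output on stdin. Returns 0 when nothing resolves under /usr;
# otherwise prints the offending libraries and returns 1.
check_shutdown_safe() {
    found=$(libs_under_usr)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}
```

Against a real binary, pipe the output of `ldd` on the driver into `check_shutdown_safe`; a non-zero status means the driver depends on something that is gone after /usr is unmounted.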