Version 1 (old version of this page)

This section describes the cryptography that the NIOS modules use, both OpenSSL calls and custom code, listed per module and source file.

Each entry below has four fields, matching the columns of the original table: Name (the module), Anchor (line number, file name, etc.), Cryptography items description, and OpenSSL C-functions.

Name: Apache

Anchor (file names):

    ./products/one/server/bloxtools/bloxtools_apache/conf/httpd_simple.conf
    ./products/one/server/tmpl-captive-portal-common-httpd.conf
    ./products/one/server/tmpl-bloxtools-httpd.conf
    ./products/one/server/tmpl-one-httpd.conf
    ./products/tests/server/src/bin/harness/datasets/httpd-ibdelay.conf
    ./webui/httpd.conf

Cryptography items description: A config maker; cipher suites are configurable via the serial console. The SSL options (SSLCipherSuite, SSLCertificateFile, SSLCertificateKeyFile, etc.) are set in the conf files listed above.

OpenSSL C-functions: none (configuration only)

Name: Apache

Anchor: ./products/one/server/src/bin/make_httpd_conf/db.c

Cryptography items description: A config maker; cipher suites are configurable via the serial console.

    set_tls_protocols: enables the db flags "enable_tlsv1", "enable_tlsv1_1", "enable_tlsv1_2" and "ALL" according to its parameter.
    set_tls_ciphers: validates the "cipher_suite" parameter.

OpenSSL C-functions: none (configuration only)
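The two Apache config-maker entries above (the conf files that carry SSLCipherSuite, SSLCertificateFile and SSLCertificateKeyFile, and the set_tls_protocols / set_tls_ciphers parameters in db.c) are easier to reason about with a small runnable model. The following is an added example and not Infoblox code: it turns the db flags into an explicit Apache SSLProtocol directive and validates a cipher_suite string with OpenSSL's own cipher-string parser (reached through Python's ssl module; httpd hands SSLCipherSuite to the same parser). The flag dictionary layout, the accepted parameter forms, the certificate paths and the exact directive set emitted are assumptions made for the example; the db flag names and directive names are the ones the page lists.

```python
"""Added example (not Infoblox code): a minimal model of a make_httpd_conf-style
config maker for the two db parameters this page names. The flag layout, the
accepted parameter forms, the certificate paths and the emitted directive set are
assumptions; the flag names and the directive names (SSLCipherSuite,
SSLCertificateFile, SSLCertificateKeyFile) are the ones the page lists."""
import ssl

# db flag -> Apache SSLProtocol token (flag names taken from the page)
TLS_FLAGS = {
    "enable_tlsv1": "TLSv1",
    "enable_tlsv1_1": "TLSv1.1",
    "enable_tlsv1_2": "TLSv1.2",
}


def set_tls_protocols(param):
    """Return the db flags set_tls_protocols would enable.

    param is "ALL" or an iterable of protocol names such as {"TLSv1.2"}
    (assumed parameter forms). "ALL" is set only when every version is on."""
    if param == "ALL":
        flags = {flag: True for flag in TLS_FLAGS}
        flags["ALL"] = True
        return flags
    wanted = set(param)
    unknown = wanted - set(TLS_FLAGS.values())
    if unknown:
        raise ValueError("unknown TLS version(s): %s" % ", ".join(sorted(unknown)))
    flags = {flag: ver in wanted for flag, ver in TLS_FLAGS.items()}
    flags["ALL"] = all(flags[flag] for flag in TLS_FLAGS)
    return flags


def render_ssl_protocol(flags):
    """Translate the db flags into an explicit SSLProtocol directive.
    Listing versions avoids 'all', whose meaning depends on the httpd/OpenSSL
    build (older builds include SSLv3 in 'all')."""
    enabled = [ver for flag, ver in TLS_FLAGS.items() if flags.get(flag)]
    if not enabled:
        raise ValueError("no TLS version enabled; httpd would accept no connection")
    return "SSLProtocol " + " ".join(enabled)


def set_tls_ciphers(cipher_suite):
    """Validate cipher_suite with OpenSSL's cipher-string parser and return the
    cipher names it expands to. A string rejected here is rejected by httpd too."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_suite)
    except ssl.SSLError as exc:
        raise ValueError("invalid cipher_suite %r: %s" % (cipher_suite, exc)) from exc
    return [c["name"] for c in ctx.get_ciphers()]


def non_aead_ciphers(cipher_suite):
    """Names in the expansion that are not AEAD (CBC + HMAC suites), as a
    policy check to run on a cipher_suite value before it is stored."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(cipher_suite)
    return [c["name"] for c in ctx.get_ciphers() if not c["aead"]]


def render_ssl_fragment(flags, cipher_suite,
                        cert="/path/to/server.crt", key="/path/to/server.key"):
    """httpd.conf fragment of the kind the listed templates carry
    (certificate paths are placeholders)."""
    set_tls_ciphers(cipher_suite)  # reject a bad string before writing the file
    return "\n".join([
        "SSLEngine on",
        render_ssl_protocol(flags),
        "SSLCipherSuite " + cipher_suite,
        "SSLHonorCipherOrder on",
        "SSLCertificateFile " + cert,
        "SSLCertificateKeyFile " + key,
    ])


if __name__ == "__main__":
    print("# permissive: every TLS version the db knows, every non-anonymous cipher")
    print(render_ssl_fragment(set_tls_protocols("ALL"), "ALL:!aNULL"))
    print()
    print("# restricted: TLS 1.2 only, forward-secret AEAD suites")
    print(render_ssl_fragment(set_tls_protocols({"TLSv1.2"}), "ECDHE+AESGCM"))
```

Running the module prints the permissive fragment (all three TLS versions, ALL:!aNULL) beside the restricted one (TLSv1.2 only, ECDHE+AESGCM); non_aead_ciphers returns an empty list for the second cipher string and a list of CBC suites for the first, which is the check a config maker can apply before accepting a cipher_suite value from the serial console.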


Name: Apache

Anchor: ./products/one/server/src/bin/serial_console/set.c

Cryptography items description: A config maker; cipher suites are configurable via the serial console.

    check_ssl_connection(): checks the SSL connection.
    download_gm_certificate: downloads the certificate from the GM (Grid Master).
    printf_certificate(): prints a certificate.

OpenSSL C-functions:

    SSL_CTX_new, SSL_new, SSL_set_bio, SSL_connect, SSL_CTX_free, BIO_free, SSL_library_init, TLSv1_client_method, BIO_new_socket, SSL_get_peer_certificate
    PEM_write_bio_X509, BIO_new, BIO_read, X509_free, SSL_CTX_free
    BIO_puts, PEM_read_bio_X509, BIO_new_fp, BIO_printf, X509_NAME_print, X509_get_pubkey, EVP_PKEY_print_public, EVP_PKEY_free, X509_signature_print, X509_free

    Note: TLSv1_client_method creates a context that negotiates TLS 1.0 only; the version-flexible method is SSLv23_client_method in OpenSSL 1.0.x and TLS_client_method from 1.1.0 on. SSL_get_peer_certificate only returns the peer's certificate; whether the chain verified is reported separately by SSL_get_verify_result.

Name: openvpn

Anchor: ./products/one/server/src/bin/clusterd/util.c

Cryptography items description: The functions cd_start_replica_vpn and cd_start_master_vpn run the command /usr/sbin/openvpn with arguments including:

    --ca /infoblox/security/keys/vpn_CaCerts.pem
    --cert /infoblox/security/keys/node.crt
    --key /infoblox/security/keys/node.key
    --cipher AES-128-CB
    --tls-cipher DHE-RSA-AES256-SHA
    --auth SHA1

    The cryptography is thus delegated to the openvpn binary: --cipher selects the data-channel cipher, --tls-cipher restricts the TLS control channel to the single suite DHE-RSA-AES256-SHA (AES-256-CBC with a SHA-1 MAC), and --auth SHA1 selects HMAC-SHA1 for data-channel packet authentication.

OpenSSL C-functions: none in cd_start_replica_vpn or cd_start_master_vpn.
Name: openvpn

Anchor: ./products/one/server/src/bin/clusterd/sendmsg_handshake.c

Cryptography items description:

    This module uses cd_derive_serial and cd_sign_msg from ./products/one/server/src/bin/clusterd/util.c:

    cd_derive_serial derives a serial number from a string with the SHA1 digest algorithm; used in cd_sendmsg_handshake_resp_req.
    cd_sign_msg signs a message with HMAC-SHA256; used in cd_sendmsg_handshake_approval, cd_sendmsg_handshake_request_tunnel, cd_sendmsg_handshake_tunnel_approved, cd_sendmsg_handshake_new_master and cd_sendmsg_handshake_restart.

    This module uses ib_generate_authn_challenge, ib_generate_authn_response and ib_generate_authn_response_2 from ./common/server/src/lib/security/security_functions.c:

    ib_generate_authn_challenge generates the authentication challenge and base64-encodes it with the OpenSSL function EVP_EncodeBlock; used in cd_sendmsg_handshake_challenge.
    ib_generate_authn_response generates the authentication response by computing an MD5 hash; used for NIOS versions earlier than 6.3.
    ib_generate_authn_response_2 generates the authentication response with HMAC-SHA256; used for NIOS 6.3 and later.
    Both response functions are used in cd_sendmsg_handshake_resp_req; the NIOS version decides which one.

OpenSSL C-functions: EVP_EncodeBlock (called from ib_generate_authn_challenge); otherwise via the helpers cd_derive_serial and cd_sign_msg from ./products/one/server/src/bin/clusterd/util.c and ib_generate_authn_challenge, ib_generate_authn_response, ib_generate_authn_response_2 from ./common/server/src/lib/security/security_functions.c.

Name: openvpn

Anchor: ./products/one/server/src/bin/clusterd/handshake.c

Cryptography items description:

    This module uses cd_derive_serial and cd_verify_msg from ./products/one/server/src/bin/clusterd/util.c:

    cd_derive_serial derives a serial number from a string with the SHA1 digest algorithm; used in cd_master_handshake_chal, cd_potential_master_handshake_chal, cd_master_handshake_resp_chal, cd_master_handshake_resp_req, cd_potential_master_handshake_resp_req and cd_replica_handshake_resp_chal.
    cd_verify_msg verifies a message signed with HMAC-SHA256; used in cd_master_handshake_approval_verify, cd_master_handshake_tunnel_request_verify, cd_master_handshake_new_master_verify, cd_potential_master_handshake_new_master, cd_replica_handshake_approval, cd_replica_handshake_tunnel_approved and cd_replica_handshake_restart.

    This module uses ib_generate_authn_challenge, ib_generate_authn_response and ib_generate_authn_response_2 from ./common/server/src/lib/security/security_functions.c:

    ib_generate_authn_challenge generates the authentication challenge and base64-encodes it with the OpenSSL function EVP_EncodeBlock; used in cd_master_handshake_chal and cd_potential_master_handshake_chal.
    ib_generate_authn_response generates the authentication response by computing an MD5 hash; used for NIOS versions earlier than 6.3.
    ib_generate_authn_response_2 generates the authentication response with HMAC-SHA256; used for NIOS 6.3 and later.
    Both response functions are used in cd_master_handshake_chal, cd_potential_master_handshake_chal, cd_master_handshake_resp_chal, cd_master_handshake_resp_req, cd_potential_master_handshake_resp_req and cd_replica_handshake_resp_chal; the NIOS version decides which one.

OpenSSL C-functions: EVP_EncodeBlock (called from ib_generate_authn_challenge); otherwise via the helpers cd_derive_serial and cd_verify_msg from ./products/one/server/src/bin/clusterd/util.c and ib_generate_authn_challenge, ib_generate_authn_response, ib_generate_authn_response_2 from ./common/server/src/lib/security/security_functions.c.
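The challenge/response and message-signing helpers named in the sendmsg_handshake.c and handshake.c entries above are shown here as one added example that models both sides of the clusterd exchange (master and replica). This is not Infoblox code. Only the algorithm choices come from the page: SHA1 for cd_derive_serial, base64 for the challenge (EVP_EncodeBlock in C), MD5 for the pre-6.3 response and HMAC-SHA256 for the 6.3+ response, HMAC-SHA256 for cd_sign_msg / cd_verify_msg. The message layouts, what exactly each hash is computed over, the serial width, the shared-secret handling and the version tuple are assumptions made for the example.

```python
"""Added example, not Infoblox code: a runnable model of the clusterd handshake
helpers listed on this page, with a master and a replica exchanging messages.
From the page: SHA1 serial, base64 challenge, MD5 (< 6.3) vs HMAC-SHA256 (>= 6.3)
response, HMAC-SHA256 message signature. Assumed for the example: message
layout, hash inputs, serial width, shared-secret handling, version tuple."""
import base64
import hashlib
import hmac
import os


def cd_derive_serial(name: str) -> int:
    """Serial number derived from a string via SHA1 (32-bit truncation assumed)."""
    return int.from_bytes(hashlib.sha1(name.encode()).digest()[:4], "big")


def ib_generate_authn_challenge(nbytes: int = 32) -> bytes:
    """Random challenge, base64-encoded (the EVP_EncodeBlock step in C)."""
    return base64.b64encode(os.urandom(nbytes))


def ib_generate_authn_response(secret: bytes, challenge: bytes) -> bytes:
    """Legacy (< 6.3) response: plain MD5. The secret||challenge input is assumed."""
    return hashlib.md5(secret + challenge).hexdigest().encode()


def ib_generate_authn_response_2(secret: bytes, challenge: bytes) -> bytes:
    """6.3+ response: HMAC-SHA256 keyed with the shared secret."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest().encode()


def cd_sign_msg(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA256 tag over a handshake message."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def cd_verify_msg(key: bytes, msg: bytes, tag: bytes) -> bool:
    """Constant-time check; a plain == would leak the tag byte by byte."""
    return hmac.compare_digest(cd_sign_msg(key, msg), tag)


def response_fn(version: tuple):
    """The version gate the page describes: MD5 below 6.3, HMAC-SHA256 from 6.3."""
    return ib_generate_authn_response_2 if version >= (6, 3) else ib_generate_authn_response


def run_handshake(version, master_secret, replica_secret, tamper=False) -> dict:
    """Master challenges, replica answers, master approves with a signed message,
    replica verifies the approval. Returns what each side concluded."""
    resp = response_fn(version)
    # master -> replica: challenge (cd_sendmsg_handshake_challenge / cd_master_handshake_chal)
    challenge = ib_generate_authn_challenge()
    # replica -> master: response (cd_sendmsg_handshake_resp_req)
    response = resp(replica_secret, challenge)
    # master recomputes with its own copy of the secret (cd_master_handshake_resp_req)
    authenticated = hmac.compare_digest(resp(master_secret, challenge), response)
    if not authenticated:
        return {"authenticated": False, "approval_verified": False}
    # master -> replica: signed approval (cd_sendmsg_handshake_approval)
    approval = b"APPROVE serial=%d" % cd_derive_serial("replica-node")
    tag = cd_sign_msg(master_secret, approval)
    if tamper:  # an on-path change to the message body must fail verification
        approval = approval.replace(b"APPROVE", b"RESTART")
    # replica verifies (cd_replica_handshake_approval)
    verified = cd_verify_msg(replica_secret, approval, tag)
    return {"authenticated": True, "approval_verified": verified}


if __name__ == "__main__":
    print("6.3+, matching secrets:", run_handshake((6, 3), b"shared", b"shared"))
    print("pre-6.3, matching secrets:", run_handshake((6, 2), b"shared", b"shared"))
    print("wrong replica secret:", run_handshake((6, 3), b"shared", b"other"))
    print("tampered approval:", run_handshake((6, 3), b"shared", b"shared", tamper=True))
```

The two response functions differ in kind, not just in digest: the 6.3+ path is a keyed MAC, while the legacy path is a plain hash over whatever inputs the caller concatenates, which is why a version check selects between them rather than both being accepted.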

Name: ssh

Anchor: ./products/one/server/src/bin/util/check_sshd_conf.sh

Cryptography items description: A config maker. It generates the sshd host keys with an empty passphrase (-N ""), as host keys must be loadable without interaction:

    ssh-keygen -t rsa -f $SSHD_HOST_RSA_KEY -N "" >/dev/null
    ssh-keygen -t dsa -f $SSHD_HOST_DSA_KEY -N "" >/dev/null

    Note: -t dsa produces a 1024-bit key (the only DSA size ssh-keygen allows), and OpenSSH clients from 7.0 onwards refuse ssh-dss host keys by default. Without -b, the RSA key gets the default size of the OpenSSH release shipped, so the key size is set by that release rather than by this script.

OpenSSL C-functions: none (ssh-keygen is invoked from the shell).
