This section describes the cryptography that the NIOS modules use, both OpenSSL library calls and custom code, with the file and function where each use occurs so that it can be located and reviewed.
Module | Anchor (file, function, line) | Cryptographic primitives and library calls |
---|---|---|
Apache | Config generator; cipher suites are configurable from the serial console. The TLS directives (SSLCipherSuite, SSLCertificateFile, SSLCertificateKeyFile, etc.) appear in the following conf files: ./products/one/server/bloxtools/bloxtools_apache/conf/httpd_simple.conf, ./products/one/server/tmpl-captive-portal-common-httpd.conf, ./products/one/server/tmpl-bloxtools-httpd.conf, ./products/one/server/tmpl-one-httpd.conf, ./products/tests/server/src/bin/harness/datasets/httpd-ibdelay.conf, ./webui/httpd.conf | OpenSSL C-functions (through mod_ssl) |
Apache | Config generator. ./products/one/server/src/bin/make_httpd_conf/db.c: set_tls_protocols sets the "enable_tlsv1", "enable_tlsv1_1" and "enable_tlsv1_2" flags in the db according to its parameter ("ALL" enables every version); set_tls_ciphers validates the "cipher_suite" parameter. Caveat: TLS 1.0 and 1.1 are deprecated (RFC 8996), so check that the shipped default leaves only enable_tlsv1_2 on, and that cipher_suite validation rejects anything outside the OpenSSL cipher-list grammar (whitespace, newlines, quotes) before the value is written into an SSLCipherSuite line. | OpenSSL C-functions |
Apache | Serial console. ./products/one/server/src/bin/serial_console/set.c: check_ssl_connection() tests the TLS connection; download_gm_certificate() downloads the Grid Master (GM) certificate; printf_certificate() prints a certificate. Caveat: TLSv1_client_method() fixes the client to TLS 1.0 only (OpenSSL deprecated the version-specific methods in favour of TLS_client_method()), and the call list contains no SSL_CTX_set_verify or SSL_get_verify_result, so confirm where the downloaded certificate is validated before it is trusted. | OpenSSL C-functions: SSL_CTX_new, SSL_new, SSL_set_bio, SSL_connect, SSL_CTX_free, BIO_free, SSL_library_init, TLSv1_client_method, BIO_new_socket, SSL_get_peer_certificate, PEM_write_bio_X509, BIO_new, BIO_read, X509_free, BIO_puts, PEM_read_bio_X509, BIO_new_fp, BIO_printf, X509_NAME_print, X509_get_pubkey, EVP_PKEY_print_public, EVP_PKEY_free, X509_signature_print |
openvpn | ./products/one/server/src/bin/clusterd/util.c: cd_start_replica_vpn and cd_start_master_vpn run /usr/sbin/openvpn with arguments including --ca /infoblox/security/keys/vpn_CaCerts.pem, --cert /infoblox/security/keys/node.crt, --key /infoblox/security/keys/node.key, --cipher AES-128-CB, --tls-cipher DHE-RSA-AES256-SHA, --auth SHA1. Caveat: DHE-RSA-AES256-SHA is a legacy CBC/SHA-1 TLS suite and --auth SHA1 selects HMAC-SHA1 for data-channel packet authentication; both should be revisited once the bundled OpenVPN version allows AEAD suites. | No OpenSSL calls in cd_start_replica_vpn or cd_start_master_vpn; all cryptography is delegated to the openvpn binary via its command line |
openvpn | ./products/one/server/src/bin/clusterd/sendmsg_handshake.c (sending side of the cluster handshake). Uses cd_derive_serial and cd_sign_msg from ./products/one/server/src/bin/clusterd/util.c: cd_derive_serial derives a serial number from a string with a SHA-1 digest and is called from cd_sendmsg_handshake_resp_req; cd_sign_msg signs a message with HMAC-SHA256 and is called from cd_sendmsg_handshake_approval, cd_sendmsg_handshake_request_tunnel, cd_sendmsg_handshake_tunnel_approved, cd_sendmsg_handshake_new_master and cd_sendmsg_handshake_restart. Uses ib_generate_authn_challenge, ib_generate_authn_response and ib_generate_authn_response_2 from ./common/server/src/lib/security/security_functions.c: ib_generate_authn_challenge generates the authentication challenge and base64-encodes it with the OpenSSL function EVP_EncodeBlock (called from cd_sendmsg_handshake_challenge); ib_generate_authn_response computes the response with an MD5 hash (NIOS < 6.3); ib_generate_authn_response_2 computes it with HMAC-SHA256 (NIOS >= 6.3); both are called from cd_sendmsg_handshake_resp_req. Caveat: the MD5 response is a legacy path for pre-6.3 peers; note which side chooses the version so the HMAC path cannot be bypassed. | SHA-1 (cd_derive_serial) and HMAC-SHA256 (cd_sign_msg) from ./products/one/server/src/bin/clusterd/util.c; base64 via EVP_EncodeBlock (ib_generate_authn_challenge), MD5 (ib_generate_authn_response) and HMAC-SHA256 (ib_generate_authn_response_2) from ./common/server/src/lib/security/security_functions.c |
openvpn | ./products/one/server/src/bin/clusterd/handshake.c (receiving side of the cluster handshake). Uses cd_derive_serial and cd_verify_msg from ./products/one/server/src/bin/clusterd/util.c: cd_derive_serial derives a serial number from a string with a SHA-1 digest and is called from cd_master_handshake_chal, cd_potential_master_handshake_chal, cd_master_handshake_resp_chal, cd_master_handshake_resp_req, cd_potential_master_handshake_resp_req and cd_replica_handshake_resp_chal; cd_verify_msg verifies a message signed with HMAC-SHA256 and is called from cd_master_handshake_approval_verify, cd_master_handshake_tunnel_request_verify, cd_master_handshake_new_master_verify, cd_potential_master_handshake_new_master, cd_replica_handshake_approval, cd_replica_handshake_tunnel_approved and cd_replica_handshake_restart. Uses ib_generate_authn_challenge, ib_generate_authn_response and ib_generate_authn_response_2 from ./common/server/src/lib/security/security_functions.c: ib_generate_authn_challenge generates the authentication challenge and base64-encodes it with the OpenSSL function EVP_EncodeBlock (called from cd_master_handshake_chal and cd_potential_master_handshake_chal); ib_generate_authn_response computes the response with an MD5 hash (NIOS < 6.3); ib_generate_authn_response_2 computes it with HMAC-SHA256 (NIOS >= 6.3); both are called from cd_master_handshake_chal, cd_potential_master_handshake_chal, cd_master_handshake_resp_chal, cd_master_handshake_resp_req, cd_potential_master_handshake_resp_req and cd_replica_handshake_resp_chal. Caveat: check that cd_verify_msg compares the HMAC tag in constant time (CRYPTO_memcmp rather than memcmp). | SHA-1 (cd_derive_serial) and HMAC-SHA256 (cd_verify_msg) from ./products/one/server/src/bin/clusterd/util.c; base64 via EVP_EncodeBlock (ib_generate_authn_challenge), MD5 (ib_generate_authn_response) and HMAC-SHA256 (ib_generate_authn_response_2) from ./common/server/src/lib/security/security_functions.c |
ssh | Config generator. ./products/one/server/src/bin/util/check_sshd_conf.sh generates the sshd host keys. Caveat: no -b is given, so the RSA key length is whatever ssh-keygen defaults to on the bundled OpenSSH version; DSA host keys are fixed at 1024 bits and ssh-dss has been disabled by default in OpenSSH clients since 7.0, so the DSA key adds nothing and should be dropped. | `ssh-keygen -t rsa -f $SSHD_HOST_RSA_KEY -N "" >/dev/null` and `ssh-keygen -t dsa -f $SSHD_HOST_DSA_KEY -N "" >/dev/null` |
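The make_httpd_conf rows describe set_tls_protocols and set_tls_ciphers only by their effect on the db. The following is an added example, not NIOS code, modelling that flow end to end: protocol flags from a parameter, cipher_suite validation against the OpenSSL cipher-list grammar, and the resulting mod_ssl directives. Assumptions not stated on the page: the db is a plain dict, set_tls_protocols takes a comma-separated list of TLSv1, TLSv1_1, TLSv1_2 or ALL, and SSLv3 is always disabled in the rendered output (an editorial hardening choice).

```python
"""Model of make_httpd_conf protocol/cipher handling (added example, not NIOS code)."""
import re

# db flag set by each protocol token (names taken from the db.c description)
PROTOCOL_FLAGS = {
    "TLSV1": "enable_tlsv1",
    "TLSV1_1": "enable_tlsv1_1",
    "TLSV1_2": "enable_tlsv1_2",
}

# OpenSSL cipher-list grammar: cipher/alias names joined by ':', optional
# '!', '-', '+' prefixes and '@STRENGTH' / '@SECLEVEL=n' annotations. Anything
# else (whitespace, newlines, quotes) is rejected so a cipher_suite value can
# never smuggle a second httpd directive into the generated conf file.
_CIPHER_LIST_RE = re.compile(r"^[A-Za-z0-9_\-+!:@=]+$")


def set_tls_protocols(db: dict, param: str) -> dict:
    """Set enable_tlsv1 / enable_tlsv1_1 / enable_tlsv1_2 from a token list; ALL enables all."""
    wanted = {t.strip().upper() for t in param.split(",") if t.strip()}
    unknown = wanted - set(PROTOCOL_FLAGS) - {"ALL"}
    if unknown or not wanted:
        raise ValueError(f"unsupported protocol token(s) in {param!r}")
    if "ALL" in wanted:
        wanted = set(PROTOCOL_FLAGS)
    for token, flag in PROTOCOL_FLAGS.items():
        db[flag] = token in wanted
    return db


def is_valid_cipher_suite(cipher_suite: str) -> bool:
    """True if the string stays inside the OpenSSL cipher-list grammar."""
    return bool(_CIPHER_LIST_RE.match(cipher_suite))


def set_tls_ciphers(db: dict, cipher_suite: str) -> dict:
    """Validate the cipher_suite parameter before storing it (models set_tls_ciphers)."""
    if not is_valid_cipher_suite(cipher_suite):
        raise ValueError("cipher_suite contains characters outside the cipher-list grammar")
    db["cipher_suite"] = cipher_suite
    return db


def render_ssl_directives(db: dict) -> str:
    """Emit the mod_ssl lines an httpd conf template would carry for these db flags."""
    protocols = ["all", "-SSLv3"]  # SSLv3 never enabled: editorial hardening, not a db flag
    if not db.get("enable_tlsv1"):
        protocols.append("-TLSv1")
    if not db.get("enable_tlsv1_1"):
        protocols.append("-TLSv1.1")
    if not db.get("enable_tlsv1_2"):
        protocols.append("-TLSv1.2")
    return "\n".join([
        "SSLProtocol " + " ".join(protocols),
        "SSLCipherSuite " + db["cipher_suite"],
        "SSLHonorCipherOrder on",
    ]) + "\n"


if __name__ == "__main__":
    # weak: every version on, OpenSSL DEFAULT list
    weak = set_tls_ciphers(set_tls_protocols({}, "ALL"), "DEFAULT")
    # hardened: TLS 1.2 only, AEAD suites, anonymous and MD5 suites excluded
    hardened = set_tls_ciphers(
        set_tls_protocols({}, "TLSv1_2"),
        "ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:!aNULL:!MD5",
    )
    print(render_ssl_directives(weak))
    print(render_ssl_directives(hardened))
    try:
        # constructed injection attempt: a newline followed by a second directive
        set_tls_ciphers({}, "HIGH\nSSLVerifyClient none")
    except ValueError as err:
        print("rejected:", err)
```

Running the module prints the weak and the hardened directive sets side by side and shows the newline-bearing cipher_suite value being rejected before it can reach a conf file.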
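The two clusterd rows (sendmsg_handshake.c and handshake.c) list the primitives of the master/replica handshake without showing how they fit together. The following is an added example, not NIOS code, modelling both sides of that exchange with the same primitives: SHA-1 serial derivation, a base64 challenge, the MD5 response used for NIOS < 6.3 beside the HMAC-SHA256 response used for >= 6.3, and HMAC-SHA256 message signing with a constant-time verify. Assumptions not stated on the page: the serial is the hex SHA-1 digest, the legacy MD5 response hashes challenge||secret, responses and message tags are keyed with a pre-shared grid secret, and the tag is appended to the message as 32 raw bytes.

```python
"""Model of the clusterd handshake primitives (added example, not NIOS code)."""
import base64
import hashlib
import hmac
import os
from typing import Optional


def derive_serial(text: str) -> str:
    """cd_derive_serial model: SHA-1 digest of a string, hex-encoded (encoding is an assumption)."""
    return hashlib.sha1(text.encode()).hexdigest()


def generate_authn_challenge(nonce: Optional[bytes] = None) -> str:
    """ib_generate_authn_challenge model: random bytes, base64-encoded (EVP_EncodeBlock on the page)."""
    return base64.b64encode(nonce if nonce is not None else os.urandom(32)).decode()


def authn_response_v1(challenge: str, secret: bytes) -> str:
    """ib_generate_authn_response model (NIOS < 6.3): unkeyed MD5 over challenge||secret (layout assumed)."""
    return hashlib.md5(challenge.encode() + secret).hexdigest()


def authn_response_v2(challenge: str, secret: bytes) -> str:
    """ib_generate_authn_response_2 model (NIOS >= 6.3): HMAC-SHA256 keyed with the shared secret."""
    return hmac.new(secret, challenge.encode(), hashlib.sha256).hexdigest()


def sign_msg(msg: bytes, key: bytes) -> bytes:
    """cd_sign_msg model: append a 32-byte HMAC-SHA256 tag to the message."""
    return msg + hmac.new(key, msg, hashlib.sha256).digest()


def verify_msg(signed: bytes, key: bytes) -> Optional[bytes]:
    """cd_verify_msg model: constant-time tag check; returns the payload, or None on failure."""
    if len(signed) < 32:
        return None
    msg, tag = signed[:-32], signed[-32:]
    if not hmac.compare_digest(hmac.new(key, msg, hashlib.sha256).digest(), tag):
        return None
    return msg


def run_handshake(secret: bytes, version: tuple, nonce: Optional[bytes] = None,
                  tamper: bool = False) -> dict:
    """Master/replica exchange: challenge -> response -> verify -> signed approval."""
    respond = authn_response_v2 if version >= (6, 3) else authn_response_v1
    # master -> replica: challenge (cd_sendmsg_handshake_challenge / cd_master_handshake_chal)
    challenge = generate_authn_challenge(nonce)
    # replica -> master: response plus a serial derived from a constructed node name
    response = respond(challenge, secret)
    serial = derive_serial("replica-node-1")
    if tamper:  # on-path attacker flips the last hex digit of the response
        response = response[:-1] + ("0" if response[-1] != "0" else "1")
    # master: recompute the expected response and compare in constant time
    ok = hmac.compare_digest(respond(challenge, secret), response)
    # master -> replica: signed approval (cd_sendmsg_handshake_approval), only if the response matched
    approval = sign_msg(b"APPROVED " + serial.encode(), secret) if ok else b""
    # replica: verify the approval tag (cd_replica_handshake_approval)
    accepted = (verify_msg(approval, secret) is not None) if ok else False
    return {"challenge": challenge, "serial": serial, "ok": ok, "accepted": accepted}


if __name__ == "__main__":
    grid_secret = b"constructed-grid-secret"
    print("6.3+ :", run_handshake(grid_secret, (6, 3)))
    print("pre-6.3:", run_handshake(grid_secret, (6, 2)))
    print("tampered:", run_handshake(grid_secret, (6, 3), tamper=True))
```

The version tuple decides which response function both sides use; in a review the question from the table's caveat is which peer controls that choice. verify_msg deliberately returns None rather than raising so a caller cannot confuse a failed tag check with a parse error, and every comparison goes through hmac.compare_digest.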