From 8232c1005e56393422b0b1e6018e308ebc4fb4c1 Mon Sep 17 00:00:00 2001
From: Jakub Hrozek
Date: Thu, 11 Apr 2019 22:39:03 +0200
Subject: [PATCH] DOWNSTREAM: Use OpenSSL for the obfuscation code
---
Makefile.am | 6 ++++++
configure.ac | 7 +++++++
src/util/crypto/nss/nss_obfuscate.c | 5 +++++
3 files changed, 18 insertions(+)
diff --git a/Makefile.am b/Makefile.am
index 0c24ae664..8b1f4f144 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -954,6 +954,12 @@ else $(NULL) endif
+if OBF_WITH_LIBCRYPTO
+SSS_CRYPT_SOURCES += src/util/crypto/libcrypto/crypto_obfuscate.c
+SSS_CRYPT_CFLAGS += $(CRYPTO_CFLAGS)
+SSS_CRYPT_LIBS += $(CRYPTO_LIBS)
+endif
+
libsss_crypt_la_SOURCES = \ $(SSS_CRYPT_SOURCES) libsss_crypt_la_CFLAGS = \
diff --git a/configure.ac b/configure.ac
index 9df463d9c..c3b349af4 100644
--- a/configure.ac
+++ b/configure.ac
@@ -391,6 +391,13 @@ if test x$cryptolib = xnss; then AM_CHECK_NSS fi
+dnl RHEL-specific: We always check for libcrypto because the obfuscation
+dnl feature is only implemented with OpenSSL as the NSS version doesn't
+dnl run in FIPS mode
+AM_CHECK_LIBCRYPTO
+AM_CONDITIONAL([OBF_WITH_LIBCRYPTO], [test x == x])
+AC_DEFINE_UNQUOTED(OBF_WITH_LIBCRYPTO, 1, [Build the obfuscation feature with libcrypt crypto back end])
+
if test x$cryptolib = xlibcrypto; then AM_CHECK_LIBCRYPTO m4_include([src/external/p11-kit.m4])
diff --git a/src/util/crypto/nss/nss_obfuscate.c b/src/util/crypto/nss/nss_obfuscate.c
index df9c41b3a..bf2a5f418 100644
--- a/src/util/crypto/nss/nss_obfuscate.c
+++ b/src/util/crypto/nss/nss_obfuscate.c
@@ -31,6 +31,9 @@ */ #include "config.h"
+
+#ifndef OBF_WITH_LIBCRYPTO
+
#include #include
@@ -326,3 +329,5 @@ done: talloc_free(tmp_ctx); return ret; }
+
+#endif /* OBF_WITH_LIBCRYPTO */
--
2.19.2
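Review bot: In the Makefile.am hunk, `SSS_CRYPT_SOURCES += src/util/crypto/libcrypto/crypto_obfuscate.c` is appended whenever OBF_WITH_LIBCRYPTO is set, and the configure.ac hunk of this patch sets that conditional unconditionally. If the `else` branch that closes just above the hunk already lists crypto_obfuscate.c for a libcrypto build (that branch is outside the hunk, so this needs confirming), the file would appear twice in `libsss_crypt_la_SOURCES` for that configuration. Restricting the addition to the NSS side of the conditional above would avoid that, and a short comment such as `# NSS build: the obfuscation code still comes from libcrypto, see configure.ac` would explain why an NSS build links `$(CRYPTO_LIBS)` as well.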
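Review bot: `AM_CONDITIONAL([OBF_WITH_LIBCRYPTO], [test x == x])` in the configure.ac hunk is a constant-true test that reads like a leftover variable comparison; `AM_CONDITIONAL([OBF_WITH_LIBCRYPTO], [true])` states the intent directly. `AC_DEFINE_UNQUOTED` is only needed when the value requires shell expansion, so `AC_DEFINE([OBF_WITH_LIBCRYPTO], [1], [Build the obfuscation feature with the libcrypto back end])` is sufficient and also corrects the "libcrypt" wording in the description. Because `AM_CHECK_LIBCRYPTO` is now called unconditionally, the call inside the `xlibcrypto` branch directly below repeats the check; the remainder of that branch lies outside the hunk.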
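Review bot: The `#ifndef OBF_WITH_LIBCRYPTO` added after `#include "config.h"` in nss_obfuscate.c removes the whole NSS implementation from the build without saying why in the file itself; a comment above the guard such as `/* Compiled out when the obfuscation code is provided by libcrypto; the NSS variant does not run in FIPS mode */` would carry the configure.ac rationale to the place a reader will look. The closing line in the last hunk would be more accurate as `#endif /* !OBF_WITH_LIBCRYPTO */`, since the guard is negated. Values obfuscated earlier by the NSS code have to remain decodable by the libcrypto implementation after this switch; nothing in the patch shows that being exercised, so a round-trip test across the two back ends is worth adding if one does not already exist. The guarded region spans the file between the two hunks and is not visible here.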