diff options
| author | Hans Nilsson <[email protected]> | 2018-09-17 10:14:09 +0200 |
|---|---|---|
| committer | Hans Nilsson <[email protected]> | 2018-09-17 10:14:09 +0200 |
| commit | 4b48d5b1d21d741b6802a7187129e4b78b87a052 (patch) | |
| tree | 6e4427b01bcbf47b6ac1b8baa26d2254873180fd | |
| parent | 51dcd166c58bf371da4c85250c8d76c27b4148da (diff) | |
| parent | 94d4676a7f73cb948d3baa617d1f8fcd8ee5aec2 (diff) | |
| download | otp-4b48d5b1d21d741b6802a7187129e4b78b87a052.tar.gz otp-4b48d5b1d21d741b6802a7187129e4b78b87a052.tar.bz2 otp-4b48d5b1d21d741b6802a7187129e4b78b87a052.zip | |
Merge branch 'hans/crypto/rsassa_pss/OTP-15260' into maint
* hans/crypto/rsassa_pss/OTP-15260:
crypto: Add forgotten #ifdef MAY prevent compilation errors if the symbol is configured to not be defined in an OpenSSL version where it exists by default.
crypto: Change condition for RSA_PKCS1_PSS Trubble on a couple of cross-building machines
crypto: RSA options list disclaimer in documentation for crypto:supports/0 The final appearence of the rs_opts entry is still not completly decided.
crypto: Add 'rsa_opts' to crypto:supports/0 Needed in future versions of the SSL application.
| -rw-r--r-- | lib/crypto/c_src/crypto.c | 49 | ||||
| -rw-r--r-- | lib/crypto/doc/src/crypto.xml | 3 | ||||
| -rw-r--r-- | lib/crypto/src/crypto.erl | 11 |
3 files changed, 52 insertions, 11 deletions
diff --git a/lib/crypto/c_src/crypto.c b/lib/crypto/c_src/crypto.c index 6949df4b8e..3939a6f309 100644 --- a/lib/crypto/c_src/crypto.c +++ b/lib/crypto/c_src/crypto.c @@ -211,10 +211,14 @@ # define HAVE_ECB_IVEC_BUG #endif -#define HAVE_RSA_SSLV23_PADDING -#if defined(HAS_LIBRESSL) \ - && LIBRESSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(2,6,1) -# undef HAVE_RSA_SSLV23_PADDING +#ifdef RSA_SSLV23_PADDING +# define HAVE_RSA_SSLV23_PADDING +#endif + +#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,0,0) +# ifdef RSA_PKCS1_PSS_PADDING +# define HAVE_RSA_PKCS1_PSS_PADDING +# endif #endif #if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION(0,9,8,'h') \ @@ -1319,6 +1323,8 @@ static int algo_mac_cnt, algo_mac_fips_cnt; static ERL_NIF_TERM algo_mac[3]; /* increase when extending the list */ static int algo_curve_cnt, algo_curve_fips_cnt; static ERL_NIF_TERM algo_curve[87]; /* increase when extending the list */ +static int algo_rsa_opts_cnt, algo_rsa_opts_fips_cnt; +static ERL_NIF_TERM algo_rsa_opts[10]; /* increase when extending the list */ static void init_algorithms_types(ErlNifEnv* env) { @@ -1530,12 +1536,36 @@ static void init_algorithms_types(ErlNifEnv* env) algo_curve[algo_curve_cnt++] = enif_make_atom(env,"x448"); #endif + // Validated algorithms first + algo_rsa_opts_cnt = 0; +#ifdef HAS_EVP_PKEY_CTX +# ifdef HAVE_RSA_PKCS1_PSS_PADDING + algo_rsa_opts[algo_rsa_opts_cnt++] = enif_make_atom(env,"rsa_pkcs1_pss_padding"); + algo_rsa_opts[algo_rsa_opts_cnt++] = enif_make_atom(env,"rsa_pss_saltlen"); +# endif + algo_rsa_opts[algo_rsa_opts_cnt++] = enif_make_atom(env,"rsa_mgf1_md"); +# ifdef HAVE_RSA_OAEP_MD + algo_rsa_opts[algo_rsa_opts_cnt++] = enif_make_atom(env,"rsa_oaep_label"); + algo_rsa_opts[algo_rsa_opts_cnt++] = enif_make_atom(env,"rsa_oaep_md"); +# endif + algo_rsa_opts[algo_rsa_opts_cnt++] = enif_make_atom(env,"signature_md"); +#endif + algo_rsa_opts[algo_rsa_opts_cnt++] = enif_make_atom(env,"rsa_pkcs1_padding"); + algo_rsa_opts[algo_rsa_opts_cnt++] = enif_make_atom(env,"rsa_x931_padding"); +#ifdef HAVE_RSA_SSLV23_PADDING + algo_rsa_opts[algo_rsa_opts_cnt++] = enif_make_atom(env,"rsa_sslv23_padding"); +#endif + algo_rsa_opts[algo_rsa_opts_cnt++] = enif_make_atom(env,"rsa_no_padding"); + algo_rsa_opts_fips_cnt = algo_rsa_opts_cnt; + + // Check that the max number of algos is updated ASSERT(algo_hash_cnt <= sizeof(algo_hash)/sizeof(ERL_NIF_TERM)); ASSERT(algo_pubkey_cnt <= sizeof(algo_pubkey)/sizeof(ERL_NIF_TERM)); ASSERT(algo_cipher_cnt <= sizeof(algo_cipher)/sizeof(ERL_NIF_TERM)); ASSERT(algo_mac_cnt <= sizeof(algo_mac)/sizeof(ERL_NIF_TERM)); ASSERT(algo_curve_cnt <= sizeof(algo_curve)/sizeof(ERL_NIF_TERM)); + ASSERT(algo_rsa_opts_cnt <= sizeof(algo_rsa_opts)/sizeof(ERL_NIF_TERM)); } static ERL_NIF_TERM algorithms(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[]) @@ -1547,19 +1577,22 @@ static ERL_NIF_TERM algorithms(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv int cipher_cnt = fips_mode ? algo_cipher_fips_cnt : algo_cipher_cnt; int mac_cnt = fips_mode ? algo_mac_fips_cnt : algo_mac_cnt; int curve_cnt = fips_mode ? algo_curve_fips_cnt : algo_curve_cnt; + int rsa_opts_cnt = fips_mode ? algo_rsa_opts_fips_cnt : algo_rsa_opts_cnt; #else int hash_cnt = algo_hash_cnt; int pubkey_cnt = algo_pubkey_cnt; int cipher_cnt = algo_cipher_cnt; int mac_cnt = algo_mac_cnt; int curve_cnt = algo_curve_cnt; + int rsa_opts_cnt = algo_rsa_opts_cnt; #endif - return enif_make_tuple5(env, + return enif_make_tuple6(env, enif_make_list_from_array(env, algo_hash, hash_cnt), enif_make_list_from_array(env, algo_pubkey, pubkey_cnt), enif_make_list_from_array(env, algo_cipher, cipher_cnt), enif_make_list_from_array(env, algo_mac, mac_cnt), - enif_make_list_from_array(env, algo_curve, curve_cnt) + enif_make_list_from_array(env, algo_curve, curve_cnt), + enif_make_list_from_array(env, algo_rsa_opts, rsa_opts_cnt) ); } @@ -4385,7 +4418,7 @@ static int get_pkey_sign_options(ErlNifEnv *env, ERL_NIF_TERM algorithm, ERL_NIF if (tpl_terms[1] == atom_rsa_pkcs1_padding) { opt->rsa_padding = RSA_PKCS1_PADDING; } else if (tpl_terms[1] == atom_rsa_pkcs1_pss_padding) { -#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,0,0) +#ifdef HAVE_RSA_PKCS1_PSS_PADDING opt->rsa_padding = RSA_PKCS1_PSS_PADDING; if (opt->rsa_mgf1_md == NULL) { opt->rsa_mgf1_md = md; @@ -4674,6 +4707,7 @@ printf("\r\n"); if (argv[0] == atom_rsa) { if (EVP_PKEY_CTX_set_rsa_padding(ctx, sig_opt.rsa_padding) <= 0) goto badarg; +#ifdef HAVE_RSA_PKCS1_PSS_PADDING if (sig_opt.rsa_padding == RSA_PKCS1_PSS_PADDING) { if (sig_opt.rsa_mgf1_md != NULL) { #if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,0,1) @@ -4688,6 +4722,7 @@ printf("\r\n"); && EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, sig_opt.rsa_pss_saltlen) <= 0) goto badarg; } +#endif } if (EVP_PKEY_sign(ctx, NULL, &siglen, tbs, tbslen) <= 0) goto badarg; diff --git a/lib/crypto/doc/src/crypto.xml b/lib/crypto/doc/src/crypto.xml index d5f5009297..dab6e4ed4f 100644 --- a/lib/crypto/doc/src/crypto.xml +++ b/lib/crypto/doc/src/crypto.xml @@ -1044,6 +1044,9 @@ _FloatValue = rand:uniform(). % [0.0; 1.0[</pre> <desc> <p> Can be used to determine which crypto algorithms that are supported by the underlying libcrypto library</p> + <p>Note: the <c>rsa_opts</c> entry is in an experimental state and may change or be removed without notice. + No guarantee for the accuarcy of the rsa option's value list should be assumed. + </p> </desc> </func> diff --git a/lib/crypto/src/crypto.erl b/lib/crypto/src/crypto.erl index c64586897e..7d8f0479ee 100644 --- a/lib/crypto/src/crypto.erl +++ b/lib/crypto/src/crypto.erl @@ -319,7 +319,8 @@ stop() -> | {ciphers, Ciphers} | {public_keys, PKs} | {macs, Macs} - | {curves, Curves}, + | {curves, Curves} + | {rsa_opts, RSAopts}, Hashs :: [sha1() | sha2() | sha3() | ripemd160 | compatibility_only_hash()], Ciphers :: [stream_cipher() | block_cipher_with_iv() | block_cipher_without_iv() @@ -327,14 +328,16 @@ stop() -> ], PKs :: [rsa | dss | ecdsa | dh | ecdh | ec_gf2m], Macs :: [hmac | cmac | poly1305], - Curves :: [ec_named_curve() | edwards_curve()]. + Curves :: [ec_named_curve() | edwards_curve()], + RSAopts :: [rsa_sign_verify_opt() | rsa_opt()] . supports()-> - {Hashs, PubKeys, Ciphers, Macs, Curves} = algorithms(), + {Hashs, PubKeys, Ciphers, Macs, Curves, RsaOpts} = algorithms(), [{hashs, Hashs}, {ciphers, Ciphers}, {public_keys, PubKeys}, {macs, Macs}, - {curves, Curves} + {curves, Curves}, + {rsa_opts, RsaOpts} ]. -spec info_lib() -> [{Name,VerNum,VerStr}] when Name :: binary(), |