crypto: Obey compile flags for no DSA, BF, DES, DH

9 files changed, 116 insertions, 12 deletions

diff --git a/lib/crypto/c_src/algorithms.c b/lib/crypto/c_src/algorithms.c
index 1d45ed9df2..20707c0531 100644
--- a/lib/crypto/c_src/algorithms.c
+++ b/lib/crypto/c_src/algorithms.c
@@ -80,8 +80,12 @@ void init_algorithms_types(ErlNifEnv* env)
 
     algo_pubkey_cnt = 0;
     algo_pubkey[algo_pubkey_cnt++] = enif_make_atom(env, "rsa");
+#ifdef HAVE_DSA
     algo_pubkey[algo_pubkey_cnt++] = enif_make_atom(env, "dss");
+#endif
+#ifdef HAVE_DH
     algo_pubkey[algo_pubkey_cnt++] = enif_make_atom(env, "dh");
+#endif
 #if defined(HAVE_EC)
 #if !defined(OPENSSL_NO_EC2M)
     algo_pubkey[algo_pubkey_cnt++] = enif_make_atom(env, "ec_gf2m");
diff --git a/lib/crypto/c_src/cipher.c b/lib/crypto/c_src/cipher.c
index 13de3562e8..8f0c93c5db 100644
--- a/lib/crypto/c_src/cipher.c
+++ b/lib/crypto/c_src/cipher.c
@@ -20,10 +20,10 @@
 
 #include "cipher.h"
 
-#ifdef OPENSSL_NO_DES
-#define COND_NO_DES_PTR(Ptr) (NULL)
-#else
+#ifdef HAVE_DES
 #define COND_NO_DES_PTR(Ptr) (Ptr)
+#else
+#define COND_NO_DES_PTR(Ptr) (NULL)
 #endif
 
 static struct cipher_type_t cipher_types[] =
@@ -50,10 +50,17 @@ static struct cipher_type_t cipher_types[] =
     {{"des_ede3_cfb"}, {NULL}, 0, 0},
 #endif
 
+#ifdef HAVE_BF
     {{"blowfish_cbc"}, {&EVP_bf_cbc}, 0, NO_FIPS_CIPHER},
     {{"blowfish_cfb64"}, {&EVP_bf_cfb64}, 0, NO_FIPS_CIPHER},
     {{"blowfish_ofb64"}, {&EVP_bf_ofb}, 0, NO_FIPS_CIPHER},
     {{"blowfish_ecb"}, {&EVP_bf_ecb}, 0, NO_FIPS_CIPHER | ECB_BUG_0_9_8L},
+#else
+    {{"blowfish_cbc"}, {NULL}, 0, 0},
+    {{"blowfish_cfb64"}, {NULL}, 0, 0},
+    {{"blowfish_ofb64"}, {NULL}, 0, 0},
+    {{"blowfish_ecb"}, {NULL}, 0, 0},
+#endif
 
     {{"aes_cbc"}, {&EVP_aes_128_cbc}, 16, 0},
     {{"aes_cbc"}, {&EVP_aes_192_cbc}, 24, 0},
diff --git a/lib/crypto/c_src/dh.c b/lib/crypto/c_src/dh.c
index 38eb534d99..13a2336f25 100644
--- a/lib/crypto/c_src/dh.c
+++ b/lib/crypto/c_src/dh.c
@@ -23,6 +23,7 @@
 
 ERL_NIF_TERM dh_generate_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[])
 {/* (PrivKey|undefined, DHParams=[P,G], Mpint, Len|0) */
+#ifdef HAVE_DH
     DH *dh_params = NULL;
     unsigned int mpint; /* 0 or 4 */
     ERL_NIF_TERM head, tail;
@@ -187,10 +188,14 @@ ERL_NIF_TERM dh_generate_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM ar
 #endif
 
     return ret;
+#else
+    return enif_raise_exception(env, atom_notsup);
+#endif
 }
 
 ERL_NIF_TERM dh_compute_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[])
 {/* (OthersPublicKey, MyPrivateKey, DHParams=[P,G]) */
+#ifdef HAVE_DH
     BIGNUM *other_pub_key = NULL;
     BIGNUM *dh_p = NULL;
     BIGNUM *dh_g = NULL;
@@ -291,4 +296,7 @@ ERL_NIF_TERM dh_compute_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM arg
         DH_free(dh_priv);
 
     return ret;
+#else
+    return enif_raise_exception(env, atom_notsup);
+#endif
 }
diff --git a/lib/crypto/c_src/dss.c b/lib/crypto/c_src/dss.c
index 9bf8eb3ce0..63268f0f2b 100644
--- a/lib/crypto/c_src/dss.c
+++ b/lib/crypto/c_src/dss.c
@@ -21,6 +21,8 @@
 #include "dss.h"
 #include "bn.h"
 
+#ifdef HAVE_DSA
+
 int get_dss_private_key(ErlNifEnv* env, ERL_NIF_TERM key, DSA *dsa)
 {
     /* key=[P,Q,G,KEY] */
@@ -142,3 +144,5 @@ int get_dss_public_key(ErlNifEnv* env, ERL_NIF_TERM key, DSA *dsa)
         BN_free(dsa_y);
     return 0;
 }
+
+#endif
diff --git a/lib/crypto/c_src/dss.h b/lib/crypto/c_src/dss.h
index 3275657e98..07e28ca7c5 100644
--- a/lib/crypto/c_src/dss.h
+++ b/lib/crypto/c_src/dss.h
@@ -23,7 +23,9 @@
 
 #include "common.h"
 
+#ifdef HAVE_DSA
 int get_dss_private_key(ErlNifEnv* env, ERL_NIF_TERM key, DSA *dsa);
 int get_dss_public_key(ErlNifEnv* env, ERL_NIF_TERM key, DSA *dsa);
+#endif
 
 #endif /* E_DSS_H__ */
diff --git a/lib/crypto/c_src/openssl_config.h b/lib/crypto/c_src/openssl_config.h
index f926f8af13..339eb5b8f4 100644
--- a/lib/crypto/c_src/openssl_config.h
+++ b/lib/crypto/c_src/openssl_config.h
@@ -25,9 +25,8 @@
 #include <openssl/opensslconf.h>
 
 #include <openssl/crypto.h>
-#ifndef OPENSSL_NO_DES
 #include <openssl/des.h>
-#endif /* #ifndef OPENSSL_NO_DES */
+
 /* #include <openssl/idea.h> This is not supported on the openssl OTP requires */
 #include <openssl/dsa.h>
 #include <openssl/rsa.h>
@@ -166,6 +165,22 @@
 # define HAVE_BLAKE2
 #endif
 
+#ifndef OPENSSL_NO_BF
+# define HAVE_BF
+#endif
+
+#ifndef OPENSSL_NO_DES
+# define HAVE_DES
+#endif
+
+#ifndef OPENSSL_NO_DH
+# define HAVE_DH
+#endif
+
+#ifndef OPENSSL_NO_DSA
+# define HAVE_DSA
+#endif
+
 #ifndef OPENSSL_NO_MD4
 # define HAVE_MD4
 #endif
diff --git a/lib/crypto/c_src/pkey.c b/lib/crypto/c_src/pkey.c
index 638bb588fa..a1e2677b34 100644
--- a/lib/crypto/c_src/pkey.c
+++ b/lib/crypto/c_src/pkey.c
@@ -254,7 +254,9 @@ static int get_pkey_private_key(ErlNifEnv *env, ERL_NIF_TERM algorithm, ERL_NIF_
 {
     EVP_PKEY *result = NULL;
     RSA *rsa = NULL;
+#ifdef HAVE_DSA
     DSA *dsa = NULL;
+#endif
 #if defined(HAVE_EC)
     EC_KEY *ec = NULL;
 #endif
@@ -327,6 +329,7 @@ static int get_pkey_private_key(ErlNifEnv *env, ERL_NIF_TERM algorithm, ERL_NIF_
             return PKEY_NOTSUP;
 #endif
     } else if (algorithm == atom_dss) {
+#ifdef HAVE_DSA
         if ((dsa = DSA_new()) == NULL)
             goto err;
         if (!get_dss_private_key(env, key, dsa))
@@ -340,9 +343,9 @@ static int get_pkey_private_key(ErlNifEnv *env, ERL_NIF_TERM algorithm, ERL_NIF_
         dsa = NULL;
 
     } else {
+#endif
 	return PKEY_BADARG;
     }
-
     goto done;
 
  err:
@@ -357,8 +360,10 @@ static int get_pkey_private_key(ErlNifEnv *env, ERL_NIF_TERM algorithm, ERL_NIF_
         enif_free(id);
     if (rsa)
         RSA_free(rsa);
+#ifdef HAVE_DSA
     if (dsa)
         DSA_free(dsa);
+#endif
 #ifdef HAVE_EC
     if (ec)
         EC_KEY_free(ec);
@@ -377,7 +382,9 @@ static int get_pkey_public_key(ErlNifEnv *env, ERL_NIF_TERM algorithm, ERL_NIF_T
 {
     EVP_PKEY *result = NULL;
     RSA *rsa = NULL;
+#ifdef HAVE_DSA
     DSA *dsa = NULL;
+#endif
 #if defined(HAVE_EC)
     EC_KEY *ec = NULL;
 #endif
@@ -449,6 +456,7 @@ static int get_pkey_public_key(ErlNifEnv *env, ERL_NIF_TERM algorithm, ERL_NIF_T
 	return PKEY_NOTSUP;
 #endif
     } else if (algorithm == atom_dss) {
+#ifdef HAVE_DSA
         if ((dsa = DSA_new()) == NULL)
             goto err;
 
@@ -461,7 +469,9 @@ static int get_pkey_public_key(ErlNifEnv *env, ERL_NIF_TERM algorithm, ERL_NIF_T
             goto err;
         /* On success, result owns dsa */
         dsa = NULL;
-
+#else
+        return PKEY_NOTSUP;
+#endif
     } else {
 	return PKEY_BADARG;
     }
@@ -480,8 +490,10 @@ static int get_pkey_public_key(ErlNifEnv *env, ERL_NIF_TERM algorithm, ERL_NIF_T
         enif_free(id);
     if (rsa)
         RSA_free(rsa);
+#ifdef HAVE_DSA
     if (dsa)
         DSA_free(dsa);
+#endif
 #ifdef HAVE_EC
     if (ec)
         EC_KEY_free(ec);
@@ -518,7 +530,9 @@ ERL_NIF_TERM pkey_sign_nif(ErlNifEnv *env, int argc, const ERL_NIF_TERM argv[])
     unsigned char *tbs; /* data to be signed */
     size_t tbslen;
     RSA *rsa = NULL;
+#ifdef HAVE_DSA
     DSA *dsa = NULL;
+#endif
 #if defined(HAVE_EC)
     EC_KEY *ec = NULL;
 #endif
@@ -706,8 +720,10 @@ enif_get_atom(env,argv[1],buf,1024,ERL_NIF_LATIN1); printf("hash=%s ",buf);
         enif_release_binary(&sig_bin);
     if (rsa)
         RSA_free(rsa);
+#ifdef HAVE_DSA
     if (dsa)
         DSA_free(dsa);
+#endif
 #ifdef HAVE_EC
     if (ec)
         EC_KEY_free(ec);
@@ -744,7 +760,9 @@ ERL_NIF_TERM pkey_verify_nif(ErlNifEnv *env, int argc, const ERL_NIF_TERM argv[]
     size_t tbslen;
     ERL_NIF_TERM ret;
     RSA *rsa = NULL;
+#ifdef HAVE_DSA
     DSA *dsa = NULL;
+#endif
 #ifdef HAVE_EC
     EC_KEY *ec = NULL;
 #endif
@@ -890,8 +908,10 @@ ERL_NIF_TERM pkey_verify_nif(ErlNifEnv *env, int argc, const ERL_NIF_TERM argv[]
         EVP_PKEY_free(pkey);
     if (rsa)
         RSA_free(rsa);
+#ifdef HAVE_DSA
     if (dsa)
         DSA_free(dsa);
+#endif
 #ifdef HAVE_EC
     if (ec)
         EC_KEY_free(ec);
@@ -1358,7 +1378,9 @@ ERL_NIF_TERM privkey_to_pubkey_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM
     ERL_NIF_TERM ret;
     EVP_PKEY *pkey = NULL;
     RSA *rsa = NULL;
+#ifdef HAVE_DSA
     DSA *dsa = NULL;
+#endif
     ERL_NIF_TERM result[8];
 
     ASSERT(argc == 2);
@@ -1383,6 +1405,7 @@ ERL_NIF_TERM privkey_to_pubkey_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM
 
         ret = enif_make_list_from_array(env, result, 2);
 
+#ifdef HAVE_DSA
     } else if (argv[0] == atom_dss) {
         const BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL;
 
@@ -1402,7 +1425,7 @@ ERL_NIF_TERM privkey_to_pubkey_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM
             goto err;
 
         ret = enif_make_list_from_array(env, result, 4);
-
+#endif
     } else if (argv[0] == atom_ecdsa) {
 #if defined(HAVE_EC)
         /* not yet implemented
@@ -1452,8 +1475,10 @@ ERL_NIF_TERM privkey_to_pubkey_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM
  done:
     if (rsa)
         RSA_free(rsa);
+#ifdef HAVE_DSA
     if (dsa)
         DSA_free(dsa);
+#endif
     if (pkey)
         EVP_PKEY_free(pkey);
 
diff --git a/lib/crypto/src/crypto.erl b/lib/crypto/src/crypto.erl
index 04b2f62266..a99ab2faea 100644
--- a/lib/crypto/src/crypto.erl
+++ b/lib/crypto/src/crypto.erl
@@ -1058,8 +1058,21 @@ ng_crypto_one_time_nif(_Cipher, _Key, _IVec, _Data, _EncryptFlg) -> ?nif_stub.
 %%%----------------------------------------------------------------
 %%% Cipher aliases
 %%%
-prepend_cipher_aliases(L) ->
-    [des3_cbc, des_ede3, des_ede3_cbf, des3_cbf, des3_cfb, aes_cbc128, aes_cbc256 | L].
+prepend_cipher_aliases(L0) ->
+    L =
+        case lists:member(des_ede3_cbc, L0) of
+            true ->
+                [des3_cbc, des_ede3, des_ede3_cbf, des3_cbf, des3_cfb | L0];
+            false ->
+                L0
+        end,
+    case lists:member(aes_128_cbc, L0) of
+        true ->
+            [aes_cbc128, aes_cbc256 | L];
+        false ->
+            L
+    end.
+
 
 %%%---- des_ede3_cbc
 alias(des3_cbc)     -> des_ede3_cbc;
diff --git a/lib/crypto/test/engine_SUITE.erl b/lib/crypto/test/engine_SUITE.erl
index 3416fbd78d..41cd132734 100644
--- a/lib/crypto/test/engine_SUITE.erl
+++ b/lib/crypto/test/engine_SUITE.erl
@@ -148,8 +148,21 @@ end_per_group(_, Config) ->
     end.
 
 %%--------------------------------------------------------------------
-init_per_testcase(_Case, Config) ->
-    Config.
+init_per_testcase(Case, Config) ->
+    case string:tokens(atom_to_list(Case),"_") of
+        ["sign","verify",Type|_] ->
+            skip_if_unsup(list_to_atom(Type), Config);
+
+        ["priv","encrypt","pub","decrypt",Type|_] ->
+            skip_if_unsup(list_to_atom(Type), Config);
+
+        ["get","pub","from","priv","key",Type|_] ->
+            skip_if_unsup(list_to_atom(Type), Config);
+
+        _ ->
+            Config
+    end.
+
 end_per_testcase(_Case, _Config) ->
     ok.
 
@@ -851,6 +864,19 @@ get_pub_from_priv_key_ecdsa(Config) ->
 %%%================================================================
 %%% Help for engine_stored_pub_priv_keys* test cases
 %%%
+skip_if_unsup(Type, Config) ->
+    case pkey_supported(Type) of
+        false ->
+            {skip, "Unsupported in this cryptolib"};
+        true ->
+            Config
+    end.
+
+
+pkey_supported(Type) ->
+    lists:member(Type, proplists:get_value(public_keys, crypto:supports(), [])).
+
+
 load_storage_engine(Config) ->
     load_storage_engine(Config, []).