Age | Commit message (Collapse) | Author |
|
Replaced by api_ng.c
|
|
Replaced by api_ng.c
|
|
The new files api_ng.h and api_ng.c implements an api using EVP.
The api is not by any mean new, except for the crypto application
in Erlang/OTP.
The aims at using the block api in a stream manor, that is
1) call crypto_init/4
2..N) call crypto_update/{2,3}
The purpose is to simplify and hopefully optimize the SSL and SSH
applications.
By keeping the crypto state in C in an enif_resource the costful state
copying in SSL and SSH is reduced with 1-2 per message sent or received.
Changes in other files are for adaptation like FIPS etc since many
functions uses the central get_cipher_type() function.
|
|
|
|
crypto.c is now only responsible for declaring NIFs and setup/tear down.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Also, move a FIPS check macro to the common openssl_config.h.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
In order to be able to handle runtime library path in crypto
also DED parts was broken out into a macro.
|
|
Add support to plug in alternative implementations for
some or all of the cryptographic operations supported by
the OpenSSL Engine API.
When configured appropriately, OpenSSL calls the engine's
implementation of these operations instead of its own.
|
|
For consistency with other applications.
|
|
FIPS mode support needs to be enabled at compile time, by configuring
Erlang/OTP with --enable-fips option. In FIPS mode the non-FIPS
algorithms are disabled and raise error notsup.
The supported protocols list is properly updated in FIPS mode to
advertise only the enabled protocols.
FIPS mode is off by default even if Erlang/OTP was built with FIPS
support. It needs to be turned on at runtime.
The official approach is to set the fips_mode application environment
parameter of the crypto application to true. This would turn FIPS mode
on when the NIF is loaded and would prevent loading the module on
error.
Another method is provided via the crypto:enable_fips_mode/1
function, but it is not recommended to be used in production, as it
won't prevent the use of the crypto module in case of an error, and
would risk OpenSSL crashing the emulator. It is very useful for test
suites however that need to check both validated and non-validated
functionality.
This commit is based on commit
00b3a04d17a653b4abddeebd6dd8a2c38df532d0.
|
|
|
|
The OSE port is no longer supported and this commit removed it
and any changes related to it. The things that were general
improvements have been left in the code.
|
|
|
|
This port has support for both non-smp and smp.
It contains a new way to do io checking in which erts_poll_wait
receives the payload of the polled entity. This has implications
for all linked-in drivers.
|
|
Both crypto and asn1 are supported.
|
|
With silent rules, the output of make is less verbose and compilation
warnings are easier to spot. Silent rules are disabled by default and
can be disabled or enabled at will by make V=0 and make V=1.
|
|
if static linking of openssl is used.
|
|
Facts:
crypto nif-lib registers callback functions that openssl uses
for memory management and thread synchronization. The callback
functions can only be set once, openssl does not allow changing the
callback functions.
Problem:
If openssl is dynamicly linked to crypto, you might get s scenario
where the crypto lib is unloaded while leaving openssl loaded
with its old pointers to the unloaded crypto code intact.
If crypto is then reloaded (by init:restart() for example), the crypto
nif-lib might get relocated at a different address. crypto calls
openssl which in turn calls the old invalid callback functions...kaboom.
Solution:
Break apart the callback functions into a separate dynamic lib that
crypto loads with dlopen. When crypto is unloaded the callback lib is
left in place to be reused if/when crypto is loaded again.
|
|
|
|
OTP-10106
OTP-10107
|
|
crypto only uses libcrypto.
Superfluous dependency introduced in R14B04 by 52230a417ad0057.
|
|
|
|
|
|
Create directories first, not within implicit rules. If two
'install' instances runs at the same time attempting to create
a directory, one of them may fail with an "File exists" error.
I tried to use order-only prerequisites to create the directories,
but run into two problems: First, order-only prerequisites are
only implemented in Make 3.80 and later. Second, on a computer
running Solaris/Intel 2.8 (with Make 3.80), order-only prerequisites
seemed to work like ordinary prerequisites, causing targets to
be re-built if the timestamp for the directory changed.
Therefore, using a shell command to run mkdir seems to be the
more portable solution.
|
|
|