Age | Commit message (Collapse) | Author |
|
|
|
|
|
Engine
Only RSA and DSA so far.
|
|
|
|
|
|
|
|
Add support to plug in alternative implementations for
some or all of the cryptographic operations supported by
the OpenSSL Engine API.
When configured appropriately, OpenSSL calls the engine's
implementation of these operations instead of its own.
|
|
maint
|
|
|
|
|
|
|
|
Testcases for ECDSA and DSA encrypt/decrypt and some other adaptions
|
|
introduced in 03f3ec41f5468413235e3923a542a11cfd631089
|
|
|
|
|
|
Same comment as previous commit applies.
|
|
The function pkey_verify_nif handles pk signing with a general approach that is enabled by EVP api in OpenSSL 1.0.0
The rejected PR838 introduced that function and lots of other stuff so far neglected. It also made some different rsa padding methods possible (included).
Since the crypto code base has changed significantly, it was an overhelming work to try a git merge. Therefore this commit is a manual move of the source code from the PR into current maint.
This commit concentrates to use the new function compatible with the old functions. This includes some #if:s for different versions, compatibility code for 0.9.8.
Lacking: test cases, exporting the more general erlang api, documentation...
|
|
|
|
|
|
Make some C code static
|
|
Fix backwards equality check in aes cfb128 function
OTP-14435
|
|
|
|
|
|
|
|
|
|
Conflicts:
OTP_VERSION
erts/vsn.mk
lib/crypto/c_src/crypto.c
lib/crypto/src/crypto.erl
lib/ssh/src/ssh.erl
|
|
Fix a bug with the use of the aes_cfb128 cipher by calling the correct
underlying openssl interface function when the cipher is specified.
|
|
Demonstrate a bug with AES CFB 128 for certain key sizes introduced
with the Erlang 19.0 release. The code in the block_crypt_nif function
in the crypto.c source file incorrectly calls aes_cfb_8_crypt when the
specified cipher is aes_cfb8 or aes_cfb128 and the key size is 24 or
32. The aes_cfb_8_crypt function calls the AES_cfb8_encrypt function
from the openssl interface, but this is incorrect when the cipher is
aes_cfb128.
Unfortunately the test cases in the crypto test suite are insufficient
to detect an issue like this because it exercises the encryption and
decryption roundtrip using the same incorrect underlying function. The
problem was observed when trying to update an application to Erlang 19
that attempted to decrypt data that was encrypted using aes_cfb128 by
another source. In this commit I altered the crypto test suite to
provide a demonstration of this problem.
|
|
for usage in rand
|
|
|
|
|
|
|
|
|
|
|
|
Conflicts:
lib/crypto/c_src/crypto.c
lib/crypto/src/crypto.erl
|
|
|
|
Support RSA key generation using generate_key(rsa, {bits, e}). This depends
on the currently-experimental "dirty scheduler" support because key
generation is a potentially lengthy process.
|
|
|
|
This commit reactivates chacha20_poly1305 and fixes the imprementation
for the released OpenSSL 1.1.0 or later.
|
|
|
|
In June 2014, fb9d36c2c7c1 added support for the AES GCM ciphers
(ChaCha/Poly1305) based on a development version of OpenSSL 1.1.0.
The code is seriously broken when used with the released OpenSSL 1.1.0.
|
|
|
|
Conflicts:
lib/crypto/c_src/crypto.c
lib/ssl/src/ssl_cipher.erl
|
|
|
|
Renamed the init function as the return semantics are changed.
|
|
|
|
* RoadRunnr/crypto/no-rc4/PR-1169/OTP-13896:
disable RC4 in SSL when crypto doesn't support it
Fix compilation when OpenSSL doesn't support RC4
Conflicts:
lib/crypto/c_src/crypto.c
|
|
For consistency with other applications.
|
|
FIPS mode support needs to be enabled at compile time, by configuring
Erlang/OTP with --enable-fips option. In FIPS mode the non-FIPS
algorithms are disabled and raise error notsup.
The supported protocols list is properly updated in FIPS mode to
advertise only the enabled protocols.
FIPS mode is off by default even if Erlang/OTP was built with FIPS
support. It needs to be turned on at runtime.
The official approach is to set the fips_mode application environment
parameter of the crypto application to true. This would turn FIPS mode
on when the NIF is loaded and would prevent loading the module on
error.
Another method is provided via the crypto:enable_fips_mode/1
function, but it is not recommended to be used in production, as it
won't prevent the use of the crypto module in case of an error, and
would risk OpenSSL crashing the emulator. It is very useful for test
suites however that need to check both validated and non-validated
functionality.
This commit is based on commit
00b3a04d17a653b4abddeebd6dd8a2c38df532d0.
|
|
When OpenSSL has been configured with the "no-rc4" option, the header
file rc4.h doesn't exist, and neither does the rc4 functions.
Let's handle those by checking whether OPENSSL_NO_RC4 is defined.
|