From 39e7ecc0b3c5cbe529093f126189eadbf83d3a80 Mon Sep 17 00:00:00 2001
From: Hans Nilsson <hans@erlang.org>
Date: Mon, 8 Apr 2019 14:33:12 +0200
Subject: crypto: Obey compile flags for no DSA, BF, DES, DH

---
 lib/crypto/c_src/algorithms.c     |  4 ++++
 lib/crypto/c_src/cipher.c         | 13 ++++++++++---
 lib/crypto/c_src/dh.c             |  8 ++++++++
 lib/crypto/c_src/dss.c            |  4 ++++
 lib/crypto/c_src/dss.h            |  2 ++
 lib/crypto/c_src/openssl_config.h | 19 +++++++++++++++++--
 lib/crypto/c_src/pkey.c           | 31 ++++++++++++++++++++++++++++---
 7 files changed, 73 insertions(+), 8 deletions(-)

(limited to 'lib/crypto/c_src')

diff --git a/lib/crypto/c_src/algorithms.c b/lib/crypto/c_src/algorithms.c
index 1d45ed9df2..20707c0531 100644
--- a/lib/crypto/c_src/algorithms.c
+++ b/lib/crypto/c_src/algorithms.c
@@ -80,8 +80,12 @@ void init_algorithms_types(ErlNifEnv* env)
 
     algo_pubkey_cnt = 0;
     algo_pubkey[algo_pubkey_cnt++] = enif_make_atom(env, "rsa");
+#ifdef HAVE_DSA
     algo_pubkey[algo_pubkey_cnt++] = enif_make_atom(env, "dss");
+#endif
+#ifdef HAVE_DH
     algo_pubkey[algo_pubkey_cnt++] = enif_make_atom(env, "dh");
+#endif
 #if defined(HAVE_EC)
 #if !defined(OPENSSL_NO_EC2M)
     algo_pubkey[algo_pubkey_cnt++] = enif_make_atom(env, "ec_gf2m");
diff --git a/lib/crypto/c_src/cipher.c b/lib/crypto/c_src/cipher.c
index 13de3562e8..8f0c93c5db 100644
--- a/lib/crypto/c_src/cipher.c
+++ b/lib/crypto/c_src/cipher.c
@@ -20,10 +20,10 @@
 
 #include "cipher.h"
 
-#ifdef OPENSSL_NO_DES
-#define COND_NO_DES_PTR(Ptr) (NULL)
-#else
+#ifdef HAVE_DES
 #define COND_NO_DES_PTR(Ptr) (Ptr)
+#else
+#define COND_NO_DES_PTR(Ptr) (NULL)
 #endif
 
 static struct cipher_type_t cipher_types[] =
@@ -50,10 +50,17 @@ static struct cipher_type_t cipher_types[] =
     {{"des_ede3_cfb"}, {NULL}, 0, 0},
 #endif
 
+#ifdef HAVE_BF
     {{"blowfish_cbc"}, {&EVP_bf_cbc}, 0, NO_FIPS_CIPHER},
     {{"blowfish_cfb64"}, {&EVP_bf_cfb64}, 0, NO_FIPS_CIPHER},
     {{"blowfish_ofb64"}, {&EVP_bf_ofb}, 0, NO_FIPS_CIPHER},
     {{"blowfish_ecb"}, {&EVP_bf_ecb}, 0, NO_FIPS_CIPHER | ECB_BUG_0_9_8L},
+#else
+    {{"blowfish_cbc"}, {NULL}, 0, 0},
+    {{"blowfish_cfb64"}, {NULL}, 0, 0},
+    {{"blowfish_ofb64"}, {NULL}, 0, 0},
+    {{"blowfish_ecb"}, {NULL}, 0, 0},
+#endif
 
     {{"aes_cbc"}, {&EVP_aes_128_cbc}, 16, 0},
     {{"aes_cbc"}, {&EVP_aes_192_cbc}, 24, 0},
diff --git a/lib/crypto/c_src/dh.c b/lib/crypto/c_src/dh.c
index 38eb534d99..13a2336f25 100644
--- a/lib/crypto/c_src/dh.c
+++ b/lib/crypto/c_src/dh.c
@@ -23,6 +23,7 @@
 
 ERL_NIF_TERM dh_generate_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[])
 {/* (PrivKey|undefined, DHParams=[P,G], Mpint, Len|0) */
+#ifdef HAVE_DH
     DH *dh_params = NULL;
     unsigned int mpint; /* 0 or 4 */
     ERL_NIF_TERM head, tail;
@@ -187,10 +188,14 @@ ERL_NIF_TERM dh_generate_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM ar
 #endif
 
     return ret;
+#else
+    return enif_raise_exception(env, atom_notsup);
+#endif
 }
 
 ERL_NIF_TERM dh_compute_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[])
 {/* (OthersPublicKey, MyPrivateKey, DHParams=[P,G]) */
+#ifdef HAVE_DH
     BIGNUM *other_pub_key = NULL;
     BIGNUM *dh_p = NULL;
     BIGNUM *dh_g = NULL;
@@ -291,4 +296,7 @@ ERL_NIF_TERM dh_compute_key_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM arg
         DH_free(dh_priv);
 
     return ret;
+#else
+    return enif_raise_exception(env, atom_notsup);
+#endif
 }
diff --git a/lib/crypto/c_src/dss.c b/lib/crypto/c_src/dss.c
index 9bf8eb3ce0..63268f0f2b 100644
--- a/lib/crypto/c_src/dss.c
+++ b/lib/crypto/c_src/dss.c
@@ -21,6 +21,8 @@
 #include "dss.h"
 #include "bn.h"
 
+#ifdef HAVE_DSA
+
 int get_dss_private_key(ErlNifEnv* env, ERL_NIF_TERM key, DSA *dsa)
 {
     /* key=[P,Q,G,KEY] */
@@ -142,3 +144,5 @@ int get_dss_public_key(ErlNifEnv* env, ERL_NIF_TERM key, DSA *dsa)
         BN_free(dsa_y);
     return 0;
 }
+
+#endif
diff --git a/lib/crypto/c_src/dss.h b/lib/crypto/c_src/dss.h
index 3275657e98..07e28ca7c5 100644
--- a/lib/crypto/c_src/dss.h
+++ b/lib/crypto/c_src/dss.h
@@ -23,7 +23,9 @@
 
 #include "common.h"
 
+#ifdef HAVE_DSA
 int get_dss_private_key(ErlNifEnv* env, ERL_NIF_TERM key, DSA *dsa);
 int get_dss_public_key(ErlNifEnv* env, ERL_NIF_TERM key, DSA *dsa);
+#endif
 
 #endif /* E_DSS_H__ */
diff --git a/lib/crypto/c_src/openssl_config.h b/lib/crypto/c_src/openssl_config.h
index f926f8af13..339eb5b8f4 100644
--- a/lib/crypto/c_src/openssl_config.h
+++ b/lib/crypto/c_src/openssl_config.h
@@ -25,9 +25,8 @@
 #include <openssl/opensslconf.h>
 
 #include <openssl/crypto.h>
-#ifndef OPENSSL_NO_DES
 #include <openssl/des.h>
-#endif /* #ifndef OPENSSL_NO_DES */
+
 /* #include <openssl/idea.h> This is not supported on the openssl OTP requires */
 #include <openssl/dsa.h>
 #include <openssl/rsa.h>
@@ -166,6 +165,22 @@
 # define HAVE_BLAKE2
 #endif
 
+#ifndef OPENSSL_NO_BF
+# define HAVE_BF
+#endif
+
+#ifndef OPENSSL_NO_DES
+# define HAVE_DES
+#endif
+
+#ifndef OPENSSL_NO_DH
+# define HAVE_DH
+#endif
+
+#ifndef OPENSSL_NO_DSA
+# define HAVE_DSA
+#endif
+
 #ifndef OPENSSL_NO_MD4
 # define HAVE_MD4
 #endif
diff --git a/lib/crypto/c_src/pkey.c b/lib/crypto/c_src/pkey.c
index 638bb588fa..a1e2677b34 100644
--- a/lib/crypto/c_src/pkey.c
+++ b/lib/crypto/c_src/pkey.c
@@ -254,7 +254,9 @@ static int get_pkey_private_key(ErlNifEnv *env, ERL_NIF_TERM algorithm, ERL_NIF_
 {
     EVP_PKEY *result = NULL;
     RSA *rsa = NULL;
+#ifdef HAVE_DSA
     DSA *dsa = NULL;
+#endif
 #if defined(HAVE_EC)
     EC_KEY *ec = NULL;
 #endif
@@ -327,6 +329,7 @@ static int get_pkey_private_key(ErlNifEnv *env, ERL_NIF_TERM algorithm, ERL_NIF_
             return PKEY_NOTSUP;
 #endif
     } else if (algorithm == atom_dss) {
+#ifdef HAVE_DSA
         if ((dsa = DSA_new()) == NULL)
             goto err;
         if (!get_dss_private_key(env, key, dsa))
@@ -340,9 +343,9 @@ static int get_pkey_private_key(ErlNifEnv *env, ERL_NIF_TERM algorithm, ERL_NIF_
         dsa = NULL;
 
     } else {
+#endif
 	return PKEY_BADARG;
     }
-
     goto done;
 
  err:
@@ -357,8 +360,10 @@ static int get_pkey_private_key(ErlNifEnv *env, ERL_NIF_TERM algorithm, ERL_NIF_
         enif_free(id);
     if (rsa)
         RSA_free(rsa);
+#ifdef HAVE_DSA
     if (dsa)
         DSA_free(dsa);
+#endif
 #ifdef HAVE_EC
     if (ec)
         EC_KEY_free(ec);
@@ -377,7 +382,9 @@ static int get_pkey_public_key(ErlNifEnv *env, ERL_NIF_TERM algorithm, ERL_NIF_T
 {
     EVP_PKEY *result = NULL;
     RSA *rsa = NULL;
+#ifdef HAVE_DSA
     DSA *dsa = NULL;
+#endif
 #if defined(HAVE_EC)
     EC_KEY *ec = NULL;
 #endif
@@ -449,6 +456,7 @@ static int get_pkey_public_key(ErlNifEnv *env, ERL_NIF_TERM algorithm, ERL_NIF_T
 	return PKEY_NOTSUP;
 #endif
     } else if (algorithm == atom_dss) {
+#ifdef HAVE_DSA
         if ((dsa = DSA_new()) == NULL)
             goto err;
 
@@ -461,7 +469,9 @@ static int get_pkey_public_key(ErlNifEnv *env, ERL_NIF_TERM algorithm, ERL_NIF_T
             goto err;
         /* On success, result owns dsa */
         dsa = NULL;
-
+#else
+        return PKEY_NOTSUP;
+#endif
     } else {
 	return PKEY_BADARG;
     }
@@ -480,8 +490,10 @@ static int get_pkey_public_key(ErlNifEnv *env, ERL_NIF_TERM algorithm, ERL_NIF_T
         enif_free(id);
     if (rsa)
         RSA_free(rsa);
+#ifdef HAVE_DSA
     if (dsa)
         DSA_free(dsa);
+#endif
 #ifdef HAVE_EC
     if (ec)
         EC_KEY_free(ec);
@@ -518,7 +530,9 @@ ERL_NIF_TERM pkey_sign_nif(ErlNifEnv *env, int argc, const ERL_NIF_TERM argv[])
     unsigned char *tbs; /* data to be signed */
     size_t tbslen;
     RSA *rsa = NULL;
+#ifdef HAVE_DSA
     DSA *dsa = NULL;
+#endif
 #if defined(HAVE_EC)
     EC_KEY *ec = NULL;
 #endif
@@ -706,8 +720,10 @@ enif_get_atom(env,argv[1],buf,1024,ERL_NIF_LATIN1); printf("hash=%s ",buf);
         enif_release_binary(&sig_bin);
     if (rsa)
         RSA_free(rsa);
+#ifdef HAVE_DSA
     if (dsa)
         DSA_free(dsa);
+#endif
 #ifdef HAVE_EC
     if (ec)
         EC_KEY_free(ec);
@@ -744,7 +760,9 @@ ERL_NIF_TERM pkey_verify_nif(ErlNifEnv *env, int argc, const ERL_NIF_TERM argv[]
     size_t tbslen;
     ERL_NIF_TERM ret;
     RSA *rsa = NULL;
+#ifdef HAVE_DSA
     DSA *dsa = NULL;
+#endif
 #ifdef HAVE_EC
     EC_KEY *ec = NULL;
 #endif
@@ -890,8 +908,10 @@ ERL_NIF_TERM pkey_verify_nif(ErlNifEnv *env, int argc, const ERL_NIF_TERM argv[]
         EVP_PKEY_free(pkey);
     if (rsa)
         RSA_free(rsa);
+#ifdef HAVE_DSA
     if (dsa)
         DSA_free(dsa);
+#endif
 #ifdef HAVE_EC
     if (ec)
         EC_KEY_free(ec);
@@ -1358,7 +1378,9 @@ ERL_NIF_TERM privkey_to_pubkey_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM
     ERL_NIF_TERM ret;
     EVP_PKEY *pkey = NULL;
     RSA *rsa = NULL;
+#ifdef HAVE_DSA
     DSA *dsa = NULL;
+#endif
     ERL_NIF_TERM result[8];
 
     ASSERT(argc == 2);
@@ -1383,6 +1405,7 @@ ERL_NIF_TERM privkey_to_pubkey_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM
 
         ret = enif_make_list_from_array(env, result, 2);
 
+#ifdef HAVE_DSA
     } else if (argv[0] == atom_dss) {
         const BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL;
 
@@ -1402,7 +1425,7 @@ ERL_NIF_TERM privkey_to_pubkey_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM
             goto err;
 
         ret = enif_make_list_from_array(env, result, 4);
-
+#endif
     } else if (argv[0] == atom_ecdsa) {
 #if defined(HAVE_EC)
         /* not yet implemented
@@ -1452,8 +1475,10 @@ ERL_NIF_TERM privkey_to_pubkey_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM
  done:
     if (rsa)
         RSA_free(rsa);
+#ifdef HAVE_DSA
     if (dsa)
         DSA_free(dsa);
+#endif
     if (pkey)
         EVP_PKEY_free(pkey);
 
-- 
cgit v1.2.3