From 2f46744041f9d86a3e9205ce3d0b64cedcb64f71 Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Tue, 14 May 2013 18:55:39 +0200 Subject: ssl: Remove use of deprecated crypto functions --- lib/ssl/test/ssl_test_lib.erl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/ssl/test') diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl index a8ff5187b6..ac7cbab883 100644 --- a/lib/ssl/test/ssl_test_lib.erl +++ b/lib/ssl/test/ssl_test_lib.erl @@ -285,7 +285,7 @@ user_lookup(psk, _Identity, UserState) -> {ok, UserState}; user_lookup(srp, Username, _UserState) -> Salt = ssl:random_bytes(16), - UserPassHash = crypto:sha([Salt, crypto:sha([Username, <<$:>>, <<"secret">>])]), + UserPassHash = crypto:hash(sha, [Salt, crypto:hash(sha, [Username, <<$:>>, <<"secret">>])]), {ok, {srp_1024, Salt, UserPassHash}}. cert_options(Config) -> -- cgit v1.2.3 From 7e47d5082b573e3fc535b0252662813647770e66 Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Wed, 15 May 2013 10:17:21 +0200 Subject: ssl, public_key & inets: Remove use of deprecated crypto functions from test code --- lib/ssl/test/erl_make_certs.erl | 42 ++++++++++++++++++++++------------------- 1 file changed, 23 insertions(+), 19 deletions(-) (limited to 'lib/ssl/test') diff --git a/lib/ssl/test/erl_make_certs.erl b/lib/ssl/test/erl_make_certs.erl index 723ccf4496..be1253bfb8 100644 --- a/lib/ssl/test/erl_make_certs.erl +++ b/lib/ssl/test/erl_make_certs.erl @@ -391,13 +391,14 @@ gen_dsa2(LSize, NSize) -> error -> gen_dsa2(LSize, NSize); P -> - G = crypto:mod_exp(2, (P-1) div Q, P), % Choose G a number whose multiplicative order modulo p is q. + G = crypto:mod_pow(2, (P-1) div Q, P), % Choose G a number whose multiplicative order modulo p is q. %% such that This may be done by setting g = h^(p-1)/q mod p, commonly h=2 is used. X = prime(20), %% Choose x by some random method, where 0 < x < q. - Y = crypto:mod_exp(G, X, P), %% Calculate y = g^x mod p. + Y = crypto:mod_pow(G, X, P), %% Calculate y = g^x mod p. - #'DSAPrivateKey'{version=0, p=P, q=Q, g=G, y=Y, x=X} + #'DSAPrivateKey'{version=0, p = P, q = Q, + g = crypto:binary_to_integer(G), y = crypto:binary_to_integer(Y), x = X} end. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% @@ -419,7 +420,7 @@ gen_ec2(CurveId) -> %% See fips_186-3.pdf dsa_search(T, P0, Q, Iter) when Iter > 0 -> P = 2*T*Q*P0 + 1, - case is_prime(crypto:mpint(P), 50) of + case is_prime(P, 50) of true -> P; false -> dsa_search(T+1, P0, Q, Iter-1) end; @@ -430,38 +431,40 @@ dsa_search(_,_,_,_) -> %%%%%%% Crypto Math %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% prime(ByteSize) -> Rand = odd_rand(ByteSize), - crypto:erlint(prime_odd(Rand, 0)). + prime_odd(Rand, 0). prime_odd(Rand, N) -> case is_prime(Rand, 50) of true -> Rand; false -> - NotPrime = crypto:erlint(Rand), - prime_odd(crypto:mpint(NotPrime+2), N+1) + prime_odd(Rand+2, N+1) end. %% see http://en.wikipedia.org/wiki/Fermat_primality_test is_prime(_, 0) -> true; is_prime(Candidate, Test) -> - CoPrime = odd_rand(<<0,0,0,4, 10000:32>>, Candidate), - case crypto:mod_exp(CoPrime, Candidate, Candidate) of - CoPrime -> is_prime(Candidate, Test-1); - _ -> false - end. + CoPrime = odd_rand(10000, Candidate), + Result = crypto:mod_pow(CoPrime, Candidate, Candidate) , + is_prime(CoPrime, crypto:binary_to_integer(Result), Candidate, Test). + +is_prime(CoPrime, CoPrime, Candidate, Test) -> + is_prime(Candidate, Test-1); +is_prime(_,_,_,_) -> + false. odd_rand(Size) -> Min = 1 bsl (Size*8-1), Max = (1 bsl (Size*8))-1, - odd_rand(crypto:mpint(Min), crypto:mpint(Max)). + odd_rand(Min, Max). odd_rand(Min,Max) -> - Rand = <> = crypto:rand_uniform(Min,Max), - BitSkip = (Sz+4)*8-1, - case Rand of - Odd = <<_:BitSkip, 1:1>> -> Odd; - Even = <<_:BitSkip, 0:1>> -> - crypto:mpint(crypto:erlint(Even)+1) + Rand = crypto:rand_uniform(Min,Max), + case Rand rem 2 of + 0 -> + Rand + 1; + _ -> + Rand end. extended_gcd(A, B) -> @@ -480,3 +483,4 @@ pem_to_der(File) -> der_to_pem(File, Entries) -> PemBin = public_key:pem_encode(Entries), file:write_file(File, PemBin). + -- cgit v1.2.3 From 36a9e0a0dcb33c0cab6fdfcc6847e04b1b786a73 Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Wed, 15 May 2013 15:51:44 +0200 Subject: ssl, public_key, crypto: crypto:algorithms/0 -> crypto:supports/0 --- lib/ssl/test/ssl_test_lib.erl | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) (limited to 'lib/ssl/test') diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl index ac7cbab883..255df92d77 100644 --- a/lib/ssl/test/ssl_test_lib.erl +++ b/lib/ssl/test/ssl_test_lib.erl @@ -405,7 +405,8 @@ make_dsa_cert(Config) -> | Config]. make_ecdsa_cert(Config) -> - case proplists:get_bool(ec, crypto:algorithms()) of + CryptoSupport = crypto:supports(), + case proplists:get_bool(ecdsa, proplists:get_value(public_keys, CryptoSupport)) of true -> {ServerCaCertFile, ServerCertFile, ServerKeyFile} = make_cert_files("server", Config, ec, ec, ""), {ClientCaCertFile, ClientCertFile, ClientKeyFile} = make_cert_files("client", Config, ec, ec, ""), @@ -429,7 +430,8 @@ make_ecdsa_cert(Config) -> %% This key exchange algorithm is the same as ECDH_ECDSA except that the %% server's certificate MUST be signed with RSA rather than ECDSA. make_ecdh_rsa_cert(Config) -> - case proplists:get_bool(ec, crypto:algorithms()) of + CryptoSupport = crypto:supports(), + case proplists:get_bool(ecdh, proplists:get_value(public_keys, CryptoSupport)) of true -> {ServerCaCertFile, ServerCertFile, ServerKeyFile} = make_cert_files("server", Config, rsa, ec, "rsa_"), {ClientCaCertFile, ClientCertFile, ClientKeyFile} = make_cert_files("client", Config, rsa, ec, "rsa_"), @@ -939,9 +941,11 @@ init_tls_version(Version) -> ssl:start(). sufficient_crypto_support('tlsv1.2') -> - proplists:get_bool(sha256, crypto:algorithms()); + CryptoSupport = crypto:supports(), + proplists:get_bool(sha256, proplists:get_value(hashs, CryptoSupport)); sufficient_crypto_support(ciphers_ec) -> - proplists:get_bool(ec, crypto:algorithms()); + CryptoSupport = crypto:supports(), + proplists:get_bool(ecdh, proplists:get_value(public_keys, CryptoSupport)); sufficient_crypto_support(_) -> true. -- cgit v1.2.3 From f941576f751fbf59049d982ca901cd3eab7dfe1f Mon Sep 17 00:00:00 2001 From: Sverker Eriksson Date: Tue, 14 May 2013 19:07:51 +0200 Subject: crypto,public_key,ssl: Change return value of crypto:generate_key(ecdh,..) to conform with the return value of the other types. --- lib/ssl/test/erl_make_certs.erl | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) (limited to 'lib/ssl/test') diff --git a/lib/ssl/test/erl_make_certs.erl b/lib/ssl/test/erl_make_certs.erl index be1253bfb8..be46fd0d46 100644 --- a/lib/ssl/test/erl_make_certs.erl +++ b/lib/ssl/test/erl_make_certs.erl @@ -410,7 +410,7 @@ int2list(I) -> binary_to_list(<>). gen_ec2(CurveId) -> - {PrivKey, PubKey} = crypto:generate_key(ecdh, CurveId), + {PubKey, PrivKey} = crypto:generate_key(ecdh, CurveId), #'ECPrivateKey'{version = 1, privateKey = int2list(PrivKey), -- cgit v1.2.3 From 6518a54dbbbadb01f546e0e8c3dd3c3dfdf93e13 Mon Sep 17 00:00:00 2001 From: Sverker Eriksson Date: Thu, 16 May 2013 20:08:50 +0200 Subject: crypto, public_key & ssl: Make more functions accept integer keys --- lib/ssl/test/erl_make_certs.erl | 10 +++------- 1 file changed, 3 insertions(+), 7 deletions(-) (limited to 'lib/ssl/test') diff --git a/lib/ssl/test/erl_make_certs.erl b/lib/ssl/test/erl_make_certs.erl index be46fd0d46..22dc951ac1 100644 --- a/lib/ssl/test/erl_make_certs.erl +++ b/lib/ssl/test/erl_make_certs.erl @@ -398,22 +398,18 @@ gen_dsa2(LSize, NSize) -> Y = crypto:mod_pow(G, X, P), %% Calculate y = g^x mod p. #'DSAPrivateKey'{version=0, p = P, q = Q, - g = crypto:binary_to_integer(G), y = crypto:binary_to_integer(Y), x = X} + g = crypto:bytes_to_integer(G), y = crypto:bytes_to_integer(Y), x = X} end. %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %% EC key generation (OBS: for testing only) %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% -int2list(I) -> - L = (length(integer_to_list(I, 16)) + 1) div 2, - binary_to_list(<>). - gen_ec2(CurveId) -> {PubKey, PrivKey} = crypto:generate_key(ecdh, CurveId), #'ECPrivateKey'{version = 1, - privateKey = int2list(PrivKey), + privateKey = binary_to_list(PrivKey), parameters = {namedCurve, pubkey_cert_records:namedCurves(CurveId)}, publicKey = {0, PubKey}}. @@ -446,7 +442,7 @@ is_prime(_, 0) -> true; is_prime(Candidate, Test) -> CoPrime = odd_rand(10000, Candidate), Result = crypto:mod_pow(CoPrime, Candidate, Candidate) , - is_prime(CoPrime, crypto:binary_to_integer(Result), Candidate, Test). + is_prime(CoPrime, crypto:bytes_to_integer(Result), Candidate, Test). is_prime(CoPrime, CoPrime, Candidate, Test) -> is_prime(Candidate, Test-1); -- cgit v1.2.3 From 6ec1399aa8e6f80d8423acc37027eeda4394e7ad Mon Sep 17 00:00:00 2001 From: Ingela Anderton Andin Date: Wed, 22 May 2013 11:17:11 +0200 Subject: ssl: Do not advertise EC ciphers if crypto support is insufficient --- lib/ssl/test/ssl_basic_SUITE.erl | 4 ++-- lib/ssl/test/ssl_test_lib.erl | 24 ++++++++++++++++++++---- lib/ssl/test/ssl_to_openssl_SUITE.erl | 6 +++--- 3 files changed, 25 insertions(+), 9 deletions(-) (limited to 'lib/ssl/test') diff --git a/lib/ssl/test/ssl_basic_SUITE.erl b/lib/ssl/test/ssl_basic_SUITE.erl index 165a8a5fcc..c4a6cf1407 100644 --- a/lib/ssl/test/ssl_basic_SUITE.erl +++ b/lib/ssl/test/ssl_basic_SUITE.erl @@ -1549,7 +1549,7 @@ ciphers_rsa_signed_certs(Config) when is_list(Config) -> Version = ssl_record:protocol_version(ssl_record:highest_protocol_version([])), - Ciphers = ssl_test_lib:rsa_suites(erlang), + Ciphers = ssl_test_lib:rsa_suites(crypto), ct:log("~p erlang cipher suites ~p~n", [Version, Ciphers]), run_suites(Ciphers, Version, Config, rsa). %%------------------------------------------------------------------- @@ -1559,7 +1559,7 @@ ciphers_rsa_signed_certs_openssl_names() -> ciphers_rsa_signed_certs_openssl_names(Config) when is_list(Config) -> Version = ssl_record:protocol_version(ssl_record:highest_protocol_version([])), - Ciphers = ssl_test_lib:openssl_rsa_suites(), + Ciphers = ssl_test_lib:openssl_rsa_suites(crypto), ct:log("tls1 openssl cipher suites ~p~n", [Ciphers]), run_suites(Ciphers, Version, Config, rsa). diff --git a/lib/ssl/test/ssl_test_lib.erl b/lib/ssl/test/ssl_test_lib.erl index 255df92d77..34c52b10b3 100644 --- a/lib/ssl/test/ssl_test_lib.erl +++ b/lib/ssl/test/ssl_test_lib.erl @@ -756,14 +756,20 @@ ecdh_rsa_suites() -> end, ssl:cipher_suites()). -openssl_rsa_suites() -> +openssl_rsa_suites(CounterPart) -> Ciphers = ssl:cipher_suites(openssl), + Names = case is_sane_ecc(CounterPart) of + true -> + "DSS | ECDSA"; + false -> + "DSS | ECDHE | ECDH" + end, lists:filter(fun(Str) -> - case re:run(Str,"DSS|ECDH-RSA|ECDSA",[]) of + case re:run(Str, Names,[]) of nomatch -> - true; + false; _ -> - false + true end end, Ciphers). @@ -994,6 +1000,16 @@ is_sane_ecc(openssl) -> _ -> true end; +is_sane_ecc(crypto) -> + [{_,_, Bin}] = crypto:info_lib(), + case binary_to_list(Bin) of + "OpenSSL 0.9.8" ++ _ -> % Does not support ECC + false; + "OpenSSL 0.9.7" ++ _ -> % Does not support ECC + false; + _ -> + true + end; is_sane_ecc(_) -> true. diff --git a/lib/ssl/test/ssl_to_openssl_SUITE.erl b/lib/ssl/test/ssl_to_openssl_SUITE.erl index 075b4b1ec4..7f91865a86 100644 --- a/lib/ssl/test/ssl_to_openssl_SUITE.erl +++ b/lib/ssl/test/ssl_to_openssl_SUITE.erl @@ -106,9 +106,9 @@ init_per_suite(Config0) -> ?config(priv_dir, Config0))), ct:log("Make certs ~p~n", [Result]), Config1 = ssl_test_lib:make_dsa_cert(Config0), - Config = ssl_test_lib:cert_options(Config1), - NewConfig = [{watchdog, Dog} | Config], - ssl_test_lib:cipher_restriction(NewConfig) + Config2 = ssl_test_lib:cert_options(Config1), + Config = [{watchdog, Dog} | Config2], + ssl_test_lib:cipher_restriction(Config) catch _:_ -> {skip, "Crypto did not start"} end -- cgit v1.2.3