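/*
 * %CopyrightBegin%
 *
 * Copyright Ericsson AB 2010-2020. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * %CopyrightEnd%
 */

/*
 * Compile-time feature detection for the libcrypto the code is built against.
 *
 * Everything below is decided by the preprocessor from the version number and
 * the OPENSSL_NO_* / NID_* / RSA_*_PADDING macros of the included headers.
 * The HAVE_* and HAS_* flags therefore describe the headers seen at build time;
 * nothing in this file checks the library that is loaded at run time.
 */

#ifndef E_OPENSSL_CONFIG_H__
#define E_OPENSSL_CONFIG_H__ 1

#define OPENSSL_THREAD_DEFINES
#include <openssl/opensslconf.h>

#include <openssl/crypto.h>
#include <openssl/des.h>

/* #include <openssl/idea.h> This is not supported on the openssl OTP requires */
#include <openssl/dsa.h>
#include <openssl/rsa.h>
#include <openssl/aes.h>
#include <openssl/md5.h>
#include <openssl/md4.h>
#include <openssl/sha.h>
#include <openssl/ripemd.h>
#include <openssl/bn.h>
#include <openssl/objects.h>
#ifndef OPENSSL_NO_RC4
# include <openssl/rc4.h>
#endif /* OPENSSL_NO_RC4 */
#ifndef OPENSSL_NO_RC2
# include <openssl/rc2.h>
#endif
#include <openssl/blowfish.h>
#include <openssl/rand.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/err.h>

/* Helper macro to construct a OPENSSL_VERSION_NUMBER.
 * See openssl/opensslv.h
 *
 * The result is MAJ<<28 | MIN<<20 | FIX<<12 | patch<<4 | 0xf, where the patch
 * letter P is mapped to 'a' -> 1, 'b' -> 2, ... and the low nibble 0xf is
 * always set. Arguments are parenthesized so that an expression can be passed
 * without changing the grouping.
 */
#define PACKED_OPENSSL_VERSION(MAJ, MIN, FIX, P) \
    (((((((((MAJ) << 8) | (MIN)) << 8) | (FIX)) << 8) | ((P) - 'a' + 1)) << 4) | 0xf)

/* Same, for a version without a patch letter (patch field becomes 0). */
#define PACKED_OPENSSL_VERSION_PLAIN(MAJ, MIN, FIX) \
    PACKED_OPENSSL_VERSION(MAJ,MIN,FIX,('a'-1))


/* LibreSSL was cloned from OpenSSL 1.0.1g and claims to be API and ABI compatible
 * with 1.0.1.
 *
 * LibreSSL has the same names on include files and symbols as OpenSSL, but defines
 * the OPENSSL_VERSION_NUMBER to be >= 2.0.0
 *
 * Therefore tests like this work as intended:
 *     OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,0,0)
 * (The test is for example "2.4.2" >= "1.0.0" although the test
 *  with the cloned OpenSSL test would be "1.0.1" >= "1.0.0")
 *
 * But tests like this give the wrong result:
 *     OPENSSL_VERSION_NUMBER < PACKED_OPENSSL_VERSION_PLAIN(1,1,0)
 * (The test is false since it evaluates "2.4.2" < "1.1.0". It should have been
 *  true because the LibreSSL API version is "1.0.1")
 *
 * This is why the upper-bounded and newer-feature tests below also look at
 * HAS_LIBRESSL instead of relying on OPENSSL_VERSION_NUMBER alone.
 */

#ifdef LIBRESSL_VERSION_NUMBER
/* A macro to test on in this file */
# define HAS_LIBRESSL
#endif

#ifdef HAS_LIBRESSL
/* LibreSSL dislikes FIPS */
# ifdef FIPS_SUPPORT
#  undef FIPS_SUPPORT
# endif

/* LibreSSL has never supported the custom mem functions */
/* NOTE(review): this #ifndef is nested inside "#ifdef HAS_LIBRESSL", so the
 * define below can never be reached and this header never sets
 * HAS_CRYPTO_MEM_FUNCTIONS, for OpenSSL builds either. It is left unchanged
 * here because enabling it would alter how the rest of the library is built;
 * confirm which behaviour is intended.
 */
# ifndef HAS_LIBRESSL
#  define HAS_CRYPTO_MEM_FUNCTIONS
# endif

# if LIBRESSL_VERSION_NUMBER < PACKED_OPENSSL_VERSION_PLAIN(2,7,0)
/* LibreSSL wants the 1.0.1 API */
#  define NEED_EVP_COMPATIBILITY_FUNCTIONS
# endif
#endif



#if OPENSSL_VERSION_NUMBER < PACKED_OPENSSL_VERSION_PLAIN(1,1,0)
# define NEED_EVP_COMPATIBILITY_FUNCTIONS
#endif

#ifndef HAS_LIBRESSL
# if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,1,0)
#  define HAS_BN_bn2binpad
# endif
#endif

#ifndef HAS_LIBRESSL
# if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,0,0)
#  define HAS_EVP_PKEY_CTX
#  define HAVE_EVP_CIPHER_CTX_COPY
# endif

# if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,1,1)
#  define HAVE_PKEY_new_raw_private_key
#  define HAVE_EVP_PKEY_new_CMAC_key
#  define HAVE_DigestSign_as_single_op
# endif
#endif


#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,0,0)
# include <openssl/modes.h>
#endif

#include "crypto_callback.h"

#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(0,9,8) \
    && !defined(OPENSSL_NO_SHA224) && defined(NID_sha224) \
    && !defined(OPENSSL_NO_SHA256) /* disabled like this in my sha.h (?) */
# define HAVE_SHA224
#endif
#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(0,9,8) \
    && !defined(OPENSSL_NO_SHA256) && defined(NID_sha256)
# define HAVE_SHA256
#endif
#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(0,9,8) \
    && !defined(OPENSSL_NO_SHA384) && defined(NID_sha384)\
    && !defined(OPENSSL_NO_SHA512) /* disabled like this in my sha.h (?) */
# define HAVE_SHA384
#endif
#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(0,9,8) \
    && !defined(OPENSSL_NO_SHA512) && defined(NID_sha512)
# define HAVE_SHA512
#endif
#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION(0,9,7,'e')
# define HAVE_DES_ede3_cfb_encrypt
#endif

// SHA3:
#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,1,1)
// An error in beta releases of 1.1.1 fixed in production release
// All four digest tests are kept inside the version guard. The 384 and 512
// tests previously followed the closing #endif, so a 1.1.1 pre-release that
// defines the NIDs would have enabled them without the guard.
# ifdef NID_sha3_224
#  define HAVE_SHA3_224
# endif
# ifdef NID_sha3_256
#  define HAVE_SHA3_256
# endif
# ifdef NID_sha3_384
#  define HAVE_SHA3_384
# endif
# ifdef NID_sha3_512
#  define HAVE_SHA3_512
# endif
#endif

// BLAKE2:
#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,1,1) \
    && !defined(HAS_LIBRESSL) \
    && !defined(OPENSSL_NO_BLAKE2)
# define HAVE_BLAKE2
#endif

/* The flags below mirror the OPENSSL_NO_* build options of the headers.
 * They record that an algorithm is available, not that it is advisable:
 * MD4, MD5, RC2, RC4 and single DES are legacy algorithms.
 */
#ifndef OPENSSL_NO_BF
# define HAVE_BF
#endif

#ifndef OPENSSL_NO_DES
# define HAVE_DES
#endif

#ifndef OPENSSL_NO_DH
# define HAVE_DH
#endif

#ifndef OPENSSL_NO_DSA
# define HAVE_DSA
#endif

#ifndef OPENSSL_NO_MD4
# define HAVE_MD4
#endif

#ifndef OPENSSL_NO_MD5
# define HAVE_MD5
#endif

#ifndef OPENSSL_NO_RC2
# define HAVE_RC2
#endif

#ifndef OPENSSL_NO_RC4
# define HAVE_RC4
#endif

#ifndef OPENSSL_NO_RMD160
/* Note RMD160 vs RIPEMD160 */
# define HAVE_RIPEMD160
#endif


#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION(0,9,8,'o') \
    && !defined(OPENSSL_NO_EC) \
    && !defined(OPENSSL_NO_ECDH) \
    && !defined(OPENSSL_NO_ECDSA)
# define HAVE_EC
#endif

// (test for >= 1.1.1pre8)
// Subtracting 7 lowers the 0xf in the low nibble of the packed number to 8.
#if OPENSSL_VERSION_NUMBER >= (PACKED_OPENSSL_VERSION_PLAIN(1,1,1) -7) \
    && !defined(HAS_LIBRESSL) \
    && defined(HAVE_EC)
# define HAVE_ED_CURVE_DH
# if OPENSSL_VERSION_NUMBER >= (PACKED_OPENSSL_VERSION_PLAIN(1,1,1))
#  define HAVE_EDDSA
# endif
#endif

#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION(0,9,8,'c')
# define HAVE_AES_IGE
#endif

#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,0,1)
# define HAVE_EVP_AES_CTR
# define HAVE_AEAD
# define HAVE_GCM
# define HAVE_CCM
# ifndef OPENSSL_NO_CMAC
#  define HAVE_CMAC
# endif
# if defined(RSA_PKCS1_OAEP_PADDING)
#  define HAVE_RSA_OAEP_PADDING
# endif
# define HAVE_RSA_MGF1_MD
/* Set only for 1.0.1 up to, but not including, 1.0.1d. */
# if OPENSSL_VERSION_NUMBER < PACKED_OPENSSL_VERSION(1,0,1,'d')
#  define HAVE_GCM_EVP_DECRYPT_BUG
# endif
#endif

#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,1,0)
# ifndef HAS_LIBRESSL
#  if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
#   define HAVE_CHACHA20_POLY1305
#  endif
#  define HAVE_RSA_OAEP_MD
# endif
#endif

#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION(1,1,0,'d')
# ifndef HAS_LIBRESSL
#  ifndef OPENSSL_NO_CHACHA
#   define HAVE_CHACHA20
#  endif
# endif
#endif

// OPENSSL_VERSION_NUMBER >= 1.1.1-pre8
#if OPENSSL_VERSION_NUMBER >= (PACKED_OPENSSL_VERSION_PLAIN(1,1,1)-7)
# ifndef HAS_LIBRESSL
#  if !defined(OPENSSL_NO_POLY1305)
#   define HAVE_POLY1305
#  endif
# endif
#endif

/* Set for every version up to and including 0.9.8l. */
#if OPENSSL_VERSION_NUMBER <= PACKED_OPENSSL_VERSION(0,9,8,'l')
# define HAVE_ECB_IVEC_BUG
#endif

#ifndef HAS_LIBRESSL
# ifdef RSA_SSLV23_PADDING
#  define HAVE_RSA_SSLV23_PADDING
# endif
#endif

#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,0,0)
# ifdef RSA_PKCS1_PSS_PADDING
#  define HAVE_RSA_PKCS1_PSS_PADDING
# endif
#endif

#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION(0,9,8,'h') \
    && defined(HAVE_EC)
/* If OPENSSL_NO_EC is set, there will be an error in ec.h included from engine.h
   So if EC is disabled, you can't use Engine either....
*/
# define HAS_ENGINE_SUPPORT
#endif


#if defined(HAS_ENGINE_SUPPORT)
# include <openssl/engine.h>
#endif

#if defined(HAVE_CMAC)
# include <openssl/cmac.h>
#endif

#if defined(HAVE_EC)
# include <openssl/ec.h>
# include <openssl/ecdh.h>
# include <openssl/ecdsa.h>
#endif

#ifdef VALGRIND
# include <valgrind/memcheck.h>

/* libcrypto mixes supplied buffer contents into its entropy pool,
   which makes valgrind complain about the use of uninitialized data.
   We use this valgrind "request" to make sure that no such seemingly
   undefined data is returned.
*/
# define ERL_VALGRIND_MAKE_MEM_DEFINED(ptr,size) \
    VALGRIND_MAKE_MEM_DEFINED(ptr,size)

/* Aborts the process when valgrind reports any byte of the range as undefined.
 * The expansion calls fprintf() and abort(), so the including file must
 * provide their declarations.
 */
# define ERL_VALGRIND_ASSERT_MEM_DEFINED(Ptr,Size) \
    do { \
        int __erl_valgrind_mem_defined = VALGRIND_CHECK_MEM_IS_DEFINED((Ptr),(Size)); \
        if (__erl_valgrind_mem_defined != 0) { \
            fprintf(stderr,"\r\n####### VALGRIND_ASSSERT(%p,%ld) failed at %s:%d\r\n", \
                    (Ptr),(long)(Size), __FILE__, __LINE__); \
            abort(); \
        } \
    } while (0)

#else
/* Without VALGRIND both macros expand to nothing. */
# define ERL_VALGRIND_MAKE_MEM_DEFINED(ptr,size)
# define ERL_VALGRIND_ASSERT_MEM_DEFINED(ptr,size)
#endif

/* ASSERT(e) is active only in DEBUG builds. In other builds it expands to
 * ((void) 1) and `e` is not evaluated, so it must not carry a side effect or
 * stand in for a run-time check on input.
 */
#ifdef DEBUG
# define ASSERT(e) \
    ((void) ((e) ? 1 : (fprintf(stderr,"Assert '%s' failed at %s:%d\n",\
                                #e, __FILE__, __LINE__), abort(), 0)))
#else
# define ASSERT(e) ((void) 1)
#endif

#ifdef __GNUC__
# define INLINE __inline__
#elif defined(__WIN32__)
# define INLINE __forceinline
#else
# define INLINE
#endif


/* Read four bytes at `s` as a big-endian 32-bit value, yielding an int.
 *
 * Each byte is widened to unsigned int before shifting. Shifting the promoted
 * (signed) int left by 24 is undefined behaviour when the first byte is 0x80
 * or above. The final cast keeps the result type int, so a value with the top
 * bit set is negative (on the usual 32-bit int); a caller that uses the result
 * as a length has to range-check it first.
 * `s` is evaluated four times.
 */
#define get_int32(s) ((int) ((((unsigned int) ((unsigned char*) (s))[0]) << 24) | \
                             (((unsigned int) ((unsigned char*) (s))[1]) << 16) | \
                             (((unsigned int) ((unsigned char*) (s))[2]) << 8)  | \
                             (((unsigned int) ((unsigned char*) (s))[3]))))

/* Store the low 32 bits of `i` at `s` in big-endian byte order.
 *
 * The expansion is a bare brace block, not do { } while (0): written as
 * `if (c) put_uint32(p, v); else ...` it does not compile, so brace the
 * branch at the call site. `s` and `i` are each evaluated four times.
 */
#define put_uint32(s,i) \
{ (s)[0] = (unsigned char)(((i) >> 24) & 0xff);\
  (s)[1] = (unsigned char)(((i) >> 16) & 0xff);\
  (s)[2] = (unsigned char)(((i) >> 8) & 0xff);\
  (s)[3] = (unsigned char)((i) & 0xff);\
}

/* This shall correspond to the similar macro in crypto.erl */
/* Current value is: erlang:system_info(context_reductions) * 10 */
#define MAX_BYTES_TO_NIF 20000

/* Charge the scheduler for work proportional to the size of `Ibin`.
 *
 * The cost is size * 100 / MAX_BYTES_TO_NIF, capped at 100 before it is passed
 * to enif_consume_timeslice(). A size above SIZE_MAX / 100 is set to 100
 * directly, so the multiplication cannot wrap. A cost of 0 makes no call.
 * The expansion needs SIZE_MAX and enif_consume_timeslice() in scope.
 */
#define CONSUME_REDS(NifEnv, Ibin)                              \
do {                                                            \
    size_t _cost = (Ibin).size;                                 \
    if (_cost > SIZE_MAX / 100)                                 \
        _cost = 100;                                            \
    else                                                        \
        _cost = (_cost * 100) / MAX_BYTES_TO_NIF;               \
                                                                \
    if (_cost) {                                                \
        (void) enif_consume_timeslice((NifEnv),                 \
                (_cost > 100) ? 100 : (int)_cost);              \
    }                                                           \
 } while (0)

#ifdef NEED_EVP_COMPATIBILITY_FUNCTIONS
# include "evp_compat.h"
#else
# define HAVE_OPAQUE_BN_GENCB
#endif

/* Debug printouts, compiled out. Change "#if 0" to "#if 1" to enable them. */
#if 0
# define PRINTF_ERR0(FMT)         enif_fprintf(stderr, FMT "\n")
# define PRINTF_ERR1(FMT, A1)     enif_fprintf(stderr, FMT "\n", A1)
# define PRINTF_ERR2(FMT, A1, A2) enif_fprintf(stderr, FMT "\n", A1, A2)
#else
# define PRINTF_ERR0(FMT)
# define PRINTF_ERR1(FMT,A1)
# define PRINTF_ERR2(FMT,A1,A2)
#endif

#ifdef FIPS_SUPPORT
/* In FIPS mode non-FIPS algorithms are disabled: the macro expands to a
 * `return atom_notsup;` taken when FIPS_mode() is non-zero, so it can only be
 * used inside a function where atom_notsup is in scope.
 * Without FIPS_SUPPORT (always the case for LibreSSL, see above) it expands
 * to nothing and performs no check.
 */
# define CHECK_NO_FIPS_MODE() { if (FIPS_mode()) return atom_notsup; }
#else
# define CHECK_NO_FIPS_MODE()
#endif

#endif /* E_OPENSSL_CONFIG_H__ */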