1 /*
2  * %CopyrightBegin%
3  *
4  * Copyright Ericsson AB 2010-2020. All Rights Reserved.
5  *
6  * Licensed under the Apache License, Version 2.0 (the "License");
7  * you may not use this file except in compliance with the License.
8  * You may obtain a copy of the License at
9  *
10  *     http://www.apache.org/licenses/LICENSE-2.0
11  *
12  * Unless required by applicable law or agreed to in writing, software
13  * distributed under the License is distributed on an "AS IS" BASIS,
14  * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
15  * See the License for the specific language governing permissions and
16  * limitations under the License.
17  *
18  * %CopyrightEnd%
19  */
20 
21 #ifndef E_OPENSSL_CONFIG_H__
22 #define E_OPENSSL_CONFIG_H__ 1
23 
24 #define OPENSSL_THREAD_DEFINES
25 #include <openssl/opensslconf.h>
26 
27 #include <openssl/crypto.h>
28 #include <openssl/des.h>
29 
30 /* #include <openssl/idea.h> This is not supported on the openssl OTP requires */
31 #include <openssl/dh.h>
32 #include <openssl/dsa.h>
33 #include <openssl/rsa.h>
34 #include <openssl/aes.h>
35 #include <openssl/md5.h>
36 #include <openssl/md4.h>
37 #include <openssl/sha.h>
38 #include <openssl/ripemd.h>
39 #include <openssl/bn.h>
40 #include <openssl/objects.h>
41 #ifndef OPENSSL_NO_RC4
42     #include <openssl/rc4.h>
43 #endif /* OPENSSL_NO_RC4 */
44 #ifndef OPENSSL_NO_RC2
45     #include <openssl/rc2.h>
46 #endif
47 #include <openssl/blowfish.h>
48 #include <openssl/rand.h>
49 #include <openssl/evp.h>
50 #include <openssl/hmac.h>
51 #include <openssl/err.h>
52 
53 /* Helper macro to construct a OPENSSL_VERSION_NUMBER.
54  * See openssl/opensslv.h
55  */
56 #define PACKED_OPENSSL_VERSION(MAJ, MIN, FIX, P)	\
57     ((((((((MAJ << 8) | MIN) << 8 ) | FIX) << 8) | (P-'a'+1)) << 4) | 0xf)
58 
59 #define PACKED_OPENSSL_VERSION_PLAIN(MAJ, MIN, FIX) \
60     PACKED_OPENSSL_VERSION(MAJ,MIN,FIX,('a'-1))
61 
62 
63 /* LibreSSL was cloned from OpenSSL 1.0.1g and claims to be API and BPI compatible
64  * with 1.0.1.
65  *
66  * LibreSSL has the same names on include files and symbols as OpenSSL, but defines
67  * the OPENSSL_VERSION_NUMBER to be >= 2.0.0
68  *
69  * Therefor works tests like this as intendend:
70  *     OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,0,0)
71  * (The test is for example "2.4.2" >= "1.0.0" although the test
72  *  with the cloned OpenSSL test would be "1.0.1" >= "1.0.0")
73  *
74  * But tests like this gives wrong result:
75  *     OPENSSL_VERSION_NUMBER < PACKED_OPENSSL_VERSION_PLAIN(1,1,0)
76  * (The test is false since "2.4.2" < "1.1.0".  It should have been
77  *  true because the LibreSSL API version is "1.0.1")
78  *
79  */
80 
81 #ifdef LIBRESSL_VERSION_NUMBER
82 /* A macro to test on in this file */
83 #define HAS_LIBRESSL
84 #endif
85 
86 #ifdef HAS_LIBRESSL
87 /* LibreSSL dislikes FIPS */
88 # ifdef FIPS_SUPPORT
89 #  undef FIPS_SUPPORT
90 # endif
91 
92 /* LibreSSL has never supported the custom mem functions */
93 #ifndef HAS_LIBRESSL
94 #  define HAS_CRYPTO_MEM_FUNCTIONS
95 #endif
96 
97 # if LIBRESSL_VERSION_NUMBER < PACKED_OPENSSL_VERSION_PLAIN(2,7,0)
98 /* LibreSSL wants the 1.0.1 API */
99 # define NEED_EVP_COMPATIBILITY_FUNCTIONS
100 # endif
101 #endif
102 
103 
104 
105 #if OPENSSL_VERSION_NUMBER < PACKED_OPENSSL_VERSION_PLAIN(1,1,0)
106 # define NEED_EVP_COMPATIBILITY_FUNCTIONS
107 #endif
108 
109 #ifndef HAS_LIBRESSL
110 # if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,1,0)
111 #  define HAS_BN_bn2binpad
112 # endif
113 #endif
114 
115 #ifndef HAS_LIBRESSL
116 # if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,0,0)
117 #  define HAS_EVP_PKEY_CTX
118 #  define HAVE_EVP_CIPHER_CTX_COPY
119 # endif
120 
121 # if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,1,1)
122 #   define HAVE_PKEY_new_raw_private_key
123 #   define HAVE_EVP_PKEY_new_CMAC_key
124 #   define HAVE_DigestSign_as_single_op
125 # endif
126 #endif
127 
128 #if defined(HAS_EVP_PKEY_CTX) \
129     && OPENSSL_VERSION_NUMBER < PACKED_OPENSSL_VERSION_PLAIN(1,1,0)
130      /* EVP is slow on antique crypto libs.
131       * DISABLE_EVP_* is 0 or 1 from the configure script
132       */
133 # undef  DISABLE_EVP_DH
134 # define DISABLE_EVP_DH 1
135 # undef  DISABLE_EVP_HMAC
136 # define DISABLE_EVP_HMAC 1
137 #endif
138 
139 #if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,0,0)
140 #include <openssl/modes.h>
141 #endif
142 
143 #include "crypto_callback.h"
144 
145 #if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(0,9,8)	\
146     && !defined(OPENSSL_NO_SHA224) && defined(NID_sha224) \
147     && !defined(OPENSSL_NO_SHA256) /* disabled like this in my sha.h (?) */
148 # define HAVE_SHA224
149 #endif
150 #if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(0,9,8)	\
151     && !defined(OPENSSL_NO_SHA256) && defined(NID_sha256)
152 # define HAVE_SHA256
153 #endif
154 #if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(0,9,8)	\
155     && !defined(OPENSSL_NO_SHA384) && defined(NID_sha384)\
156     && !defined(OPENSSL_NO_SHA512) /* disabled like this in my sha.h (?) */
157 # define HAVE_SHA384
158 #endif
159 #if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(0,9,8)	\
160     && !defined(OPENSSL_NO_SHA512) && defined(NID_sha512)
161 # define HAVE_SHA512
162 #endif
163 #if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION(0,9,7,'e')
164 # define HAVE_DES_ede3_cfb_encrypt
165 #endif
166 
167 // SHA3:
168 #if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,1,1)
169 // An error in beta releases of 1.1.1 fixed in production release
170 # ifdef NID_sha3_224
171 #  define HAVE_SHA3_224
172 # endif
173 # ifdef NID_sha3_256
174 #  define HAVE_SHA3_256
175 # endif
176 #endif
177 # ifdef NID_sha3_384
178 #  define HAVE_SHA3_384
179 # endif
180 # ifdef NID_sha3_512
181 #  define HAVE_SHA3_512
182 # endif
183 
184 // BLAKE2:
185 #if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,1,1) \
186     && !defined(HAS_LIBRESSL) \
187     && !defined(OPENSSL_NO_BLAKE2)
188 # define HAVE_BLAKE2
189 #endif
190 
191 #ifndef OPENSSL_NO_BF
192 # define HAVE_BF
193 #endif
194 
195 #ifndef OPENSSL_NO_DES
196 # define HAVE_DES
197 #endif
198 
199 #ifndef OPENSSL_NO_DH
200 # define HAVE_DH
201 #endif
202 
203 #ifndef OPENSSL_NO_DSA
204 # define HAVE_DSA
205 #endif
206 
207 #ifndef OPENSSL_NO_MD4
208 # define HAVE_MD4
209 #endif
210 
211 #ifndef OPENSSL_NO_MD5
212 # define HAVE_MD5
213 #endif
214 
215 #ifndef OPENSSL_NO_RC2
216 # define HAVE_RC2
217 #endif
218 
219 #ifndef OPENSSL_NO_RC4
220 # define HAVE_RC4
221 #endif
222 
223 #ifndef OPENSSL_NO_RMD160
224 /* Note RMD160 vs RIPEMD160 */
225 # define HAVE_RIPEMD160
226 #endif
227 
228 
229 #if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION(0,9,8,'o') \
230 	&& !defined(OPENSSL_NO_EC) \
231 	&& !defined(OPENSSL_NO_ECDH) \
232 	&& !defined(OPENSSL_NO_ECDSA)
233 # define HAVE_EC
234 #endif
235 
236 // (test for >= 1.1.1pre8)
237 #if OPENSSL_VERSION_NUMBER >= (PACKED_OPENSSL_VERSION_PLAIN(1,1,1) -7) \
238     && !defined(HAS_LIBRESSL) \
239     && defined(HAVE_EC)
240 # ifdef HAVE_DH
241 #   define HAVE_EDDH
242 # endif
243 # if OPENSSL_VERSION_NUMBER >= (PACKED_OPENSSL_VERSION_PLAIN(1,1,1))
244 #   define HAVE_EDDSA
245 # endif
246 #endif
247 
248 #if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,0,1)
249 # define HAVE_EVP_AES_CTR
250 # define HAVE_AEAD
251 # define HAVE_GCM
252 # define HAVE_CCM
253 # ifndef OPENSSL_NO_CMAC
254 #   define HAVE_CMAC
255 # endif
256 # if defined(RSA_PKCS1_OAEP_PADDING)
257 #   define HAVE_RSA_OAEP_PADDING
258 # endif
259 # define HAVE_RSA_MGF1_MD
260 # if OPENSSL_VERSION_NUMBER < PACKED_OPENSSL_VERSION(1,0,1,'d')
261 #  define HAVE_GCM_EVP_DECRYPT_BUG
262 # endif
263 #endif
264 
265 #if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,1,0)
266 # ifndef HAS_LIBRESSL
267 #  if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
268 #    define HAVE_CHACHA20_POLY1305
269 #  endif
270 #  define HAVE_RSA_OAEP_MD
271 # endif
272 #endif
273 
274 #if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION(1,1,0,'d')
275 # ifndef HAS_LIBRESSL
276 #  ifndef OPENSSL_NO_CHACHA
277 #    define HAVE_CHACHA20
278 #  endif
279 # endif
280 #endif
281 
282 // OPENSSL_VERSION_NUMBER >= 1.1.1-pre8
283 #if OPENSSL_VERSION_NUMBER >= (PACKED_OPENSSL_VERSION_PLAIN(1,1,1)-7)
284 # ifndef HAS_LIBRESSL
285 #  if !defined(OPENSSL_NO_POLY1305)
286 #    define HAVE_POLY1305
287 #  endif
288 # endif
289 #endif
290 
291 #if OPENSSL_VERSION_NUMBER <= PACKED_OPENSSL_VERSION(0,9,8,'l')
292 # define HAVE_ECB_IVEC_BUG
293 # define HAVE_UPDATE_EMPTY_DATA_BUG
294 #endif
295 
296 #ifndef HAS_LIBRESSL
297 # ifdef RSA_SSLV23_PADDING
298 #  define HAVE_RSA_SSLV23_PADDING
299 # endif
300 #endif
301 
302 #if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,0,0)
303 # ifdef RSA_PKCS1_PSS_PADDING
304 #  define HAVE_RSA_PKCS1_PSS_PADDING
305 # endif
306 #endif
307 
308 #if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION(0,9,8,'h') \
309     && defined(HAVE_EC)
310 /* If OPENSSL_NO_EC is set, there will be an error in ec.h included from engine.h
311    So if EC is disabled, you can't use Engine either....
312 */
313 #if !defined(OPENSSL_NO_ENGINE)
314 # define HAS_ENGINE_SUPPORT
315 #endif
316 #endif
317 
318 
319 #if defined(HAS_ENGINE_SUPPORT)
320 # include <openssl/engine.h>
321 #endif
322 
323 #if defined(HAVE_CMAC)
324 #include <openssl/cmac.h>
325 #endif
326 
327 #if defined(HAVE_EC)
328 #include <openssl/ec.h>
329 #include <openssl/ecdh.h>
330 #include <openssl/ecdsa.h>
331 #endif
332 
333 #ifdef VALGRIND
334     #  include <valgrind/memcheck.h>
335 
336 /* libcrypto mixes supplied buffer contents into its entropy pool,
337    which makes valgrind complain about the use of uninitialized data.
338    We use this valgrind "request" to make sure that no such seemingly
339    undefined data is returned.
340 */
341     #  define ERL_VALGRIND_MAKE_MEM_DEFINED(ptr,size) \
342     VALGRIND_MAKE_MEM_DEFINED(ptr,size)
343 
344     #   define ERL_VALGRIND_ASSERT_MEM_DEFINED(Ptr,Size)			\
345           do {								\
346               int __erl_valgrind_mem_defined = VALGRIND_CHECK_MEM_IS_DEFINED((Ptr),(Size));	\
347               if (__erl_valgrind_mem_defined != 0) {			\
348 	          fprintf(stderr,"\r\n####### VALGRIND_ASSSERT(%p,%ld) failed at %s:%d\r\n", \
349 		          (Ptr),(long)(Size), __FILE__, __LINE__);	\
350 	          abort();						\
351               }								\
352           } while (0)
353 
354 #else
355     #  define ERL_VALGRIND_MAKE_MEM_DEFINED(ptr,size)
356     #  define ERL_VALGRIND_ASSERT_MEM_DEFINED(ptr,size)
357 #endif
358 
359 #ifdef DEBUG
360     #  define ASSERT(e) \
361     ((void) ((e) ? 1 : (fprintf(stderr,"Assert '%s' failed at %s:%d\n",\
362 				#e, __FILE__, __LINE__), abort(), 0)))
363 #else
364     #  define ASSERT(e) ((void) 1)
365 #endif
366 
367 #ifdef __GNUC__
368     #  define INLINE __inline__
369 #elif defined(__WIN32__)
370     #  define INLINE __forceinline
371 #else
372     #  define INLINE
373 #endif
374 
375 
376 #define get_int32(s) ((((unsigned char*) (s))[0] << 24) | \
377                       (((unsigned char*) (s))[1] << 16) | \
378                       (((unsigned char*) (s))[2] << 8)  | \
379                       (((unsigned char*) (s))[3]))
380 
381 #define put_uint32(s,i) \
382 { (s)[0] = (unsigned char)(((i) >> 24) & 0xff);\
383   (s)[1] = (unsigned char)(((i) >> 16) & 0xff);\
384   (s)[2] = (unsigned char)(((i) >> 8) & 0xff);\
385   (s)[3] = (unsigned char)((i) & 0xff);\
386 }
387 
388 /* This shall correspond to the similar macro in crypto.erl */
389 /* Current value is: erlang:system_info(context_reductions) * 10 */
390 #define MAX_BYTES_TO_NIF 20000
391 
392 #define CONSUME_REDS(NifEnv, Ibin)			\
393 do {                                                    \
394     size_t _cost = (Ibin).size;                         \
395     if (_cost > SIZE_MAX / 100)                         \
396         _cost = 100;                                    \
397     else                                                \
398         _cost = (_cost * 100) / MAX_BYTES_TO_NIF;       \
399                                                         \
400     if (_cost) {                                        \
401         (void) enif_consume_timeslice((NifEnv),		\
402                 (_cost > 100) ? 100 : (int)_cost);      \
403     }                                                   \
404  } while (0)
405 
406 #ifdef NEED_EVP_COMPATIBILITY_FUNCTIONS
407 #  include "evp_compat.h"
408 #else
409 #  define HAVE_OPAQUE_BN_GENCB
410 #endif
411 
412 #if 0
413 #  define PRINTF_ERR0(FMT)         enif_fprintf(stderr, FMT "\n")
414 #  define PRINTF_ERR1(FMT, A1)     enif_fprintf(stderr, FMT "\n", A1)
415 #  define PRINTF_ERR2(FMT, A1, A2) enif_fprintf(stderr, FMT "\n", A1, A2)
416 #else
417 #  define PRINTF_ERR0(FMT)
418 #  define PRINTF_ERR1(FMT,A1)
419 #  define PRINTF_ERR2(FMT,A1,A2)
420 #endif
421 
422 #if defined(FIPS_SUPPORT) \
423     && OPENSSL_VERSION_NUMBER  < PACKED_OPENSSL_VERSION_PLAIN(1,0,1)
424 /* FIPS is not supported for versions < 1.0.1.  If FIPS_SUPPORT is enabled
425    there are some warnings/errors for thoose
426 */
427 # undef FIPS_SUPPORT
428 #endif
429 
430 
431 #ifdef FIPS_SUPPORT
432 /* In FIPS mode non-FIPS algorithms are disabled and return badarg. */
433 #define CHECK_NO_FIPS_MODE() { if (FIPS_mode()) return atom_notsup; }
434 #else
435 #define CHECK_NO_FIPS_MODE()
436 #endif
437 
438 #endif /* E_OPENSSL_CONFIG_H__ */
439