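/*
 * %CopyrightBegin%
 *
 * Copyright Ericsson AB 2010-2020. All Rights Reserved.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * %CopyrightEnd%
 */

/*
 * Compile-time feature detection for the crypto library headers.
 *
 * Maps OPENSSL_VERSION_NUMBER / LIBRESSL_VERSION_NUMBER and the library's
 * OPENSSL_NO_* switches to the HAVE_*, HAS_* and NEED_* macros tested in
 * this header, and defines a few small helper macros (ASSERT, get_int32,
 * put_uint32, CONSUME_REDS, CHECK_NO_FIPS_MODE).
 *
 * Every test here is evaluated by the preprocessor against the headers
 * found at build time.
 */

#ifndef E_OPENSSL_CONFIG_H__
#define E_OPENSSL_CONFIG_H__ 1

#define OPENSSL_THREAD_DEFINES
#include <openssl/opensslconf.h>

#include <openssl/crypto.h>
#include <openssl/des.h>

/* #include <openssl/idea.h> This is not supported on the openssl OTP requires */
#include <openssl/dh.h>
#include <openssl/dsa.h>
#include <openssl/rsa.h>
#include <openssl/aes.h>
#include <openssl/md5.h>
#include <openssl/md4.h>
#include <openssl/sha.h>
#include <openssl/ripemd.h>
#include <openssl/bn.h>
#include <openssl/objects.h>
#ifndef OPENSSL_NO_RC4
# include <openssl/rc4.h>
#endif /* OPENSSL_NO_RC4 */
#ifndef OPENSSL_NO_RC2
# include <openssl/rc2.h>
#endif
#include <openssl/blowfish.h>
#include <openssl/rand.h>
#include <openssl/evp.h>
#include <openssl/hmac.h>
#include <openssl/err.h>

/* Helper macro to construct a OPENSSL_VERSION_NUMBER.
 * See openssl/opensslv.h
 *
 * MAJ, MIN and FIX are the three version numbers and P is the patch letter
 * ('a', 'b', ...). Every argument is parenthesized so that an expression
 * argument cannot regroup with the shifts and ors. The result is usable in
 * #if expressions.
 */
#define PACKED_OPENSSL_VERSION(MAJ, MIN, FIX, P) \
    (((((((((MAJ) << 8) | (MIN)) << 8) | (FIX)) << 8) | ((P) - 'a' + 1)) << 4) | 0xf)

/* Same as above for a version without a patch letter (patch field 0). */
#define PACKED_OPENSSL_VERSION_PLAIN(MAJ, MIN, FIX) \
    PACKED_OPENSSL_VERSION(MAJ, MIN, FIX, ('a' - 1))


/* LibreSSL was cloned from OpenSSL 1.0.1g and claims to be API and BPI compatible
 * with 1.0.1.
 *
 * LibreSSL has the same names on include files and symbols as OpenSSL, but defines
 * the OPENSSL_VERSION_NUMBER to be >= 2.0.0
 *
 * Therefore tests like this work as intended:
 *     OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,0,0)
 * (The test is for example "2.4.2" >= "1.0.0" although the test
 *  with the cloned OpenSSL test would be "1.0.1" >= "1.0.0")
 *
 * But tests like this give the wrong result:
 *     OPENSSL_VERSION_NUMBER < PACKED_OPENSSL_VERSION_PLAIN(1,1,0)
 * (The test is false since "2.4.2" < "1.1.0".  It should have been
 *  true because the LibreSSL API version is "1.0.1")
 *
 * This is why version tests for newer features below are combined with
 * a HAS_LIBRESSL test.
 */

#ifdef LIBRESSL_VERSION_NUMBER
/* A macro to test on in this file */
# define HAS_LIBRESSL
#endif

#ifdef HAS_LIBRESSL
/* LibreSSL dislikes FIPS */
# ifdef FIPS_SUPPORT
#  undef FIPS_SUPPORT
# endif

/* LibreSSL has never supported the custom mem functions */
/* NOTE(review): this #ifndef sits inside "#ifdef HAS_LIBRESSL", so its
 * condition can never be true and HAS_CRYPTO_MEM_FUNCTIONS is never defined
 * by this header. Left unchanged because defining it would alter the build;
 * confirm whether it was meant to be outside the enclosing block.
 */
# ifndef HAS_LIBRESSL
#  define HAS_CRYPTO_MEM_FUNCTIONS
# endif

# if LIBRESSL_VERSION_NUMBER < PACKED_OPENSSL_VERSION_PLAIN(2,7,0)
/* LibreSSL wants the 1.0.1 API */
#  define NEED_EVP_COMPATIBILITY_FUNCTIONS
# endif
#endif



#if OPENSSL_VERSION_NUMBER < PACKED_OPENSSL_VERSION_PLAIN(1,1,0)
# define NEED_EVP_COMPATIBILITY_FUNCTIONS
#endif

#ifndef HAS_LIBRESSL
# if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,1,0)
#  define HAS_BN_bn2binpad
# endif
#endif

#ifndef HAS_LIBRESSL
# if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,0,0)
#  define HAS_EVP_PKEY_CTX
#  define HAVE_EVP_CIPHER_CTX_COPY
# endif

# if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,1,1)
#  define HAVE_PKEY_new_raw_private_key
#  define HAVE_EVP_PKEY_new_CMAC_key
#  define HAVE_DigestSign_as_single_op
# endif
#endif

#if defined(HAS_EVP_PKEY_CTX) \
    && OPENSSL_VERSION_NUMBER < PACKED_OPENSSL_VERSION_PLAIN(1,1,0)
/* EVP is slow on antique crypto libs.
 * DISABLE_EVP_* is 0 or 1 from the configure script
 * and is forced to 1 here for these versions.
 */
# undef  DISABLE_EVP_DH
# define DISABLE_EVP_DH 1
# undef  DISABLE_EVP_HMAC
# define DISABLE_EVP_HMAC 1
#endif

#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,0,0)
# include <openssl/modes.h>
#endif

#include "crypto_callback.h"

/* SHA-2: each digest needs version >= 0.9.8, its NID and no OPENSSL_NO_* switch. */
#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(0,9,8) \
    && !defined(OPENSSL_NO_SHA224) && defined(NID_sha224) \
    && !defined(OPENSSL_NO_SHA256) /* disabled like this in my sha.h (?) */
# define HAVE_SHA224
#endif
#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(0,9,8) \
    && !defined(OPENSSL_NO_SHA256) && defined(NID_sha256)
# define HAVE_SHA256
#endif
#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(0,9,8) \
    && !defined(OPENSSL_NO_SHA384) && defined(NID_sha384) \
    && !defined(OPENSSL_NO_SHA512) /* disabled like this in my sha.h (?) */
# define HAVE_SHA384
#endif
#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(0,9,8) \
    && !defined(OPENSSL_NO_SHA512) && defined(NID_sha512)
# define HAVE_SHA512
#endif
#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION(0,9,7,'e')
# define HAVE_DES_ede3_cfb_encrypt
#endif

// SHA3:
#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,1,1)
// An error in beta releases of 1.1.1 fixed in production release
# ifdef NID_sha3_224
#  define HAVE_SHA3_224
# endif
# ifdef NID_sha3_256
#  define HAVE_SHA3_256
# endif
#endif
// NOTE(review): the #endif above closes the version test, so the two checks
// below depend only on the NID being defined, on any library version.
// Confirm that SHA3-384/512 are meant to be outside the 1.1.1 guard.
#ifdef NID_sha3_384
# define HAVE_SHA3_384
#endif
#ifdef NID_sha3_512
# define HAVE_SHA3_512
#endif

// BLAKE2:
#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,1,1) \
    && !defined(HAS_LIBRESSL) \
    && !defined(OPENSSL_NO_BLAKE2)
# define HAVE_BLAKE2
#endif

/* The flags below record only that the headers were built without the
 * matching OPENSSL_NO_* switch.
 */
#ifndef OPENSSL_NO_BF
# define HAVE_BF
#endif

#ifndef OPENSSL_NO_DES
# define HAVE_DES
#endif

#ifndef OPENSSL_NO_DH
# define HAVE_DH
#endif

#ifndef OPENSSL_NO_DSA
# define HAVE_DSA
#endif

#ifndef OPENSSL_NO_MD4
# define HAVE_MD4
#endif

#ifndef OPENSSL_NO_MD5
# define HAVE_MD5
#endif

#ifndef OPENSSL_NO_RC2
# define HAVE_RC2
#endif

#ifndef OPENSSL_NO_RC4
# define HAVE_RC4
#endif

#ifndef OPENSSL_NO_RMD160
/* Note RMD160 vs RIPEMD160 */
# define HAVE_RIPEMD160
#endif


#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION(0,9,8,'o') \
    && !defined(OPENSSL_NO_EC) \
    && !defined(OPENSSL_NO_ECDH) \
    && !defined(OPENSSL_NO_ECDSA)
# define HAVE_EC
#endif

// (test for >= 1.1.1pre8)
#if OPENSSL_VERSION_NUMBER >= (PACKED_OPENSSL_VERSION_PLAIN(1,1,1) - 7) \
    && !defined(HAS_LIBRESSL) \
    && defined(HAVE_EC)
# ifdef HAVE_DH
#  define HAVE_EDDH
# endif
# if OPENSSL_VERSION_NUMBER >= (PACKED_OPENSSL_VERSION_PLAIN(1,1,1))
#  define HAVE_EDDSA
# endif
#endif

#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,0,1)
# define HAVE_EVP_AES_CTR
# define HAVE_AEAD
# define HAVE_GCM
# define HAVE_CCM
# ifndef OPENSSL_NO_CMAC
#  define HAVE_CMAC
# endif
# if defined(RSA_PKCS1_OAEP_PADDING)
#  define HAVE_RSA_OAEP_PADDING
# endif
# define HAVE_RSA_MGF1_MD
/* Set for 1.0.1 up to, but not including, 1.0.1d */
# if OPENSSL_VERSION_NUMBER < PACKED_OPENSSL_VERSION(1,0,1,'d')
#  define HAVE_GCM_EVP_DECRYPT_BUG
# endif
#endif

#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,1,0)
# ifndef HAS_LIBRESSL
#  if !defined(OPENSSL_NO_CHACHA) && !defined(OPENSSL_NO_POLY1305)
#   define HAVE_CHACHA20_POLY1305
#  endif
#  define HAVE_RSA_OAEP_MD
# endif
#endif

#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION(1,1,0,'d')
# ifndef HAS_LIBRESSL
#  ifndef OPENSSL_NO_CHACHA
#   define HAVE_CHACHA20
#  endif
# endif
#endif

// OPENSSL_VERSION_NUMBER >= 1.1.1-pre8
#if OPENSSL_VERSION_NUMBER >= (PACKED_OPENSSL_VERSION_PLAIN(1,1,1) - 7)
# ifndef HAS_LIBRESSL
#  if !defined(OPENSSL_NO_POLY1305)
#   define HAVE_POLY1305
#  endif
# endif
#endif

#if OPENSSL_VERSION_NUMBER <= PACKED_OPENSSL_VERSION(0,9,8,'l')
# define HAVE_ECB_IVEC_BUG
# define HAVE_UPDATE_EMPTY_DATA_BUG
#endif

#ifndef HAS_LIBRESSL
# ifdef RSA_SSLV23_PADDING
#  define HAVE_RSA_SSLV23_PADDING
# endif
#endif

#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,0,0)
# ifdef RSA_PKCS1_PSS_PADDING
#  define HAVE_RSA_PKCS1_PSS_PADDING
# endif
#endif

#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION(0,9,8,'h') \
    && defined(HAVE_EC)
/* If OPENSSL_NO_EC is set, there will be an error in ec.h included from engine.h
   So if EC is disabled, you can't use Engine either....
*/
# if !defined(OPENSSL_NO_ENGINE)
#  define HAS_ENGINE_SUPPORT
# endif
#endif


#if defined(HAS_ENGINE_SUPPORT)
# include <openssl/engine.h>
#endif

#if defined(HAVE_CMAC)
# include <openssl/cmac.h>
#endif

#if defined(HAVE_EC)
# include <openssl/ec.h>
# include <openssl/ecdh.h>
# include <openssl/ecdsa.h>
#endif

#ifdef VALGRIND
# include <valgrind/memcheck.h>

/* libcrypto mixes supplied buffer contents into its entropy pool,
   which makes valgrind complain about the use of uninitialized data.
   We use this valgrind "request" to make sure that no such seemingly
   undefined data is returned.
*/
# define ERL_VALGRIND_MAKE_MEM_DEFINED(ptr,size) \
    VALGRIND_MAKE_MEM_DEFINED(ptr,size)

/* Aborts with a message on stderr if valgrind reports any byte of
 * [Ptr, Ptr+Size) as undefined.
 */
# define ERL_VALGRIND_ASSERT_MEM_DEFINED(Ptr,Size) \
    do { \
        int __erl_valgrind_mem_defined = VALGRIND_CHECK_MEM_IS_DEFINED((Ptr),(Size)); \
        if (__erl_valgrind_mem_defined != 0) { \
            fprintf(stderr,"\r\n####### VALGRIND_ASSSERT(%p,%ld) failed at %s:%d\r\n", \
                    (Ptr),(long)(Size), __FILE__, __LINE__); \
            abort(); \
        } \
    } while (0)

#else
/* Without VALGRIND both requests expand to nothing. */
# define ERL_VALGRIND_MAKE_MEM_DEFINED(ptr,size)
# define ERL_VALGRIND_ASSERT_MEM_DEFINED(ptr,size)
#endif

/* ASSERT(e) prints the failed expression and aborts in DEBUG builds.
 * In other builds it does not evaluate e, so e must have no side effects
 * the program relies on, and it is not a substitute for input validation.
 */
#ifdef DEBUG
# define ASSERT(e) \
    ((void) ((e) ? 1 : (fprintf(stderr,"Assert '%s' failed at %s:%d\n",\
                                #e, __FILE__, __LINE__), abort(), 0)))
#else
# define ASSERT(e) ((void) 1)
#endif

#ifdef __GNUC__
# define INLINE __inline__
#elif defined(__WIN32__)
# define INLINE __forceinline
#else
# define INLINE
#endif


/* Reads four bytes at s as a big-endian 32-bit value and yields an int.
 *
 * Each byte is widened to unsigned int before it is shifted: shifting the
 * promoted (signed) int left by 24 when the first byte is >= 0x80 is
 * undefined behaviour. The final cast keeps the int result type callers see.
 * The caller must ensure that at least four bytes are readable at s.
 */
#define get_int32(s) ((int)(((unsigned int)((unsigned char*) (s))[0] << 24) | \
                            ((unsigned int)((unsigned char*) (s))[1] << 16) | \
                            ((unsigned int)((unsigned char*) (s))[2] << 8)  | \
                            ((unsigned int)((unsigned char*) (s))[3])))

/* Stores the low 32 bits of i at s[0..3] in big-endian order.
 * NOTE(review): this expands to a bare { } block, not do { } while (0), so
 * "if (x) put_uint32(p, v); else ..." does not compile; kept as is because
 * the call sites are not visible from this header.
 */
#define put_uint32(s,i) \
{ (s)[0] = (unsigned char)(((i) >> 24) & 0xff);\
  (s)[1] = (unsigned char)(((i) >> 16) & 0xff);\
  (s)[2] = (unsigned char)(((i) >> 8) & 0xff);\
  (s)[3] = (unsigned char)((i) & 0xff);\
}

/* This shall correspond to the similar macro in crypto.erl */
/* Current value is: erlang:system_info(context_reductions) * 10 */
#define MAX_BYTES_TO_NIF 20000

/* Reports consumed time to the scheduler in proportion to the size of Ibin:
 * size * 100 / MAX_BYTES_TO_NIF, capped at 100. A size large enough to
 * overflow the multiplication is charged as 100 directly, and a cost of 0
 * makes no call.
 */
#define CONSUME_REDS(NifEnv, Ibin)                              \
    do {                                                        \
        size_t _cost = (Ibin).size;                             \
        if (_cost > SIZE_MAX / 100)                             \
            _cost = 100;                                        \
        else                                                    \
            _cost = (_cost * 100) / MAX_BYTES_TO_NIF;           \
                                                                \
        if (_cost) {                                            \
            (void) enif_consume_timeslice((NifEnv),             \
                    (_cost > 100) ? 100 : (int)_cost);          \
        }                                                       \
    } while (0)

#ifdef NEED_EVP_COMPATIBILITY_FUNCTIONS
# include "evp_compat.h"
#else
# define HAVE_OPAQUE_BN_GENCB
#endif

/* Debug printouts; change "#if 0" to "#if 1" to enable them. */
#if 0
# define PRINTF_ERR0(FMT)         enif_fprintf(stderr, FMT "\n")
# define PRINTF_ERR1(FMT, A1)     enif_fprintf(stderr, FMT "\n", A1)
# define PRINTF_ERR2(FMT, A1, A2) enif_fprintf(stderr, FMT "\n", A1, A2)
#else
# define PRINTF_ERR0(FMT)
# define PRINTF_ERR1(FMT,A1)
# define PRINTF_ERR2(FMT,A1,A2)
#endif

#if defined(FIPS_SUPPORT) \
    && OPENSSL_VERSION_NUMBER < PACKED_OPENSSL_VERSION_PLAIN(1,0,1)
/* FIPS is not supported for versions < 1.0.1. If FIPS_SUPPORT is enabled
   there are some warnings/errors for those
*/
# undef FIPS_SUPPORT
#endif


#ifdef FIPS_SUPPORT
/* In FIPS mode non-FIPS algorithms are disabled: the enclosing function
 * returns atom_notsup. The macro expands to a return statement, so it has
 * to come before anything in the function that needs cleanup.
 * Without FIPS_SUPPORT (always the case on LibreSSL and on versions < 1.0.1,
 * see above) it expands to nothing.
 */
# define CHECK_NO_FIPS_MODE() { if (FIPS_mode()) return atom_notsup; }
#else
# define CHECK_NO_FIPS_MODE()
#endif

#endif /* E_OPENSSL_CONFIG_H__ */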