Infrastructure for returning additional fields in crypto:supports/0, /1

FIPS doc page updated, for enable_fips_mode discourage its manual invocation
New store module for algorithms
Porting changes from maint
Merge in crypto.erl and test SUITE

Author: kvakvs

lib/crypto/c_src/Makefile.in

@@ -36,7 +36,7 @@ CC = @DED_CC@
 LD = @DED_LD@
 SHELL = /bin/sh
 LIBS = @DED_LIBS@
-LDFLAGS += @DED_LDFLAGS@
+LDFLAGS += @DED_LDFLAGS@ -lstdc++
 CFLAGS = @DED_CFLAGS@ @SSL_FLAGS@ @DEFS@
 
 # From configure
@@ -91,14 +91,23 @@ CRYPTO_OBJS = $(OBJDIR)/crypto$(TYPEMARKER).o \
 	$(OBJDIR)/aead$(TYPEMARKER).o \
 	$(OBJDIR)/aes$(TYPEMARKER).o \
 	$(OBJDIR)/algorithms$(TYPEMARKER).o \
+	$(OBJDIR)/algorithms_collection$(TYPEMARKER).cpp.o \
+	$(OBJDIR)/algorithms_digest$(TYPEMARKER).cpp.o \
+	$(OBJDIR)/algorithms_pkey$(TYPEMARKER).cpp.o \
+	$(OBJDIR)/algorithms_curve$(TYPEMARKER).cpp.o \
+	$(OBJDIR)/algorithms_kem$(TYPEMARKER).cpp.o \
+	$(OBJDIR)/algorithms_rsaopt$(TYPEMARKER).cpp.o \
+	$(OBJDIR)/algorithms_mac$(TYPEMARKER).cpp.o \
+	$(OBJDIR)/algorithms_cipher$(TYPEMARKER).cpp.o \
+	$(OBJDIR)/auto_openssl_resource$(TYPEMARKER).cpp.o \
+	$(OBJDIR)/evp_compat$(TYPEMARKER).cpp.o \
 	$(OBJDIR)/api_ng$(TYPEMARKER).o \
 	$(OBJDIR)/atoms$(TYPEMARKER).o \
 	$(OBJDIR)/bn$(TYPEMARKER).o \
 	$(OBJDIR)/cipher$(TYPEMARKER).o \
 	$(OBJDIR)/cmac$(TYPEMARKER).o \
 	$(OBJDIR)/common$(TYPEMARKER).o \
 	$(OBJDIR)/dh$(TYPEMARKER).o \
-	$(OBJDIR)/digest$(TYPEMARKER).o \
 	$(OBJDIR)/dss$(TYPEMARKER).o \
 	$(OBJDIR)/ec$(TYPEMARKER).o \
 	$(OBJDIR)/ecdh$(TYPEMARKER).o \
@@ -119,7 +128,8 @@ CRYPTO_OBJS = $(OBJDIR)/crypto$(TYPEMARKER).o \
 	$(OBJDIR)/pbkdf2_hmac$(TYPEMARKER).o
 
 CALLBACK_OBJS = $(OBJDIR)/crypto_callback$(TYPEMARKER).o
-CRYPTO_STATIC_OBJS = $(patsubst $(OBJDIR)/%$(TYPEMARKER).o,$(OBJDIR)/%_static$(TYPEMARKER).o,$(CRYPTO_OBJS) $(CALLBACK_OBJS))
+CRYPTO_STATIC_OBJS = $(patsubst $(OBJDIR)/%$(TYPEMARKER).o,$(OBJDIR)/%_static$(TYPEMARKER).o,$(CRYPTO_OBJS) $(CALLBACK_OBJS)) \
+    $(patsubst $(OBJDIR)/%$(TYPEMARKER).cpp.o,$(OBJDIR)/%_static$(TYPEMARKER).cpp.o,$(CRYPTO_OBJS) $(CALLBACK_OBJS))
 
 NIF_ARCHIVE = $(LIBDIR)/crypto$(TYPEMARKER).a
 
@@ -179,8 +189,12 @@ endif
 
 CONFIGURE_ARGS = -DDISABLE_EVP_DH=@DISABLE_EVP_DH@ -DDISABLE_EVP_HMAC=@DISABLE_EVP_HMAC@
 
-ALL_CFLAGS = $(TYPE_FLAGS) $(EXTRA_FLAGS) $(CONFIGURE_ARGS) $(INCLUDES)
+ALL_CFLAGS = $(TYPE_FLAGS) $(EXTRA_FLAGS) $(CONFIGURE_ARGS) $(INCLUDES) -std=gnu99
+ALL_CXXFLAGS = $(TYPE_FLAGS) $(EXTRA_FLAGS) $(CONFIGURE_ARGS) $(INCLUDES) -std=c++14
+
+# Removed: -Wdeclaration-after-statement, allowed in C99 and C++
 ALL_STATIC_CFLAGS = @DED_STATIC_CFLAGS@ $(TYPE_EXTRA_CFLAGS) $(CONFIGURE_ARGS) $(INCLUDES)
+ALL_STATIC_CFLAGS := $(filter-out -Wdeclaration-after-statement,$(ALL_STATIC_CFLAGS))
 
 # ----------------------------------------------------
 # Targets
@@ -222,6 +236,10 @@ $(OBJDIR)/pkey$(TYPEMARKER).o: pkey.c
 
 # ---- End of Hard-coded removal of deprecated warning for ENGINE function calls
 
+$(OBJDIR)/%$(TYPEMARKER).cpp.o: %.cpp
+	$(V_at)$(INSTALL_DIR) $(OBJDIR)
+	$(V_CXX) -MMD -c -o $@ $(ALL_CXXFLAGS) $<
+
 $(OBJDIR)/%$(TYPEMARKER).o: %.c
 	$(V_at)$(INSTALL_DIR) $(OBJDIR)
 	$(V_CC) -MMD -c -o $@ $(ALL_CFLAGS) $<

lib/crypto/c_src/aead.c

@@ -24,12 +24,12 @@
 #include "aes.h"
 #include "cipher.h"
 #include "info.h"
-
+#include "algorithms_cipher.h"
 
 ErlNifResourceType* aead_cipher_ctx_rtype;
 
 struct aead_cipher_ctx {
-    const struct cipher_type_t *cipherp;
+    const cipher_type_C *cipherp;
     EVP_CIPHER_CTX *ctx;
 
     ERL_NIF_TERM key;
@@ -71,6 +71,7 @@ ERL_NIF_TERM aead_cipher_init_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM a
     struct aead_cipher_ctx *ctx_res = NULL;
     ERL_NIF_TERM ret, encflg_arg, type;
     ErlNifBinary key;
+    struct cipher_type_flags_t flags;
 
     if ((ctx_res = enif_alloc_resource(aead_cipher_ctx_rtype, sizeof(struct aead_cipher_ctx))) == NULL)
         return EXCP_ERROR(env, "Can't allocate resource");
@@ -107,11 +108,13 @@ ERL_NIF_TERM aead_cipher_init_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM a
 
     if ((ctx_res->cipherp = get_cipher_type(type, key.size)) == NULL)
         {ret = EXCP_BADARG_N(env, 0, "Unknown cipher or invalid key size"); goto done;}
-    if (ctx_res->cipherp->flags & NON_EVP_CIPHER)
+
+    flags = get_cipher_type_flags(ctx_res->cipherp);
+    if (flags.non_evp_cipher)
         {ret = EXCP_BADARG_N(env, 0, "Bad cipher"); goto done;}
-    if (! (ctx_res->cipherp->flags & AEAD_CIPHER) )
+    if (!flags.aead_cipher)
         {ret = EXCP_BADARG_N(env, 0, "Not aead cipher"); goto done;}
-    if (CIPHER_FORBIDDEN_IN_FIPS(ctx_res->cipherp))
+    if (is_cipher_forbidden_in_fips(ctx_res->cipherp))
         {ret = EXCP_NOTSUP_N(env, 0, "Forbidden in FIPS"); goto done;}
 
 #if defined(HAVE_GCM_EVP_DECRYPT_BUG)
@@ -120,13 +123,19 @@ ERL_NIF_TERM aead_cipher_init_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM a
     }
 #endif
 
-    if (ctx_res->cipherp->cipher.p == NULL)
-        {ret = EXCP_NOTSUP_N(env, 0, "The cipher is not supported in this libcrypto version"); goto done;}
-
-    if ((ctx_res->ctx = EVP_CIPHER_CTX_new()) == NULL)
-        {ret = EXCP_ERROR(env, "Can't allocate ctx"); goto done;}
-    if (EVP_CipherInit_ex(ctx_res->ctx, ctx_res->cipherp->cipher.p, NULL, NULL, NULL, ctx_res->encflg) != 1)
-        {ret = EXCP_ERROR(env, "CipherInit failed"); goto done;}
+    if (get_cipher_type_resource(ctx_res->cipherp) == NULL) {
+        ret = EXCP_NOTSUP_N(env, 0, "The cipher is not supported in this libcrypto version");
+        goto done;
+    }
+    if ((ctx_res->ctx = EVP_CIPHER_CTX_new()) == NULL) {
+        ret = EXCP_ERROR(env, "Can't allocate ctx");
+        goto done;
+    }
+    if (EVP_CipherInit_ex(ctx_res->ctx, get_cipher_type_resource(ctx_res->cipherp),
+        NULL, NULL, NULL, ctx_res->encflg) != 1) {
+        ret = EXCP_ERROR(env, "CipherInit failed");
+        goto done;
+    }
 
     ret = enif_make_resource(env, ctx_res);
 
@@ -146,9 +155,11 @@ ERL_NIF_TERM aead_cipher_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[]
     const EVP_CIPHER *cipher = NULL;
     ErlNifBinary key, iv, aad, in, tag;
     unsigned int tag_len;
-    unsigned char *outp, *tagp, *tag_data, *in_data;
+    unsigned char *outp, *tag_data, *in_data;
     ERL_NIF_TERM type, out, out_tag, ret, encflg_arg;
     int len, encflg, in_len;
+    struct cipher_type_flags_t flags;
+    struct cipher_type_aead_t aead;
 
     if(argc == 7) {
         /*
@@ -202,29 +213,45 @@ ERL_NIF_TERM aead_cipher_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[]
             || iv.size > INT_MAX
             || in.size > INT_MAX
             || aad.size > INT_MAX)
-            {ret = EXCP_BADARG_N(env, 5, "binary too long"); goto done;}
+            {ret = EXCP_BADARG_N(env, 5, "binary too long"); goto done;
+        }
+
+        if ((cipherp = get_cipher_type(type, key.size)) == NULL) {
+            ret = EXCP_BADARG_N(env, 0, "Unknown cipher or invalid key size");
+            goto done;
+        }
 
-        if ((cipherp = get_cipher_type(type, key.size)) == NULL)
-            {ret = EXCP_BADARG_N(env, 0, "Unknown cipher or invalid key size"); goto done;}
-        if (cipherp->flags & NON_EVP_CIPHER)
-            {ret = EXCP_BADARG_N(env, 0, "Bad cipher"); goto done;}
-        if (! (cipherp->flags & AEAD_CIPHER) )
-            {ret = EXCP_BADARG_N(env, 0, "Not aead cipher"); goto done;}
-        if (CIPHER_FORBIDDEN_IN_FIPS(cipherp))
-            {ret = EXCP_NOTSUP_N(env, 0, "Forbidden in FIPS"); goto done;}
+        flags = get_cipher_type_flags(cipherp);
+        if (flags.non_evp_cipher) {
+            ret = EXCP_BADARG_N(env, 0, "Bad cipher");
+            goto done;
+        }
+        if (!flags.aead_cipher) {
+            ret = EXCP_BADARG_N(env, 0, "Not aead cipher");
+            goto done;
+        }
+        if (is_cipher_forbidden_in_fips(cipherp)) {
+            ret = EXCP_NOTSUP_N(env, 0, "Forbidden in FIPS");
+            goto done;
+        }
 
 #if defined(HAVE_GCM_EVP_DECRYPT_BUG)
         if ( !encflg && (cipherp->flags & GCM_MODE)) {
             return aes_gcm_decrypt_NO_EVP(env, argc, argv);
         }
 #endif
-        if ((cipher = cipherp->cipher.p) == NULL)
-            {ret = EXCP_NOTSUP_N(env, 0, "The cipher is not supported in this libcrypto version"); goto done;}
-
-        if ((ctx = EVP_CIPHER_CTX_new()) == NULL)
-            {ret = EXCP_ERROR(env, "Can't allocate ctx"); goto done;}
-        if (EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, encflg) != 1)
-            {ret = EXCP_ERROR(env, "CipherInit failed"); goto done;}
+        if ((cipher = get_cipher_type_resource(cipherp)) == NULL) {
+            ret = EXCP_NOTSUP_N(env, 0, "The cipher is not supported in this libcrypto version");
+            goto done;
+        }
+        if ((ctx = EVP_CIPHER_CTX_new()) == NULL) {
+            ret = EXCP_ERROR(env, "Can't allocate ctx");
+            goto done;
+        }
+        if (EVP_CipherInit_ex(ctx, cipher, NULL, NULL, NULL, encflg) != 1) {
+            ret = EXCP_ERROR(env, "CipherInit failed");
+            goto done;
+        }
 
     } else {
         /* argc = 4  {state, IV, InData, AAD }  */
@@ -258,17 +285,20 @@ ERL_NIF_TERM aead_cipher_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[]
         }
 
         cipherp = ctx_res->cipherp;
-        cipher = cipherp->cipher.p;
+        cipher = get_cipher_type_resource(cipherp);
         ctx = ctx_res->ctx;
     }
     /* Init done */
 
-    if (EVP_CIPHER_CTX_ctrl(ctx, cipherp->extra.aead.ctx_ctrl_set_ivlen, (int)iv.size, NULL) != 1)
+    aead = get_cipher_type_aead(cipherp);
+    flags = get_cipher_type_flags(cipherp);
+
+    if (EVP_CIPHER_CTX_ctrl(ctx, aead.ctx_ctrl_set_ivlen, (int)iv.size, NULL) != 1)
         {ret = EXCP_BADARG_N(env, 2, "Bad IV length"); goto done;}
 
 #if defined(HAVE_CCM)
-    if (cipherp->flags & CCM_MODE) {
-        if (EVP_CIPHER_CTX_ctrl(ctx, cipherp->extra.aead.ctx_ctrl_set_tag, (int)tag_len, tag_data) != 1)
+    if (flags.ccm_mode) {
+        if (EVP_CIPHER_CTX_ctrl(ctx, aead.ctx_ctrl_set_tag, (int)tag_len, tag_data) != 1)
             {ret = EXCP_BADARG_N(env, 5, "Can't set tag"); goto done;}
         if (EVP_CipherInit_ex(ctx, NULL, NULL, key.data, iv.data, -1) != 1)
             {ret = EXCP_ERROR(env, "Can't set key or iv"); goto done;}
@@ -304,8 +334,8 @@ ERL_NIF_TERM aead_cipher_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[]
                 ret = atom_error;
             goto done;
         }
-    if (encflg)
-        {
+    if (encflg) {
+            unsigned char *tagp;
             if (argc == 7) {
                 /* Finalize the encrypted text */
                 if (EVP_CipherFinal_ex(ctx, outp, &len) != 1)
@@ -314,7 +344,7 @@ ERL_NIF_TERM aead_cipher_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[]
                 /* Get the tag */
                 if ((tagp = enif_make_new_binary(env, tag_len, &out_tag)) == NULL)
                     {ret = EXCP_ERROR(env, "Can't make 'Out' binary"); goto done;}
-                if (EVP_CIPHER_CTX_ctrl(ctx, cipherp->extra.aead.ctx_ctrl_get_tag, (int)tag_len, tagp) != 1)
+                if (EVP_CIPHER_CTX_ctrl(ctx, aead.ctx_ctrl_get_tag, (int)tag_len, tagp) != 1)
                     {ret = EXCP_ERROR(env, "Can't get Tag"); goto done;}
 
                 /* Make the return value (the tuple with binary crypto text and the tag) */
@@ -324,7 +354,7 @@ ERL_NIF_TERM aead_cipher_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[]
                     {ret = EXCP_ERROR(env, "Encrypt error"); goto done;}
                 /* Add tag to output end */
                 tagp = outp + in_len;
-                if (EVP_CIPHER_CTX_ctrl(ctx, cipherp->extra.aead.ctx_ctrl_get_tag, (int)tag_len, tagp) != 1)
+                if (EVP_CIPHER_CTX_ctrl(ctx, aead.ctx_ctrl_get_tag, (int)tag_len, tagp) != 1)
                     {ret = EXCP_ERROR(env, "Can't get Tag"); goto done;}
                 ret = out;
             }
@@ -333,8 +363,8 @@ ERL_NIF_TERM aead_cipher_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[]
         {
 #if defined(HAVE_GCM) || defined(HAVE_CHACHA20_POLY1305)
             /* Check the Tag before returning. CCM_MODE does this previously. */
-            if (!(cipherp->flags & CCM_MODE)) { /* That is, CHACHA20_POLY1305 or GCM_MODE */ 
-                if (EVP_CIPHER_CTX_ctrl(ctx, cipherp->extra.aead.ctx_ctrl_set_tag, (int)tag_len, tag_data) != 1)
+            if (!flags.ccm_mode) { /* That is, CHACHA20_POLY1305 or GCM_MODE */
+                if (EVP_CIPHER_CTX_ctrl(ctx, aead.ctx_ctrl_set_tag, (int)tag_len, tag_data) != 1)
                     /* Decrypt error */
                     {ret = atom_error; goto done;}
                 /* CCM dislikes EVP_DecryptFinal_ex on decrypting for pre 1.1.1, so we do it only here */