diff options
| author | Hans Nilsson <hans@erlang.org> | 2022-01-13 15:45:49 +0100 |
|---|---|---|
| committer | Hans Nilsson <hans@erlang.org> | 2022-01-24 13:37:52 +0100 |
| commit | e2ca3902651e27509d7ac1486d19d832f8ed1181 (patch) | |
| tree | 1c006deb3007c85574c0fa6c1615a2a44371b9d3 | |
| parent | 4bc1332312189b0c439b93527c4306957fb64143 (diff) | |
| download | erlang-e2ca3902651e27509d7ac1486d19d832f8ed1181.tar.gz | |
crypto: Disallow dynamic IV:s for >=3.0 (deprecated from OTP 25.0)
| -rw-r--r-- | lib/crypto/c_src/api_ng.c | 13 | ||||
| -rw-r--r-- | lib/crypto/test/crypto_SUITE.erl | 13 |
2 files changed, 22 insertions, 4 deletions
diff --git a/lib/crypto/c_src/api_ng.c b/lib/crypto/c_src/api_ng.c index dc4f90ce7a..5da4aa945b 100644 --- a/lib/crypto/c_src/api_ng.c +++ b/lib/crypto/c_src/api_ng.c @@ -289,6 +289,14 @@ static int get_init_args(ErlNifEnv* env, /* Here: (*cipherp)->cipher.p != NULL and ivec_len has a value */ +#if defined(HAS_3_0_API) // Temp disallow dyn iv for >=3.0 (may core dump) + if (argv[ivec_arg_num] == atom_undefined) + { + *return_term = EXCP_NOTSUP(env, "Dynamic IV is not supported for libcrypto versions >= 3.0"); + goto err; + } +#endif + /* Fetch IV */ if (ivec_len && (argv[ivec_arg_num] != atom_undefined)) { if (!enif_inspect_iolist_as_binary(env, argv[ivec_arg_num], &ivec_bin)) @@ -724,6 +732,10 @@ ERL_NIF_TERM ng_crypto_update(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[ if (argc == 3) { /* We have an IV in this call. Make a copy of the context */ +#if defined(HAS_3_0_API) // Temp disallow dyn iv for >=3.0 (may core dump) + ret = EXCP_NOTSUP(env, "Dynamic IV is not supported for libcrypto versions >= 3.0"); + goto err; +#else ErlNifBinary ivec_bin; /* First check the IV provided in the call of this function: */ @@ -785,6 +797,7 @@ ERL_NIF_TERM ng_crypto_update(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[ get_update_args(env, &ctx_res_copy, argv, 1, &ret); ctx_res->size = ctx_res_copy.size; +#endif // Temp disallow dyn iv for >=3.0 (may core dump) } else /* argc != 3, that is, argc = 2 (we don't have an IV in this call) */ get_update_args(env, ctx_res, argv, 1, &ret); diff --git a/lib/crypto/test/crypto_SUITE.erl b/lib/crypto/test/crypto_SUITE.erl index 99a22d3d5a..5d2747ac96 100644 --- a/lib/crypto/test/crypto_SUITE.erl +++ b/lib/crypto/test/crypto_SUITE.erl @@ -871,8 +871,13 @@ api_ng_tls() -> [{doc, "Test special tls api"}]. api_ng_tls(Config) when is_list(Config) -> - [_|_] = Ciphers = lazy_eval(proplists:get_value(cipher, Config, [])), - lists:foreach(fun do_api_ng_tls/1, Ciphers). + try + [_|_] = Ciphers = lazy_eval(proplists:get_value(cipher, Config, [])), + lists:foreach(fun do_api_ng_tls/1, Ciphers) + catch + error:{notsup,_,Reason} -> + {skip, Reason} + end. do_api_ng_tls({Type, Key, PlainTexts}) -> @@ -4322,8 +4327,8 @@ bad_combo(_Config) -> error:_). bad_key_length(_Config) -> - ?chk_api_name(crypto:crypto_dyn_iv_init(des_ede3_cbc, <<1>>, true), - error:{error,{"api_ng.c",_},"Can't initialize context, key_length"++_}). + ?chk_api_name(crypto:crypto_init(aes_128_ctr, <<1>>, <<0:128>>, true), + error:{badarg,_,"Bad key size"++_}). bad_cipher_name(_Config) -> ?chk_api_name(crypto:crypto_init(foobar, <<1:128>>, true), |