From ff4dee51f4c6602cdbbdbad9ad0ce2068f34265d Mon Sep 17 00:00:00 2001
From: Hans Nilsson <hans@erlang.org>
Date: Thu, 6 Sep 2018 12:55:34 +0200
Subject: crypto: Add 'rsa_opts' to crypto:supports/0 Needed in future versions
 of the SSL application.

---
 lib/crypto/c_src/crypto.c | 48 ++++++++++++++++++++++++++++++++++++++++-------
 lib/crypto/src/crypto.erl | 11 +++++++----
 2 files changed, 48 insertions(+), 11 deletions(-)

diff --git a/lib/crypto/c_src/crypto.c b/lib/crypto/c_src/crypto.c
index 6949df4b8e..ad84d9cd35 100644
--- a/lib/crypto/c_src/crypto.c
+++ b/lib/crypto/c_src/crypto.c
@@ -211,12 +211,17 @@
 # define HAVE_ECB_IVEC_BUG
 #endif
 
-#define HAVE_RSA_SSLV23_PADDING
-#if defined(HAS_LIBRESSL)                                             \
-    && LIBRESSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(2,6,1)
-# undef HAVE_RSA_SSLV23_PADDING
+#ifdef RSA_SSLV23_PADDING
+# define HAVE_RSA_SSLV23_PADDING
 #endif
 
+// OpenSSL >= 1.0.2
+#ifdef RSA_PKCS1_PSS_PADDING
+# define HAVE_RSA_PKCS1_PSS_PADDING
+#endif
+
+
+
 #if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION(0,9,8,'h') \
     && defined(HAVE_EC)
 /* If OPENSSL_NO_EC is set, there will be an error in ec.h included from engine.h
@@ -1319,6 +1324,8 @@ static int algo_mac_cnt, algo_mac_fips_cnt;
 static ERL_NIF_TERM algo_mac[3]; /* increase when extending the list */
 static int algo_curve_cnt, algo_curve_fips_cnt;
 static ERL_NIF_TERM algo_curve[87]; /* increase when extending the list */
+static int algo_rsa_opts_cnt, algo_rsa_opts_fips_cnt;
+static ERL_NIF_TERM algo_rsa_opts[10]; /* increase when extending the list */
 
 static void init_algorithms_types(ErlNifEnv* env)
 {
@@ -1530,12 +1537,36 @@ static void init_algorithms_types(ErlNifEnv* env)
     algo_curve[algo_curve_cnt++] = enif_make_atom(env,"x448");
 #endif
 
+    // Validated algorithms first
+    algo_rsa_opts_cnt = 0;
+#ifdef HAS_EVP_PKEY_CTX
+# ifdef HAVE_RSA_PKCS1_PSS_PADDING
+    algo_rsa_opts[algo_rsa_opts_cnt++] = enif_make_atom(env,"rsa_pkcs1_pss_padding");
+    algo_rsa_opts[algo_rsa_opts_cnt++] = enif_make_atom(env,"rsa_pss_saltlen");
+# endif
+    algo_rsa_opts[algo_rsa_opts_cnt++] = enif_make_atom(env,"rsa_mgf1_md");
+# ifdef HAVE_RSA_OAEP_MD
+    algo_rsa_opts[algo_rsa_opts_cnt++] = enif_make_atom(env,"rsa_oaep_label");
+    algo_rsa_opts[algo_rsa_opts_cnt++] = enif_make_atom(env,"rsa_oaep_md");
+# endif
+    algo_rsa_opts[algo_rsa_opts_cnt++] = enif_make_atom(env,"signature_md");
+#endif
+    algo_rsa_opts[algo_rsa_opts_cnt++] = enif_make_atom(env,"rsa_pkcs1_padding");
+    algo_rsa_opts[algo_rsa_opts_cnt++] = enif_make_atom(env,"rsa_x931_padding");
+#ifdef HAVE_RSA_SSLV23_PADDING
+    algo_rsa_opts[algo_rsa_opts_cnt++] = enif_make_atom(env,"rsa_sslv23_padding");
+#endif
+    algo_rsa_opts[algo_rsa_opts_cnt++] = enif_make_atom(env,"rsa_no_padding");
+    algo_rsa_opts_fips_cnt = algo_rsa_opts_cnt;
+
+
     // Check that the max number of algos is updated
     ASSERT(algo_hash_cnt <= sizeof(algo_hash)/sizeof(ERL_NIF_TERM));
     ASSERT(algo_pubkey_cnt <= sizeof(algo_pubkey)/sizeof(ERL_NIF_TERM));
     ASSERT(algo_cipher_cnt <= sizeof(algo_cipher)/sizeof(ERL_NIF_TERM));
     ASSERT(algo_mac_cnt <= sizeof(algo_mac)/sizeof(ERL_NIF_TERM));
     ASSERT(algo_curve_cnt <= sizeof(algo_curve)/sizeof(ERL_NIF_TERM));
+    ASSERT(algo_rsa_opts_cnt <= sizeof(algo_rsa_opts)/sizeof(ERL_NIF_TERM));
 }
 
 static ERL_NIF_TERM algorithms(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[])
@@ -1547,19 +1578,22 @@ static ERL_NIF_TERM algorithms(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv
     int cipher_cnt = fips_mode ? algo_cipher_fips_cnt : algo_cipher_cnt;
     int mac_cnt    = fips_mode ? algo_mac_fips_cnt    : algo_mac_cnt;
     int curve_cnt    = fips_mode ? algo_curve_fips_cnt    : algo_curve_cnt;
+    int rsa_opts_cnt = fips_mode ? algo_rsa_opts_fips_cnt : algo_rsa_opts_cnt;
 #else
     int hash_cnt   = algo_hash_cnt;
     int pubkey_cnt = algo_pubkey_cnt;
     int cipher_cnt = algo_cipher_cnt;
     int mac_cnt    = algo_mac_cnt;
     int curve_cnt    = algo_curve_cnt;
+    int rsa_opts_cnt = algo_rsa_opts_cnt;
 #endif
-    return enif_make_tuple5(env,
+    return enif_make_tuple6(env,
                             enif_make_list_from_array(env, algo_hash,   hash_cnt),
 			    enif_make_list_from_array(env, algo_pubkey, pubkey_cnt),
 			    enif_make_list_from_array(env, algo_cipher, cipher_cnt),
                             enif_make_list_from_array(env, algo_mac,    mac_cnt),
-			    enif_make_list_from_array(env, algo_curve,  curve_cnt)
+			    enif_make_list_from_array(env, algo_curve,  curve_cnt),
+			    enif_make_list_from_array(env, algo_rsa_opts, rsa_opts_cnt)
                             );
 }
 
@@ -4385,7 +4419,7 @@ static int get_pkey_sign_options(ErlNifEnv *env, ERL_NIF_TERM algorithm, ERL_NIF
 		    if (tpl_terms[1] == atom_rsa_pkcs1_padding) {
 			opt->rsa_padding = RSA_PKCS1_PADDING;
                     } else if (tpl_terms[1] == atom_rsa_pkcs1_pss_padding) {
-#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,0,0)
+#ifdef HAVE_RSA_PKCS1_PSS_PADDING
                         opt->rsa_padding = RSA_PKCS1_PSS_PADDING;
                         if (opt->rsa_mgf1_md == NULL) {
                             opt->rsa_mgf1_md = md;
diff --git a/lib/crypto/src/crypto.erl b/lib/crypto/src/crypto.erl
index c64586897e..7d8f0479ee 100644
--- a/lib/crypto/src/crypto.erl
+++ b/lib/crypto/src/crypto.erl
@@ -319,7 +319,8 @@ stop() ->
                                       | {ciphers, Ciphers}
                                       | {public_keys, PKs}
                                       | {macs,    Macs}
-                                      | {curves,  Curves},
+                                      | {curves,  Curves}
+                                      | {rsa_opts, RSAopts},
                              Hashs :: [sha1() | sha2() | sha3() | ripemd160 | compatibility_only_hash()],
                              Ciphers :: [stream_cipher()
                                          | block_cipher_with_iv() | block_cipher_without_iv()
@@ -327,14 +328,16 @@ stop() ->
                                         ], 
                              PKs :: [rsa | dss | ecdsa | dh | ecdh | ec_gf2m],
                              Macs :: [hmac | cmac | poly1305],
-                             Curves :: [ec_named_curve() | edwards_curve()].
+                             Curves :: [ec_named_curve() | edwards_curve()],
+                             RSAopts :: [rsa_sign_verify_opt() | rsa_opt()] .
 supports()->
-    {Hashs, PubKeys, Ciphers, Macs, Curves} = algorithms(),
+    {Hashs, PubKeys, Ciphers, Macs, Curves, RsaOpts} = algorithms(),
     [{hashs, Hashs},
      {ciphers, Ciphers},
      {public_keys, PubKeys},
      {macs, Macs},
-     {curves, Curves}
+     {curves, Curves},
+     {rsa_opts, RsaOpts}
     ].
 
 -spec info_lib() -> [{Name,VerNum,VerStr}] when Name :: binary(),
-- 
cgit v1.2.1


From 769c73a8cbe40c865d337d1d2eb651ea1ea68e31 Mon Sep 17 00:00:00 2001
From: Hans Nilsson <hans@erlang.org>
Date: Thu, 13 Sep 2018 12:55:30 +0200
Subject: crypto: RSA options list disclaimer in documentation for
 crypto:supports/0 The final appearence of the rs_opts entry is still not
 completly decided.

---
 lib/crypto/doc/src/crypto.xml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib/crypto/doc/src/crypto.xml b/lib/crypto/doc/src/crypto.xml
index d5f5009297..dab6e4ed4f 100644
--- a/lib/crypto/doc/src/crypto.xml
+++ b/lib/crypto/doc/src/crypto.xml
@@ -1044,6 +1044,9 @@ _FloatValue = rand:uniform().     % [0.0; 1.0[</pre>
       <desc>
         <p> Can be used to determine which crypto algorithms that are supported
 	by the underlying libcrypto library</p>
+	<p>Note: the <c>rsa_opts</c> entry is in an experimental state and may change or be removed without notice.
+	No guarantee for the accuarcy of the rsa option's value list should be assumed.
+	</p>
       </desc>
     </func>
 
-- 
cgit v1.2.1


From 35eac8acb8c47416a0fde79280a2fef60bc9339e Mon Sep 17 00:00:00 2001
From: Hans Nilsson <hans@erlang.org>
Date: Wed, 12 Sep 2018 10:42:10 +0200
Subject: crypto: Change condition for RSA_PKCS1_PSS Trubble on a couple of
 cross-building machines

---
 lib/crypto/c_src/crypto.c | 9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

diff --git a/lib/crypto/c_src/crypto.c b/lib/crypto/c_src/crypto.c
index ad84d9cd35..592027d946 100644
--- a/lib/crypto/c_src/crypto.c
+++ b/lib/crypto/c_src/crypto.c
@@ -215,13 +215,12 @@
 # define HAVE_RSA_SSLV23_PADDING
 #endif
 
-// OpenSSL >= 1.0.2
-#ifdef RSA_PKCS1_PSS_PADDING
-# define HAVE_RSA_PKCS1_PSS_PADDING
+#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,0,0)
+# ifdef RSA_PKCS1_PSS_PADDING
+#  define HAVE_RSA_PKCS1_PSS_PADDING
+# endif
 #endif
 
-
-
 #if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION(0,9,8,'h') \
     && defined(HAVE_EC)
 /* If OPENSSL_NO_EC is set, there will be an error in ec.h included from engine.h
-- 
cgit v1.2.1


From 94d4676a7f73cb948d3baa617d1f8fcd8ee5aec2 Mon Sep 17 00:00:00 2001
From: Hans Nilsson <hans@erlang.org>
Date: Thu, 13 Sep 2018 11:41:35 +0200
Subject: crypto: Add forgotten #ifdef MAY prevent compilation errors if the
 symbol is configured to not be defined in an OpenSSL version where it exists
 by default.

---
 lib/crypto/c_src/crypto.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/lib/crypto/c_src/crypto.c b/lib/crypto/c_src/crypto.c
index 592027d946..3939a6f309 100644
--- a/lib/crypto/c_src/crypto.c
+++ b/lib/crypto/c_src/crypto.c
@@ -4707,6 +4707,7 @@ printf("\r\n");
 
     if (argv[0] == atom_rsa) {
 	if (EVP_PKEY_CTX_set_rsa_padding(ctx, sig_opt.rsa_padding) <= 0) goto badarg;
+#ifdef HAVE_RSA_PKCS1_PSS_PADDING
 	if (sig_opt.rsa_padding == RSA_PKCS1_PSS_PADDING) {
             if (sig_opt.rsa_mgf1_md != NULL) {
 #if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION_PLAIN(1,0,1)
@@ -4721,6 +4722,7 @@ printf("\r\n");
 		&& EVP_PKEY_CTX_set_rsa_pss_saltlen(ctx, sig_opt.rsa_pss_saltlen) <= 0)
 		goto badarg;
 	}
+#endif
     }
 
     if (EVP_PKEY_sign(ctx, NULL, &siglen, tbs, tbslen) <= 0) goto badarg;
-- 
cgit v1.2.1