File 2572-Refactor-pbkdf2-eligible-hash-check.patch of Package erlang
From 60a15f0bb219a7b0aeb143036fd8434bcbe4211b Mon Sep 17 00:00:00 2001
From: gearnode <bryan@frimin.fr>
Date: Thu, 25 Nov 2021 13:08:31 +0100
Subject: [PATCH 2/4] Refactor pbkdf2 eligible hash check
---
lib/crypto/c_src/digest.c | 10 ++++-----
lib/crypto/c_src/digest.h | 1 +
lib/crypto/c_src/openssl_config.h | 1 +
lib/crypto/c_src/pbkdf2_hmac.c | 34 +++----------------------------
lib/crypto/test/crypto_SUITE.erl | 2 +-
5 files changed, 11 insertions(+), 37 deletions(-)
diff --git a/lib/crypto/c_src/digest.c b/lib/crypto/c_src/digest.c
index d4b1813e11..125784ac42 100644
--- a/lib/crypto/c_src/digest.c
+++ b/lib/crypto/c_src/digest.c
@@ -46,9 +46,9 @@ static struct digest_type_t digest_types[] =
#endif
},
- {{"sha"}, 0, {&EVP_sha1}},
+ {{"sha"}, PBKDF2_ELIGIBLE_DIGEST, {&EVP_sha1}},
- {{"sha224"}, 0,
+ {{"sha224"}, PBKDF2_ELIGIBLE_DIGEST,
#ifdef HAVE_SHA224
{&EVP_sha224}
#else
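Review bot: `PBKDF2_ELIGIBLE_DIGEST` sits in the flags field outside the `#ifdef HAVE_SHA224` guard, so the entry is marked eligible even on a build where that digest is missing and the `md` slot comes from the `#else` branch (its value is not visible in this hunk, presumably NULL). The PBKDF2 NIF therefore has to test `digp->md.p == NULL` as well as the flag, and nothing in the table records that. A comment above these entries such as `/* PBKDF2_ELIGIBLE_DIGEST only allow-lists the digest for pbkdf2_hmac; callers must still check md.p */` would keep that check from being dropped later. The same applies to the sha256, sha384 and sha512 hunks below; the table definition starts and ends outside these hunks.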
@@ -56,7 +56,7 @@ static struct digest_type_t digest_types[] =
#endif
},
- {{"sha256"}, 0,
+ {{"sha256"}, PBKDF2_ELIGIBLE_DIGEST,
#ifdef HAVE_SHA256
{&EVP_sha256}
#else
@@ -64,7 +64,7 @@ static struct digest_type_t digest_types[] =
#endif
},
- {{"sha384"}, 0,
+ {{"sha384"}, PBKDF2_ELIGIBLE_DIGEST,
#ifdef HAVE_SHA384
{&EVP_sha384}
#else
@@ -72,7 +72,7 @@ static struct digest_type_t digest_types[] =
#endif
},
- {{"sha512"}, 0,
+ {{"sha512"}, PBKDF2_ELIGIBLE_DIGEST,
#ifdef HAVE_SHA512
{&EVP_sha512}
#else
diff --git a/lib/crypto/c_src/digest.h b/lib/crypto/c_src/digest.h
index a1cfb4d4cb..8d8cb243d1 100644
--- a/lib/crypto/c_src/digest.h
+++ b/lib/crypto/c_src/digest.h
@@ -37,6 +37,7 @@ struct digest_type_t {
/* masks in the flags field if digest_type_t */
#define NO_FIPS_DIGEST 1
+#define PBKDF2_ELIGIBLE_DIGEST 2
#ifdef FIPS_SUPPORT
/* May have FIPS support, must check dynamically if it is enabled */
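Review bot: The new mask `PBKDF2_ELIGIBLE_DIGEST` has no comment saying what it permits, and it sits directly under `NO_FIPS_DIGEST`, whose name suggests a restriction rather than a permission. I would document it on the define line, e.g. `#define PBKDF2_ELIGIBLE_DIGEST 2 /* digest may be used as the HMAC hash in pbkdf2_hmac_nif */`, and note that the values are single bits, so the next mask is 4. Because the flag works as an allow-list, a digest added to the table later is rejected for PBKDF2 until someone sets it. That is the safer default and worth stating in the comment.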
diff --git a/lib/crypto/c_src/openssl_config.h b/lib/crypto/c_src/openssl_config.h
index 63238105f7..ac089b6ba8 100644
--- a/lib/crypto/c_src/openssl_config.h
+++ b/lib/crypto/c_src/openssl_config.h
@@ -313,6 +313,7 @@
# ifdef RSA_PKCS1_PSS_PADDING
# define HAVE_RSA_PKCS1_PSS_PADDING
# endif
+# define HAS_PKCS5_PBKDF2_HMAC
#endif
#if OPENSSL_VERSION_NUMBER >= PACKED_OPENSSL_VERSION(0,9,8,'h') \
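Review bot: `HAS_PKCS5_PBKDF2_HMAC` is defined without a comment, and the `#if` that encloses it opens outside this hunk, so the OpenSSL version that gates PBKDF2 support cannot be read from here. A one-line comment such as `/* PKCS5_PBKDF2_HMAC() available: enables pbkdf2_hmac_nif */` would tie the macro to its consumer. The only neighbouring feature macro visible in this hunk is spelled `HAVE_...`. If the file has no other `HAS_` macros, `HAVE_PKCS5_PBKDF2_HMAC` would be the consistent name, since a mismatched `#ifdef` silently compiles the feature out.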
diff --git a/lib/crypto/c_src/pbkdf2_hmac.c b/lib/crypto/c_src/pbkdf2_hmac.c
index aa9f27c93d..7eec603d9c 100644
--- a/lib/crypto/c_src/pbkdf2_hmac.c
+++ b/lib/crypto/c_src/pbkdf2_hmac.c
@@ -16,7 +16,6 @@
* limitations under the License.
*
* %CopyrightEnd%
-
*/
#include "common.h"
@@ -30,7 +29,6 @@ ERL_NIF_TERM pbkdf2_hmac_nif(ErlNifEnv* env, int argc,
ErlNifBinary pass, salt, out;
ErlNifUInt64 iter, keylen;
struct digest_type_t* digp = NULL;
- const EVP_MD* digest;
ASSERT(argc == 5);
@@ -38,34 +36,8 @@ ERL_NIF_TERM pbkdf2_hmac_nif(ErlNifEnv* env, int argc,
goto bad_arg;
if (digp->md.p == NULL)
goto bad_arg;
-
- switch (EVP_MD_type(digp->md.p))
- {
- case NID_sha1:
- digest = EVP_sha1();
- break;
-#ifdef HAVE_SHA224
- case NID_sha224:
- digest = EVP_sha224();
- break;
-#endif
-#ifdef HAVE_SHA256
- case NID_sha256:
- digest = EVP_sha256();
- break;
-#endif
-#ifdef HAVE_SHA384
- case NID_sha384:
- digest = EVP_sha384();
- break;
-#endif
-#ifdef HAVE_SHA512
- case NID_sha512:
- digest = EVP_sha512();
- break;
-#endif
- default:
- goto err;
+ if ((digp->flags & PBKDF2_ELIGIBLE_DIGEST) == 0) {
+ goto bad_arg;
}
if (!enif_inspect_binary(env, argv[1], &pass))
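Review bot: A digest without the flag now leaves through `bad_arg`, where the removed `switch` sent it to `err` in its `default:` case. Both labels are defined outside this hunk, so I cannot tell whether they return the same term; if they differ, callers see a different error and the commit subject ("Refactor") should say so. With the switch gone, nothing in the function lists the accepted digests, so a comment like `/* only digests flagged PBKDF2_ELIGIBLE_DIGEST in digest_types[] are accepted */` on the new check would help. The new `if` is also the only braced one of the three guards here; bracing all three or none would keep the block uniform.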
@@ -87,7 +59,7 @@ ERL_NIF_TERM pbkdf2_hmac_nif(ErlNifEnv* env, int argc,
if (!PKCS5_PBKDF2_HMAC((const char *)pass.data, pass.size,
salt.data, salt.size, iter,
- digest,
+ digp->md.p,
keylen, out.data)) {
enif_release_binary(&out);
goto err;
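Review bot: `iter` and `keylen` are declared `ErlNifUInt64`, and `pass.size` and `salt.size` are binary sizes, yet all four are passed to `PKCS5_PBKDF2_HMAC`, whose length and iteration parameters are `int`. Any range checks lie between the hunks and are not visible here. Without an upper bound a large value is narrowed, so the derivation could run with fewer iterations than requested or fill only part of `out`. I would add `if (iter > INT_MAX || keylen > INT_MAX || pass.size > INT_MAX || salt.size > INT_MAX) goto bad_arg;` ahead of the call. The function body starts and ends outside this hunk.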
diff --git a/lib/crypto/test/crypto_SUITE.erl b/lib/crypto/test/crypto_SUITE.erl
index 182af02cb0..b8de45de8b 100644
--- a/lib/crypto/test/crypto_SUITE.erl
+++ b/lib/crypto/test/crypto_SUITE.erl
@@ -4407,7 +4407,7 @@ pbkdf2_hmac(Config) when is_list(Config) ->
F(binary:encode_unsigned(16#f09d849e), <<"EXAMPLE.COMpianist">>, 50, 32)
catch
error:{notsup,{"pbkdf2_hmac.c", _}, "Unsupported CRYPTO_PKCS5_PBKDF2_HMAC"} ->
- {skip, "No Unsupported CRYPTO_PKCS5_PBKDF2_HMAC"}
+ {skip, "No CRYPTO_PKCS5_PBKDF2_HMAC"}
end.
--
2.31.1