Merge pull request #955 from bettio/remove-openssl

Remove OpenSSL Do not depend both on Mbed-TLS and OpenSSL at the same time, just use Mbed-TLS. Also now the same code base can be both used on generic unix and MCUs. Closes #950 These changes are made under both the "Apache 2.0" and the "GNU Lesser General Public License 2.1 or later" license terms (dual license). SPDX-License-Identifier: Apache-2.0 OR LGPL-2.1-or-later
atomvm · Dec 5, 2023 · dfcfc96 · dfcfc96
2 parents 8a97964 + 2052e3d
commit dfcfc96
Show file tree

Hide file tree

Showing 21 changed files with 611 additions and 77 deletions.
diff --git a/.github/workflows/build-and-test-macos.yaml b/.github/workflows/build-and-test-macos.yaml
@@ -65,7 +65,7 @@ jobs:
       working-directory: build
       run: |
         export PATH="/usr/local/opt/erlang@${{ matrix.otp }}/bin:$PATH"
-        cmake -G Ninja -DOPENSSL_ROOT_DIR=/usr/local/opt/openssl ..
+        cmake -G Ninja ..
 
     - name: "Build: run ninja"
       working-directory: build

diff --git a/.github/workflows/build-and-test-other.yaml b/.github/workflows/build-and-test-other.yaml
@@ -98,7 +98,7 @@ jobs:
             apt update &&
             apt install -y -t stretch-backports-sloppy libarchive13 &&
             apt install -y -t stretch-backports cmake &&
-            apt install -y file gcc g++ binutils make doxygen gperf zlib1g-dev libssl-dev libmbedtls-dev
+            apt install -y file gcc g++ binutils make doxygen gperf zlib1g-dev libmbedtls-dev
 
         - arch: "arm32v7"
           platform: "arm/v7"
@@ -148,7 +148,7 @@ jobs:
             ${{ matrix.install_deps }}
         else
             apt update &&
-            apt install -y file gcc g++ binutils cmake make doxygen gperf zlib1g-dev libssl-dev libmbedtls-dev
+            apt install -y file gcc g++ binutils cmake make doxygen gperf zlib1g-dev libmbedtls-dev
         fi &&
         file /bin/bash &&
         uname -a &&

diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml
@@ -171,10 +171,10 @@ jobs:
           cflags: "-m32 -O3"
           otp: "23"
           elixir_version: "1.11"
-          cmake_opts_other: "-DOPENSSL_CRYPTO_LIBRARY=/usr/lib/i386-linux-gnu/libcrypto.so -DAVM_CREATE_STACKTRACES=off"
+          cmake_opts_other: "-DAVM_CREATE_STACKTRACES=off"
           arch: "i386"
           compiler_pkgs: "gcc-10 g++-10 gcc-10-multilib g++-10-multilib libc6-dev-i386
-          libc6-dbg:i386 zlib1g-dev:i386 libssl-dev:i386 libmbedtls-dev:i386"
+          libc6-dbg:i386 zlib1g-dev:i386 libmbedtls-dev:i386"
 
     env:
       CC: ${{ matrix.cc }}

diff --git a/.github/workflows/build-libraries.yaml b/.github/workflows/build-libraries.yaml
@@ -35,7 +35,7 @@ jobs:
       run: sudo apt update -y
 
     - name: "Install deps"
-      run: sudo apt install -y build-essential cmake gperf zlib1g-dev libssl-dev valgrind
+      run: sudo apt install -y build-essential cmake gperf zlib1g-dev libmbedtls-dev valgrind
 
     # Builder info
     - name: "System info"

diff --git a/.github/workflows/build-linux-artifacts.yaml b/.github/workflows/build-linux-artifacts.yaml
@@ -84,10 +84,10 @@ jobs:
             apt update &&
             apt install -y -t stretch-backports-sloppy libarchive13 &&
             apt install -y -t stretch-backports cmake &&
-            apt install -y file gcc g++ binutils make doxygen gperf zlib1g-dev libssl-dev tzdata
+            apt install -y file gcc g++ binutils make doxygen gperf zlib1g-dev libmbedtls-dev tzdata
 
         - arch: "arm32v7"
-          build_name: "linux-arm32v7thl-openssl1"
+          build_name: "linux-arm32v7thl"
           docker_image: "arm32v7/debian"
           platform: "arm/v7"
           tag: "stretch"
@@ -104,14 +104,7 @@ jobs:
             apt update &&
             apt install -y -t stretch-backports-sloppy libarchive13 &&
             apt install -y -t stretch-backports cmake &&
-            apt install -y file gcc g++ binutils make doxygen gperf zlib1g-dev libssl-dev tzdata
-
-        - arch: "arm32v7"
-          build_name: "linux-arm32v7thl"
-          docker_image: "arm32v7/ubuntu"
-          platform: "arm/v7"
-          tag: "22.04"
-          cflags: "-mfloat-abi=hard -mthumb -mthumb-interwork"
+            apt install -y file gcc g++ binutils make doxygen gperf zlib1g-dev libmbedtls-dev tzdata
 
         - arch: "arm64v8"
           build_name: "linux-arm64v8"
@@ -131,26 +124,19 @@ jobs:
           build_name: "linux-x86_64"
           docker_image: "ubuntu"
           platform: "amd64"
-          tag: "22.04"
-          cflags: ""
-
-        - arch: "x86_64"
-          build_name: "linux-x86_64-openssl1"
-          docker_image: "ubuntu"
-          platform: "amd64"
           tag: "18.04"
           cflags: ""
           install_deps: |
             apt update &&
-            apt install -y file gcc g++ binutils make doxygen gperf zlib1g-dev libssl-dev wget tzdata &&
+            apt install -y file gcc g++ binutils make doxygen gperf zlib1g-dev libmbedtls-dev wget tzdata &&
             apt purge -y cmake &&
             wget https://cmake.org/files/v3.13/cmake-3.13.5-Linux-x86_64.tar.gz &&
             tar xf cmake-3.13.5-Linux-x86_64.tar.gz &&
             mv cmake-3.13.5-Linux-x86_64 /opt/cmake-3.13.5 &&
             ln -sf /opt/cmake-3.13.5/bin/* /usr/bin/
 
         - arch: "i386"
-          build_name: "linux-i386-openssl1"
+          build_name: "linux-i386"
           docker_image: "i386/debian"
           platform: "386"
           cflags: ""
@@ -167,7 +153,7 @@ jobs:
             apt update &&
             apt install -y -t stretch-backports-sloppy libarchive13 &&
             apt install -y -t stretch-backports cmake &&
-            apt install -y file gcc g++ binutils make doxygen gperf zlib1g-dev libssl-dev
+            apt install -y file gcc g++ binutils make doxygen gperf zlib1g-dev libmbedtls-dev
 
     steps:
     - name: Checkout repo
@@ -201,7 +187,7 @@ jobs:
             ${{ matrix.install_deps }}
         else
             apt update &&
-            apt install -y file gcc g++ binutils cmake make doxygen gperf zlib1g-dev libssl-dev tzdata
+            apt install -y file gcc g++ binutils cmake make doxygen gperf zlib1g-dev libmbedtls-dev tzdata
         fi &&
         file /bin/bash &&
         uname -a &&

diff --git a/.github/workflows/run-tests-with-beam.yaml b/.github/workflows/run-tests-with-beam.yaml
@@ -64,17 +64,14 @@ jobs:
         - os: "macos-latest"
           otp: "23"
           path_prefix: "/usr/local/opt/erlang@23/bin:"
-          cmake_opts: "-DOPENSSL_ROOT_DIR=/usr/local/opt/openssl"
 
         - os: "macos-latest"
           otp: "24"
           path_prefix: "/usr/local/opt/erlang@24/bin:"
-          cmake_opts: "-DOPENSSL_ROOT_DIR=/usr/local/opt/openssl"
 
         - os: "macos-latest"
           otp: "25"
           path_prefix: "/usr/local/opt/erlang@25/bin:"
-          cmake_opts: "-DOPENSSL_ROOT_DIR=/usr/local/opt/openssl"
     steps:
     # Setup
     - name: "Checkout repo"
@@ -101,7 +98,7 @@ jobs:
 
     - name: "Install deps (macOS)"
       if: runner.os == 'macOS'
-      run: brew install gperf erlang@${{ matrix.otp }} ninja
+      run: brew install gperf erlang@${{ matrix.otp }} ninja mbedtls
 
     # Build
     - name: "Build: create build dir"

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -25,6 +25,8 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 - Crypto functions on generic_unix platform now rely on MbedTLS instead of OpenSSL
 - Platform function providing time used by timers was changed from `sys_monotonic_millis` to `sys_monotonic_time_u64`, `sys_monotonic_time_u64_to_ms` and `sys_monotonic_time_ms_to_u64`.
+- Implement `atomvm:random/0` and `atomvm:rand_bytes/1` on top of `crypto:strong_rand_bytes/1` on
+  generic_unix, ESP32 and RP2040 platforms.
 
 ### Added
 
@@ -39,6 +41,12 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added support for `crypto:one_time/4,5` on Unix and Pico as well as for `crypto:hash/2` on Pico
 - Added ability to configure STM32 Nucleo boards onboard UART->USB-COM using the `-DBOARD=nucleo` cmake option
 - Added STM32 cmake option `-DAVM_CFG_CONSOLE=` to select a different uart peripheral for the system console
+- Added `crypto:strong_rand_bytes/1` using Mbed-TLS (only on generic_unix, ESP32 and RP2040
+  platforms)
+
+### Removed
+
+- OpenSSL support, Mbed-TLS is required instead.
 
 ## [0.6.0-alpha.1] - 2023-10-09
 

diff --git a/libs/eavmlib/src/atomvm.erl b/libs/eavmlib/src/atomvm.erl
@@ -48,6 +48,10 @@
     posix_open_flag/0
 ]).
 
+-deprecated([
+    {random, 0, next_version}
+]).
+
 -type platform_name() ::
     generic_unix
     | emscripten
@@ -109,6 +113,7 @@ random() ->
 %%          Supplying a negative value will result in a badarg error.
 %%          This function will use a cryptographically strong RNG if available.
 %%          Otherwise, the random value is generated using a PRNG.
+%% @deprecated Use crypto:strong_rand_bytes/1 instead.
 %% @end
 %%-----------------------------------------------------------------------------
 -spec rand_bytes(Len :: non_neg_integer()) -> binary().

diff --git a/src/libAtomVM/otp_crypto.c b/src/libAtomVM/otp_crypto.c
@@ -26,10 +26,13 @@
 #include <globalcontext.h>
 #include <interop.h>
 #include <nifs.h>
+#include <sys_mbedtls.h>
 #include <term.h>
 #include <term_typedef.h>
 
 #include <mbedtls/cipher.h>
+#include <mbedtls/ctr_drbg.h>
+#include <mbedtls/entropy.h>
 #include <mbedtls/md5.h>
 #include <mbedtls/sha1.h>
 #include <mbedtls/sha256.h>
@@ -561,6 +564,40 @@ static term nif_crypto_crypto_one_time(Context *ctx, int argc, term argv[])
     RAISE_ERROR(make_crypto_error(__FILE__, source_line, err_msg, ctx));
 }
 
+// not static since we are using it elsewhere to provide backward compatibility
+term nif_crypto_strong_rand_bytes(Context *ctx, int argc, term argv[])
+{
+    UNUSED(argc);
+
+    term count_term = argv[0];
+    VALIDATE_VALUE(count_term, term_is_integer);
+    avm_int_t out_len = term_to_int(count_term);
+    if (out_len < 0) {
+        RAISE_ERROR(BADARG_ATOM);
+    }
+
+    int ensure_size = term_binary_heap_size(out_len);
+    if (UNLIKELY(memory_ensure_free(ctx, ensure_size) != MEMORY_GC_OK)) {
+        RAISE_ERROR(OUT_OF_MEMORY_ATOM);
+    }
+
+    mbedtls_ctr_drbg_context *rnd_ctx = sys_mbedtls_get_ctr_drbg_context_lock(ctx->global);
+    if (IS_NULL_PTR(rnd_ctx)) {
+        RAISE_ERROR(make_crypto_error(__FILE__, __LINE__, "Failed CTR_DRBG init", ctx));
+    }
+
+    term out_bin = term_create_uninitialized_binary(out_len, &ctx->heap, ctx->global);
+    unsigned char *out = (unsigned char *) term_binary_data(out_bin);
+
+    int err = mbedtls_ctr_drbg_random(rnd_ctx, out, out_len);
+    sys_mbedtls_ctr_drbg_context_unlock(ctx->global);
+    if (UNLIKELY(err != 0)) {
+        RAISE_ERROR(make_crypto_error(__FILE__, __LINE__, "Failed random", ctx));
+    }
+
+    return out_bin;
+}
+
 static const struct Nif crypto_hash_nif = {
     .base.type = NIFFunctionType,
     .nif_ptr = nif_crypto_hash
@@ -569,6 +606,10 @@ static const struct Nif crypto_crypto_one_time_nif = {
     .base.type = NIFFunctionType,
     .nif_ptr = nif_crypto_crypto_one_time
 };
+static const struct Nif crypto_strong_rand_bytes_nif = {
+    .base.type = NIFFunctionType,
+    .nif_ptr = nif_crypto_strong_rand_bytes
+};
 
 //
 // Entrypoints
@@ -590,6 +631,10 @@ const struct Nif *otp_crypto_nif_get_nif(const char *nifname)
             TRACE("Resolved platform nif %s ...\n", nifname);
             return &crypto_crypto_one_time_nif;
         }
+        if (strcmp("strong_rand_bytes/1", rest) == 0) {
+            TRACE("Resolved platform nif %s ...\n", nifname);
+            return &crypto_strong_rand_bytes_nif;
+        }
     }
     return NULL;
 }
diff --git a/src/libAtomVM/sys_mbedtls.h b/src/libAtomVM/sys_mbedtls.h
@@ -0,0 +1,38 @@
+/*
+ * This file is part of AtomVM.
+ *
+ * Copyright 2023 Davide Bettio <davide@uninstall.it>
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * SPDX-License-Identifier: Apache-2.0 OR LGPL-2.1-or-later
+ */
+
+#ifndef _SYS_MBEDTLS_H_
+#define _SYS_MBEDTLS_H_
+
+#include <mbedtls/ctr_drbg.h>
+#include <mbedtls/entropy.h>
+
+mbedtls_entropy_context *sys_mbedtls_get_entropy_context_lock(GlobalContext *global);
+void sys_mbedtls_entropy_context_unlock(GlobalContext *global);
+int sys_mbedtls_entropy_func(void *entropy, unsigned char *buf, size_t size);
+
+mbedtls_ctr_drbg_context *sys_mbedtls_get_ctr_drbg_context_lock(GlobalContext *global);
+
+/**
+ * @warning do not call this function when already owning the entropy context
+ */
+void sys_mbedtls_ctr_drbg_context_unlock(GlobalContext *global);
+
+#endif
diff --git a/src/platforms/esp32/components/avm_sys/include/esp32_sys.h b/src/platforms/esp32/components/avm_sys/include/esp32_sys.h
@@ -30,9 +30,17 @@
 #include <spi_flash_mmap.h>
 #endif
 
+#include <mbedtls/ctr_drbg.h>
+#include <mbedtls/entropy.h>
+
 #include <sys/poll.h>
+#include <stdbool.h>
 #include <time.h>
 
+#ifndef AVM_NO_SMP
+#include "smp.h"
+#endif
+
 #include "sys.h"
 
 #define REGISTER_PORT_DRIVER(NAME, INIT_CB, DESTROY_CB, CREATE_CB)    \
@@ -94,6 +102,18 @@ struct ESP32PlatformData
     EventListener *socket_listener;
     struct SyncList sockets;
     struct ListHead ready_connections;
+
+#ifndef AVM_NO_SMP
+    Mutex *entropy_mutex;
+#endif
+    mbedtls_entropy_context entropy_ctx;
+    bool entropy_is_initialized;
+
+#ifndef AVM_NO_SMP
+    Mutex *random_mutex;
+#endif
+    mbedtls_ctr_drbg_context random_ctx;
+    bool random_is_initialized;
 };
 
 typedef void (*port_driver_init_t)(GlobalContext *global);