generic_unix: remove OpenSSL

Use Mbed-TLS based crypto:strong_rand_bytes/1 for generating random numbers rather than OpenSSL. Signed-off-by: Davide Bettio <davide@uninstall.it>
atomvm · Nov 20, 2023 · 5c9be88 · 5c9be88
1 parent 2914ad5
commit 5c9be88
Show file tree

Hide file tree

Showing 6 changed files with 23 additions and 52 deletions.
diff --git a/.github/workflows/build-and-test-macos.yaml b/.github/workflows/build-and-test-macos.yaml
@@ -65,7 +65,7 @@ jobs:
       working-directory: build
       run: |
         export PATH="/usr/local/opt/erlang@${{ matrix.otp }}/bin:$PATH"
-        cmake -G Ninja -DOPENSSL_ROOT_DIR=/usr/local/opt/openssl ..
+        cmake -G Ninja ..
 
     - name: "Build: run ninja"
       working-directory: build

diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml
@@ -171,7 +171,7 @@ jobs:
           cflags: "-m32 -O3"
           otp: "23"
           elixir_version: "1.11"
-          cmake_opts_other: "-DOPENSSL_CRYPTO_LIBRARY=/usr/lib/i386-linux-gnu/libcrypto.so -DAVM_CREATE_STACKTRACES=off"
+          cmake_opts_other: "-DAVM_CREATE_STACKTRACES=off"
           arch: "i386"
           compiler_pkgs: "gcc-10 g++-10 gcc-10-multilib g++-10-multilib libc6-dev-i386
           libc6-dbg:i386 zlib1g-dev:i386 libssl-dev:i386 libmbedtls-dev:i386"

diff --git a/.github/workflows/run-tests-with-beam.yaml b/.github/workflows/run-tests-with-beam.yaml
@@ -64,17 +64,14 @@ jobs:
         - os: "macos-latest"
           otp: "23"
           path_prefix: "/usr/local/opt/erlang@23/bin:"
-          cmake_opts: "-DOPENSSL_ROOT_DIR=/usr/local/opt/openssl"
 
         - os: "macos-latest"
           otp: "24"
           path_prefix: "/usr/local/opt/erlang@24/bin:"
-          cmake_opts: "-DOPENSSL_ROOT_DIR=/usr/local/opt/openssl"
 
         - os: "macos-latest"
           otp: "25"
           path_prefix: "/usr/local/opt/erlang@25/bin:"
-          cmake_opts: "-DOPENSSL_ROOT_DIR=/usr/local/opt/openssl"
     steps:
     # Setup
     - name: "Checkout repo"
@@ -101,7 +98,7 @@ jobs:
 
     - name: "Install deps (macOS)"
       if: runner.os == 'macOS'
-      run: brew install gperf erlang@${{ matrix.otp }} ninja
+      run: brew install gperf erlang@${{ matrix.otp }} ninja mbedtls
 
     # Build
     - name: "Build: create build dir"

diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -21,6 +21,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Changed
 
 - Crypto functions on generic_unix platform now rely on MbedTLS instead of OpenSSL
+- Implement `atomvm:random/0` and `atomvm:rand_bytes/1` on top of `crypto:strong_rand_bytes/1`
 
 ### Added
 
@@ -37,6 +38,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 - Added STM32 cmake option `-DAVM_CFG_CONSOLE=` to select a different uart peripheral for the system console
 - Added `crypto:strong_rand_bytes/1` using Mbed-TLS
 
+### Removed
+
+- OpenSSL support, Mbed-TLS is required instead.
+
 ## [0.6.0-alpha.1] - 2023-10-09
 
 ### Added

diff --git a/src/platforms/generic_unix/lib/CMakeLists.txt b/src/platforms/generic_unix/lib/CMakeLists.txt
@@ -76,16 +76,6 @@ else()
     message("WARNING:  Could NOT find MbedTLS, ssl and crypto modules will not be supported. Install MbedTLS 3.x or try to set MBEDTLS_ROOT_DIR to installation prefix of MbedTLS 2.x")
 endif()
 
-# For now we still use OpenSSL for random
-find_package(OpenSSL)
-if (${OPENSSL_FOUND} STREQUAL TRUE)
-    target_include_directories(libAtomVM${PLATFORM_LIB_SUFFIX} PUBLIC ${OPENSSL_INCLUDE_DIR})
-    target_compile_definitions(libAtomVM${PLATFORM_LIB_SUFFIX} PUBLIC ATOMVM_HAS_OPENSSL)
-    target_link_libraries(libAtomVM${PLATFORM_LIB_SUFFIX} PUBLIC ${OPENSSL_CRYPTO_LIBRARY})
-else()
-    message("WARNING:  atomvm:random/0 and atomvm:rand_bytes/1 will not be supported.")
-endif()
-
 # enable by default dynamic loading on unix
 target_compile_definitions(libAtomVM${PLATFORM_LIB_SUFFIX} PUBLIC DYNLOAD_PORT_DRIVERS)
 target_link_libraries(libAtomVM${PLATFORM_LIB_SUFFIX} PUBLIC ${CMAKE_DL_LIBS})

diff --git a/src/platforms/generic_unix/lib/platform_nifs.c b/src/platforms/generic_unix/lib/platform_nifs.c
@@ -33,10 +33,6 @@
 #include "term.h"
 #include <stdlib.h>
 
-#if defined ATOMVM_HAS_OPENSSL
-#include <openssl/rand.h>
-#endif
-
 //#define ENABLE_TRACE
 #include "trace.h"
 
@@ -52,40 +48,23 @@
     ctx->x[1] = (error_type_atom);   \
     return term_invalid_term();
 
-#if defined ATOMVM_HAS_OPENSSL
-static term nif_openssl_rand_bytes(Context *ctx, int argc, term argv[])
-{
-    UNUSED(argc);
-    term t = argv[0];
-    VALIDATE_VALUE(t, term_is_any_integer);
-    avm_int_t n = term_maybe_unbox_int(t);
+#if ATOMVM_HAS_MBEDTLS
 
-    char *buf = malloc(n);
-    if (IS_NULL_PTR(buf)) {
-        RAISE_ERROR(OUT_OF_MEMORY_ATOM);
-    }
+// declared in otp_crypt
+term nif_crypto_strong_rand_bytes(Context *ctx, int argc, term argv[]);
 
-    int status = RAND_bytes((unsigned char *) buf, n);
-    if (UNLIKELY(status != 1)) {
-        free(buf);
-        RAISE_ERROR(LOW_ENTROPY_ATOM);
-    }
-
-    if (UNLIKELY(memory_ensure_free(ctx, term_binary_heap_size(n)) != MEMORY_GC_OK)) {
-        RAISE_ERROR(OUT_OF_MEMORY_ATOM);
-    }
-    term ret = term_from_literal_binary(buf, n, &ctx->heap, ctx->global);
-    free(buf);
-    return ret;
+static term nif_atomvm_rand_bytes(Context *ctx, int argc, term argv[])
+{
+    return nif_crypto_strong_rand_bytes(ctx, argc, argv);
 }
 
-static term nif_openssl_random(Context *ctx, int argc, term argv[])
+static term nif_atomvm_random(Context *ctx, int argc, term argv[])
 {
     UNUSED(ctx);
     UNUSED(argc);
     UNUSED(argv);
     term ra[1] = { term_from_int(4) };
-    term t = nif_openssl_rand_bytes(ctx, 1, ra);
+    term t = nif_atomvm_rand_bytes(ctx, 1, ra);
     if (term_is_invalid_term(t)) {
         return t;
     }
@@ -97,15 +76,15 @@ static term nif_openssl_random(Context *ctx, int argc, term argv[])
     return term_make_boxed_int(value, &ctx->heap);
 }
 
-static const struct Nif openssl_rand_bytes_nif =
+static const struct Nif atomvm_rand_bytes_nif =
 {
     .base.type = NIFFunctionType,
-    .nif_ptr = nif_openssl_rand_bytes
+    .nif_ptr = nif_atomvm_rand_bytes
 };
-static const struct Nif openssl_random_nif =
+static const struct Nif atomvm_random_nif =
 {
     .base.type = NIFFunctionType,
-    .nif_ptr = nif_openssl_random
+    .nif_ptr = nif_atomvm_random
 };
 #endif
 
@@ -126,14 +105,14 @@ static const struct Nif atomvm_platform_nif =
 
 const struct Nif *platform_nifs_get_nif(const char *nifname)
 {
-#if defined ATOMVM_HAS_OPENSSL
+#if ATOMVM_HAS_MBEDTLS
     if (strcmp("atomvm:rand_bytes/1", nifname) == 0) {
         TRACE("Resolved platform nif %s ...\n", nifname);
-        return &openssl_rand_bytes_nif;
+        return &atomvm_rand_bytes_nif;
     }
     if (strcmp("atomvm:random/0", nifname) == 0) {
         TRACE("Resolved platform nif %s ...\n", nifname);
-        return &openssl_random_nif;
+        return &atomvm_random_nif;
     }
 #endif
     if (strcmp("atomvm:platform/0", nifname) == 0) {