Packages

rabbit_common

3.7.14-rc.2
4.2.1 4.2.0 retired 4.2.0-rc.1 retired 4.1.6 4.1.5 retired 4.1.5-rc.2 retired 4.1.5-rc.1 4.0.3 4.0.3-rc.1 4.0.2 4.0.2-rc.2 4.0.2-rc.1 4.0.1 4.0.0 4.0.0-rc.2 4.0.0-rc.1 3.13.7 3.13.6 3.13.5 3.13.4 3.13.3 3.13.2 3.13.2-rc.1 3.13.1 3.13.0 3.13.0-rc.6 3.13.0-rc.5 3.13.0-rc.4 3.13.0-rc.3 3.13.0-rc.2 3.13.0-rc.1 3.12.14 3.12.13 3.12.12 3.12.11 3.12.10 3.12.9 3.12.8 3.12.7 3.12.6 3.12.5 3.12.4 3.12.3 3.12.2 3.12.1 3.12.0 3.12.0-rc.4 3.12.0-rc.3 3.12.0-rc.2 3.12.0-rc.1 3.11.28 3.11.27 3.11.26 3.11.25 3.11.24 3.11.23 3.11.22 3.11.21 3.11.20 3.11.19 3.11.18 3.11.17 3.11.16 3.11.15 3.11.14 3.11.13 3.11.12 3.11.11 3.11.10 3.11.9 3.11.8 3.11.7 3.11.6 3.11.5 3.11.4 3.11.3 3.11.2 3.11.1 3.11.0 3.11.0-rc.2 3.11.0-rc.1 3.11.0-1 3.10.25 3.10.24 3.10.23 3.10.22 3.10.21 3.10.20 3.10.19 3.10.18 3.10.17 3.10.16 3.10.15 3.10.14 3.10.13 3.10.12 3.10.11 3.10.10 3.10.9 3.10.8 3.10.7 3.10.6 3.10.5 3.10.4 3.10.3 3.10.2 3.10.1 3.10.0 3.10.0-rc.6 3.10.0-rc.5 3.9.29 3.9.28 3.9.27 3.9.26 3.9.25 3.9.24 3.9.23 3.9.22 3.9.21 3.9.20 3.9.19 3.9.18 3.9.17 3.9.16 3.9.15 3.9.11 3.9.10 3.9.9 3.9.8 3.9.7 3.9.6 3.9.5 3.9.4 3.9.3 3.9.2 3.9.1 3.8.35 3.8.34 3.8.33 3.8.32 3.8.31 3.8.30 3.8.26 3.8.25 3.8.24 3.8.23 3.8.22 3.8.21 3.8.20 3.8.19 3.8.14 3.8.12-rc.3 3.8.12-rc.2 3.8.12-rc.1 3.8.11 3.8.10 3.8.10-rc.6 3.8.10-rc.5 3.8.10-rc.1 3.8.9 3.8.8 3.8.7 3.8.6 3.8.6-rc.2 3.8.6-rc.1 3.8.5 3.8.5-rc.2 3.8.5-rc.1 3.8.4 3.8.4-rc.3 3.8.4-rc.1 3.8.3 3.8.3-rc.2 3.8.3-rc.1 3.8.2 3.8.2-rc.1 3.8.1 3.8.1-rc.1 3.8.0 3.8.0-rc.3 3.8.0-rc.2 3.8.0-rc.1 3.7.28 3.7.27 3.7.27-rc.2 3.7.27-rc.1 3.7.26 3.7.25 3.7.25-rc.1 3.7.24 3.7.24-rc.2 3.7.24-rc.1 3.7.23 3.7.23-rc.1 3.7.22 3.7.22-rc.2 3.7.22-rc.1 3.7.21 3.7.20 3.7.20-rc.2 3.7.20-rc.1 3.7.19 3.7.18 3.7.18-rc.1 3.7.17 3.7.17-rc.3 3.7.17-rc.2 3.7.17-rc.1 retired 3.7.16 retired 3.7.16-rc.4 retired 3.7.16-rc.3 retired 3.7.16-rc.2 retired 3.7.16-rc.1 retired 3.7.16-beta.1 3.7.15 3.7.14 3.7.14-rc.2 3.7.14-rc.1 3.7.13 3.7.13-rc.2 3.7.13-rc.1 3.7.12 3.7.12-rc.2 3.7.12-rc.1 3.7.11 3.7.11-rc.2 3.7.11-rc.1 3.7.10-rc.4 3.7.10-rc.3 3.7.10-rc.2 3.7.10-rc.1 3.7.9 3.7.9-rc.3 3.7.9-rc.2 3.7.8 3.7.8-rc.4 3.7.8-rc.3 3.7.8-rc.2 3.7.8-rc.1 3.7.7 3.7.7-rc.2 3.7.7-rc.1 3.7.6 3.7.6-rc.2 3.7.6-rc.1 3.7.5 3.7.5-rc.1 3.7.4 3.7.4-rc.4 3.7.4-rc.3 3.7.4-rc.2 3.7.4-rc.1 3.7.3 3.7.3-rc.2 3.7.3-rc.1 3.7.2 3.7.1 3.7.0-rc.2 3.7.0-alpha.544 3.7.0-alpha.542 3.6.16 3.6.16-rc.1 3.6.15 3.6.15-rc.1 3.6.14 3.6.13 3.6.12 3.6.11 3.6.10 3.6.9 3.6.8 3.6.7 3.6.7-pre.1 3.5.6 3.5.0 3.4.0 3.3.5 3.0.2 0.0.0-rc.1

Modules shared by rabbitmq-server and rabbitmq-erlang-client

Security advisory: This version has known vulnerabilities. View advisories

Current section

Files

Jump to
rabbit_common src rabbit_pbe.erl
Raw

src/rabbit_pbe.erl

%% The contents of this file are subject to the Mozilla Public License
%% Version 1.1 (the "License"); you may not use this file except in
%% compliance with the License. You may obtain a copy of the License
%% at https://www.mozilla.org/MPL/
%%
%% Software distributed under the License is distributed on an "AS IS"
%% basis, WITHOUT WARRANTY OF ANY KIND, either express or implied. See
%% the License for the specific language governing rights and
%% limitations under the License.
%%
%% The Original Code is RabbitMQ.
%%
%% The Initial Developer of the Original Code is GoPivotal, Inc.
%% Copyright (c) 2007-2017 Pivotal Software, Inc. All rights reserved.
%%
-module(rabbit_pbe).
-export([supported_ciphers/0, supported_hashes/0, default_cipher/0, default_hash/0, default_iterations/0]).
-export([encrypt_term/5, decrypt_term/5]).
-export([encrypt/5, decrypt/5]).
%% Supported ciphers and hashes
supported_ciphers() ->
NotSupportedByUs = [%% These ciphers should be supported in a future version.
aes_128_ccm, aes_192_ccm, aes_256_ccm,
aes_128_ctr, aes_192_ctr, aes_256_ctr,
aes_128_gcm, aes_192_gcm, aes_256_gcm,
chacha20, chacha20_poly1305,
%% These are aliases that correspond to multiple ciphers.
aes_ccm, aes_ctr, aes_gcm,
%% These ciphers will never be supported.
aes_ecb, blowfish_ecb, des_ecb, rc4],
SupportedByCrypto = proplists:get_value(ciphers, crypto:supports()),
lists:filter(fun(Cipher) ->
not lists:member(Cipher, NotSupportedByUs)
end,
SupportedByCrypto).
supported_hashes() ->
NotSupportedByUs = [md4, ripemd160],
SupportedByCrypto = proplists:get_value(hashs, crypto:supports()),
lists:filter(fun(Hash) ->
not lists:member(Hash, NotSupportedByUs)
end,
SupportedByCrypto).
%% Default encryption parameters (keep those in sync with rabbit.app.src)
default_cipher() ->
aes_cbc256.
default_hash() ->
sha512.
default_iterations() ->
1000.
%% Encryption/decryption of arbitrary Erlang terms.
encrypt_term(Cipher, Hash, Iterations, PassPhrase, Term) ->
encrypt(Cipher, Hash, Iterations, PassPhrase, term_to_binary(Term)).
decrypt_term(Cipher, Hash, Iterations, PassPhrase, Base64Binary) ->
binary_to_term(decrypt(Cipher, Hash, Iterations, PassPhrase, Base64Binary)).
%% The cipher for encryption is from the list of supported ciphers.
%% The hash for generating the key from the passphrase is from the list
%% of supported hashes. See crypto:supports/0 to obtain both lists.
%% The key is generated by applying the hash N times with N >= 1.
%%
%% The encrypt/5 function returns a base64 binary and the decrypt/5
%% function accepts that same base64 binary.
-spec encrypt(crypto:block_cipher(), crypto:hash_algorithms(),
pos_integer(), iodata(), binary()) -> binary().
encrypt(Cipher, Hash, Iterations, PassPhrase, ClearText) ->
Salt = crypto:strong_rand_bytes(16),
Ivec = crypto:strong_rand_bytes(iv_length(Cipher)),
Key = make_key(Cipher, Hash, Iterations, PassPhrase, Salt),
Binary = crypto:block_encrypt(Cipher, Key, Ivec, pad(Cipher, ClearText)),
base64:encode(<< Salt/binary, Ivec/binary, Binary/binary >>).
-spec decrypt(crypto:block_cipher(), crypto:hash_algorithms(),
pos_integer(), iodata(), binary()) -> binary().
decrypt(Cipher, Hash, Iterations, PassPhrase, Base64Binary) ->
IvLength = iv_length(Cipher),
<< Salt:16/binary, Ivec:IvLength/binary, Binary/bits >> = base64:decode(Base64Binary),
Key = make_key(Cipher, Hash, Iterations, PassPhrase, Salt),
unpad(crypto:block_decrypt(Cipher, Key, Ivec, Binary)).
%% Generate a key from a passphrase.
make_key(Cipher, Hash, Iterations, PassPhrase, Salt) ->
Key = pbdkdf2(PassPhrase, Salt, Iterations, key_length(Cipher),
fun crypto:hmac/4, Hash, hash_length(Hash)),
if
Cipher =:= des3_cbc; Cipher =:= des3_cbf; Cipher =:= des3_cfb;
Cipher =:= des_ede3; Cipher =:= des_ede3_cbc;
Cipher =:= des_ede3_cbf; Cipher =:= des_ede3_cfb ->
<< A:8/binary, B:8/binary, C:8/binary >> = Key,
[A, B, C];
true ->
Key
end.
%% Functions to pad/unpad input to a multiplier of block size.
pad(Cipher, Data) ->
BlockSize = block_size(Cipher),
N = BlockSize - (byte_size(Data) rem BlockSize),
Pad = list_to_binary(lists:duplicate(N, N)),
<<Data/binary, Pad/binary>>.
unpad(Data) ->
N = binary:last(Data),
binary:part(Data, 0, byte_size(Data) - N).
%% These functions are necessary because the current Erlang crypto interface
%% is lacking interfaces to the following OpenSSL functions:
%%
%% * int EVP_MD_size(const EVP_MD *md);
%% * int EVP_CIPHER_iv_length(const EVP_CIPHER *e);
%% * int EVP_CIPHER_key_length(const EVP_CIPHER *e);
%% * int EVP_CIPHER_block_size(const EVP_CIPHER *e);
hash_length(md4) -> 16;
hash_length(md5) -> 16;
hash_length(sha) -> 20;
hash_length(sha224) -> 28;
hash_length(sha3_224) -> 28;
hash_length(sha256) -> 32;
hash_length(sha3_256) -> 32;
hash_length(sha384) -> 48;
hash_length(sha3_384) -> 48;
hash_length(sha512) -> 64;
hash_length(sha3_512) -> 64;
hash_length(blake2b) -> 64;
hash_length(blake2s) -> 32.
iv_length(des_cbc) -> 8;
iv_length(des_cfb) -> 8;
iv_length(des3_cbc) -> 8;
iv_length(des3_cbf) -> 8;
iv_length(des3_cfb) -> 8;
iv_length(des_ede3) -> 8;
iv_length(des_ede3_cbf) -> 8;
iv_length(des_ede3_cfb) -> 8;
iv_length(des_ede3_cbc) -> 8;
iv_length(blowfish_cbc) -> 8;
iv_length(blowfish_cfb64) -> 8;
iv_length(blowfish_ofb64) -> 8;
iv_length(rc2_cbc) -> 8;
iv_length(aes_cbc) -> 16;
iv_length(aes_cbc128) -> 16;
iv_length(aes_cfb8) -> 16;
iv_length(aes_cfb128) -> 16;
iv_length(aes_cbc256) -> 16;
iv_length(aes_128_cbc) -> 16;
iv_length(aes_192_cbc) -> 16;
iv_length(aes_256_cbc) -> 16;
iv_length(aes_ige256) -> 32.
key_length(des_cbc) -> 8;
key_length(des_cfb) -> 8;
key_length(des3_cbc) -> 24;
key_length(des3_cbf) -> 24;
key_length(des3_cfb) -> 24;
key_length(des_ede3) -> 24;
key_length(des_ede3_cbf) -> 24;
key_length(des_ede3_cfb) -> 24;
key_length(des_ede3_cbc) -> 24;
key_length(blowfish_cbc) -> 16;
key_length(blowfish_cfb64) -> 16;
key_length(blowfish_ofb64) -> 16;
key_length(rc2_cbc) -> 16;
key_length(aes_cbc) -> 16;
key_length(aes_cbc128) -> 16;
key_length(aes_cfb8) -> 16;
key_length(aes_cfb128) -> 16;
key_length(aes_cbc256) -> 32;
key_length(aes_128_cbc) -> 16;
key_length(aes_192_cbc) -> 24;
key_length(aes_256_cbc) -> 32;
key_length(aes_ige256) -> 16.
block_size(aes_cbc) -> 32;
block_size(aes_cbc256) -> 32;
block_size(aes_cbc128) -> 32;
block_size(aes_128_cbc) -> 32;
block_size(aes_192_cbc) -> 32;
block_size(aes_256_cbc) -> 32;
block_size(aes_ige256) -> 32;
block_size(_) -> 8.
%% The following was taken from OTP's lib/public_key/src/pubkey_pbe.erl
%%
%% This is an undocumented interface to password-based encryption algorithms.
%% These functions have been copied here to stay compatible with R16B03.
%%--------------------------------------------------------------------
-spec pbdkdf2(iodata(), iodata(), integer(), integer(), fun(), atom(), integer())
-> binary().
%%
%% Description: Implements password based decryption key derive function 2.
%% Exported mainly for testing purposes.
%%--------------------------------------------------------------------
pbdkdf2(Password, Salt, Count, DerivedKeyLen, Prf, PrfHash, PrfOutputLen)->
NumBlocks = ceiling(DerivedKeyLen / PrfOutputLen),
NumLastBlockOctets = DerivedKeyLen - (NumBlocks - 1) * PrfOutputLen ,
blocks(NumBlocks, NumLastBlockOctets, 1, Password, Salt,
Count, Prf, PrfHash, PrfOutputLen, <<>>).
blocks(1, N, Index, Password, Salt, Count, Prf, PrfHash, PrfLen, Acc) ->
<<XorSum:N/binary, _/binary>> = xor_sum(Password, Salt, Count, Index, Prf, PrfHash, PrfLen),
<<Acc/binary, XorSum/binary>>;
blocks(NumBlocks, N, Index, Password, Salt, Count, Prf, PrfHash, PrfLen, Acc) ->
XorSum = xor_sum(Password, Salt, Count, Index, Prf, PrfHash, PrfLen),
blocks(NumBlocks -1, N, Index +1, Password, Salt, Count, Prf, PrfHash,
PrfLen, <<Acc/binary, XorSum/binary>>).
xor_sum(Password, Salt, Count, Index, Prf, PrfHash, PrfLen) ->
Result = Prf(PrfHash, Password, [Salt,<<Index:32/unsigned-big-integer>>], PrfLen),
do_xor_sum(Prf, PrfHash, PrfLen, Result, Password, Count-1, Result).
do_xor_sum(_, _, _, _, _, 0, Acc) ->
Acc;
do_xor_sum(Prf, PrfHash, PrfLen, Prev, Password, Count, Acc) ->
Result = Prf(PrfHash, Password, Prev, PrfLen),
do_xor_sum(Prf, PrfHash, PrfLen, Result, Password, Count-1, crypto:exor(Acc, Result)).
ceiling(Float) ->
erlang:round(Float + 0.5).