wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Add support for setting raw private HMAC keys

Browse source 
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5520)
This commit is contained in:
Matt Caswell 2018-03-05 15:13:43 +00:00
parent cc8b15c7e1
commit e32b52a27e
9 changed files with 59 additions and 19 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

4
apps/dgst.c
View file

@ -277,8 +277,8 @@ int dgst_main(int argc, char **argv)
}
if (hmac_key != NULL) {
sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, impl,
(unsigned char *)hmac_key, -1);
sigkey = EVP_PKEY_new_private_key(EVP_PKEY_HMAC, impl,
(unsigned char *)hmac_key, -1);
if (sigkey == NULL)
goto end;
}

6
crypto/evp/p_lib.c
View file

@ -219,7 +219,8 @@ static int pkey_set_type(EVP_PKEY *pkey, ENGINE *e, int type, const char *str,
return 1;
}
EVP_PKEY *EVP_PKEY_new_private_key(int type, ENGINE *e, unsigned char *priv,
EVP_PKEY *EVP_PKEY_new_private_key(int type, ENGINE *e,
const unsigned char *priv,
size_t len)
{
EVP_PKEY *ret = EVP_PKEY_new();
@ -248,7 +249,8 @@ EVP_PKEY *EVP_PKEY_new_private_key(int type, ENGINE *e, unsigned char *priv,
return NULL;
}
EVP_PKEY *EVP_PKEY_new_public_key(int type, ENGINE *e, unsigned char *pub,
EVP_PKEY *EVP_PKEY_new_public_key(int type, ENGINE *e,
const unsigned char *pub,
size_t len)
{
EVP_PKEY *ret = EVP_PKEY_new();

37
crypto/hmac/hm_ameth.c
View file

@ -11,6 +11,7 @@
#include "internal/cryptlib.h"
#include <openssl/evp.h>
#include "internal/asn1_int.h"
#include "internal/evp_int.h"
/*
* HMAC "ASN1" method. This is just here to indicate the maximum HMAC output
@ -49,6 +50,28 @@ static int hmac_pkey_public_cmp(const EVP_PKEY *a, const EVP_PKEY *b)
return ASN1_OCTET_STRING_cmp(EVP_PKEY_get0(a), EVP_PKEY_get0(b));
}
static int hmac_set_priv_key(EVP_PKEY *pkey, const unsigned char *priv,
size_t len)
{
ASN1_OCTET_STRING *os;
if (pkey->pkey.ptr != NULL)
return 0;
os = ASN1_OCTET_STRING_new();
if (os == NULL)
return 0;
if (!ASN1_OCTET_STRING_set(os, priv, len)) {
ASN1_OCTET_STRING_free(os);
return 0;
}
pkey->pkey.ptr = os;
return 1;
}
const EVP_PKEY_ASN1_METHOD hmac_asn1_meth = {
EVP_PKEY_HMAC,
EVP_PKEY_HMAC,
@ -67,5 +90,17 @@ const EVP_PKEY_ASN1_METHOD hmac_asn1_meth = {
hmac_key_free,
hmac_pkey_ctrl,
0, 0
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
hmac_set_priv_key,
NULL,
};

2
crypto/kdf/tls1_prf.c
View file

@ -193,7 +193,7 @@ static int tls1_prf_P_hash(const EVP_MD *md,
if (ctx == NULL || ctx_tmp == NULL || ctx_init == NULL)
goto err;
EVP_MD_CTX_set_flags(ctx_init, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
mac_key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, sec, sec_len);
mac_key = EVP_PKEY_new_private_key(EVP_PKEY_HMAC, NULL, sec, sec_len);
if (mac_key == NULL)
goto err;
if (!EVP_DigestSignInit(ctx_init, NULL, md, NULL, mac_key))

6
include/openssl/evp.h
View file

@ -1337,9 +1337,11 @@ void EVP_PKEY_CTX_set0_keygen_info(EVP_PKEY_CTX *ctx, int *dat, int datlen);
EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *e,
const unsigned char *key, int keylen);
EVP_PKEY *EVP_PKEY_new_private_key(int type, ENGINE *e, unsigned char *priv,
EVP_PKEY *EVP_PKEY_new_private_key(int type, ENGINE *e,
const unsigned char *priv,
size_t len);
EVP_PKEY *EVP_PKEY_new_public_key(int type, ENGINE *e, unsigned char *pub,
EVP_PKEY *EVP_PKEY_new_public_key(int type, ENGINE *e,
const unsigned char *pub,
size_t len);
void EVP_PKEY_CTX_set_data(EVP_PKEY_CTX *ctx, void *data);

3
ssl/statem/extensions.c
View file

@ -1559,7 +1559,8 @@ int tls_psk_do_binder(SSL *s, const EVP_MD *md, const unsigned char *msgstart,
goto err;
}
mackey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, finishedkey, hashsize);
mackey = EVP_PKEY_new_private_key(EVP_PKEY_HMAC, NULL, finishedkey,
hashsize);
if (mackey == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PSK_DO_BINDER,
ERR_R_INTERNAL_ERROR);

12
ssl/statem/extensions_srvr.c
View file

@ -752,9 +752,9 @@ int tls_parse_ctos_cookie(SSL *s, PACKET *pkt, unsigned int context, X509 *x,
/* Verify the HMAC of the cookie */
hctx = EVP_MD_CTX_create();
pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
s->session_ctx->ext.cookie_hmac_key,
sizeof(s->session_ctx->ext.cookie_hmac_key));
pkey = EVP_PKEY_new_private_key(EVP_PKEY_HMAC, NULL,
s->session_ctx->ext.cookie_hmac_key,
sizeof(s->session_ctx->ext.cookie_hmac_key));
if (hctx == NULL || pkey == NULL) {
EVP_MD_CTX_free(hctx);
EVP_PKEY_free(pkey);
@ -1762,9 +1762,9 @@ EXT_RETURN tls_construct_stoc_cookie(SSL *s, WPACKET *pkt, unsigned int context,
/* HMAC the cookie */
hctx = EVP_MD_CTX_create();
pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
s->session_ctx->ext.cookie_hmac_key,
sizeof(s->session_ctx->ext.cookie_hmac_key));
pkey = EVP_PKEY_new_private_key(EVP_PKEY_HMAC, NULL,
s->session_ctx->ext.cookie_hmac_key,
sizeof(s->session_ctx->ext.cookie_hmac_key));
if (hctx == NULL || pkey == NULL) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_CONSTRUCT_STOC_COOKIE,
ERR_R_MALLOC_FAILURE);

4
ssl/t1_enc.c
View file

@ -257,8 +257,8 @@ int tls1_change_cipher_state(SSL *s, int which)
if (!(EVP_CIPHER_flags(c) & EVP_CIPH_FLAG_AEAD_CIPHER)) {
/* TODO(size_t): Convert this function */
mac_key = EVP_PKEY_new_mac_key(mac_type, NULL,
mac_secret, (int)*mac_secret_size);
mac_key = EVP_PKEY_new_private_key(mac_type, NULL,
mac_secret, (int)*mac_secret_size);
if (mac_key == NULL
|| EVP_DigestSignInit(mac_ctx, NULL, m, NULL, mac_key) <= 0) {
EVP_PKEY_free(mac_key);

4
ssl/tls13_enc.c
View file

@ -248,10 +248,10 @@ size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen,
}
if (str == s->method->ssl3_enc->server_finished_label)
key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
key = EVP_PKEY_new_private_key(EVP_PKEY_HMAC, NULL,
s->server_finished_secret, hashlen);
else
key = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL,
key = EVP_PKEY_new_private_key(EVP_PKEY_HMAC, NULL,
s->client_finished_secret, hashlen);
if (key == NULL