The branch master has been updated via 56adb7d93721a72bfae532845cbebc4a565ceb65 (commit) via b8d77c9bd675b4128aeeafb4a738938460477a2e (commit) via e74a435f58441c6f1f6b4558c762e17d0ab67b7f (commit) via f71faf2753cc1b1cbba0da0997b70e5a908ac24b (commit) from cf4eea12046445fc418507d2d5e14956b4353495 (commit)
- Log ----------------------------------------------------------------- commit 56adb7d93721a72bfae532845cbebc4a565ceb65 Author: Richard Levitte <levi...@openssl.org> Date: Wed Oct 24 22:47:28 2018 +0200 Make sure at least one CMAC test still uses the EVP_PKEY method Reviewed-by: Paul Dale <paul.d...@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7484) commit b8d77c9bd675b4128aeeafb4a738938460477a2e Author: Richard Levitte <levi...@openssl.org> Date: Wed Oct 24 21:40:00 2018 +0200 Adapt other EVP code to use EVP_MAC instead of direct implementation calls The EVP_PKEY methods for CMAC and HMAC needed a rework, although it wasn't much change apart from name changes. This also meant that EVP_PKEY_new_CMAC_key() needed an adjustment. (the possibility to rewrite this function to work with any MAC is yet to be explored) Reviewed-by: Paul Dale <paul.d...@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7484) commit e74a435f58441c6f1f6b4558c762e17d0ab67b7f Author: Richard Levitte <levi...@openssl.org> Date: Wed Oct 24 21:35:00 2018 +0200 EVP_MAC: Integrate CMAC EVP_PKEY_METHOD into generic MAC EVP_PKEY_METHOD Reviewed-by: Paul Dale <paul.d...@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7484) commit f71faf2753cc1b1cbba0da0997b70e5a908ac24b Author: Richard Levitte <levi...@openssl.org> Date: Wed Oct 24 21:30:00 2018 +0200 EVP_MAC: Add CMAC implementation Reviewed-by: Paul Dale <paul.d...@oracle.com> (Merged from https://github.com/openssl/openssl/pull/7484) ----------------------------------------------------------------------- Summary of changes: crypto/cmac/build.info | 2 +- crypto/cmac/cm_ameth.c | 7 +- crypto/cmac/cm_meth.c | 164 +++++++++++++++++++++++++++++++ crypto/cmac/cm_pmeth.c | 161 ------------------------------ crypto/evp/c_allm.c | 3 + crypto/evp/p_lib.c | 8 +- crypto/evp/pkey_mac.c | 11 +-- crypto/include/internal/evp_int.h | 2 + doc/man3/EVP_MAC.pod | 8 -- doc/man7/EVP_MAC_CMAC.pod | 65 ++++++++++++ include/openssl/evp.h | 2 + test/recipes/30-test_evp_data/evpmac.txt | 2 +- 12 files changed, 248 insertions(+), 187 deletions(-) create mode 100644 crypto/cmac/cm_meth.c delete mode 100644 crypto/cmac/cm_pmeth.c create mode 100644 doc/man7/EVP_MAC_CMAC.pod diff --git a/crypto/cmac/build.info b/crypto/cmac/build.info index c8a4949..c460598 100644 --- a/crypto/cmac/build.info +++ b/crypto/cmac/build.info @@ -1,2 +1,2 @@ LIBS=../../libcrypto -SOURCE[../../libcrypto]=cmac.c cm_ameth.c cm_pmeth.c +SOURCE[../../libcrypto]=cmac.c cm_ameth.c cm_meth.c diff --git a/crypto/cmac/cm_ameth.c b/crypto/cmac/cm_ameth.c index a58454a..7126584 100644 --- a/crypto/cmac/cm_ameth.c +++ b/crypto/cmac/cm_ameth.c @@ -1,5 +1,5 @@ /* - * Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2010-2018 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -10,7 +10,6 @@ #include <stdio.h> #include "internal/cryptlib.h" #include <openssl/evp.h> -#include <openssl/cmac.h> #include "internal/asn1_int.h" /* @@ -25,8 +24,8 @@ static int cmac_size(const EVP_PKEY *pkey) static void cmac_key_free(EVP_PKEY *pkey) { - CMAC_CTX *cmctx = EVP_PKEY_get0(pkey); - CMAC_CTX_free(cmctx); + EVP_MAC_CTX *cmctx = EVP_PKEY_get0(pkey); + EVP_MAC_CTX_free(cmctx); } const EVP_PKEY_ASN1_METHOD cmac_asn1_meth = { diff --git a/crypto/cmac/cm_meth.c b/crypto/cmac/cm_meth.c new file mode 100644 index 0000000..7089936 --- /dev/null +++ b/crypto/cmac/cm_meth.c @@ -0,0 +1,164 @@ +/* + * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html + */ + +#include <stdio.h> +#include "internal/cryptlib.h" +#include <openssl/x509.h> +#include <openssl/x509v3.h> +#include <openssl/evp.h> +#include <openssl/cmac.h> +#include "internal/evp_int.h" + +/* local CMAC pkey structure */ + +/* typedef EVP_MAC_IMPL */ +struct evp_mac_impl_st { + /* tmpcipher and tmpengine are set to NULL after a CMAC_Init call */ + const EVP_CIPHER *tmpcipher; /* cached CMAC cipher */ + const ENGINE *tmpengine; /* cached CMAC cipher engine */ + CMAC_CTX *ctx; +}; + +static EVP_MAC_IMPL *cmac_new(void) +{ + EVP_MAC_IMPL *cctx; + + if ((cctx = OPENSSL_zalloc(sizeof(*cctx))) == NULL + || (cctx->ctx = CMAC_CTX_new()) == NULL) { + OPENSSL_free(cctx); + cctx = NULL; + } + + return cctx; +} + +static void cmac_free(EVP_MAC_IMPL *cctx) +{ + if (cctx != NULL) { + CMAC_CTX_free(cctx->ctx); + OPENSSL_free(cctx); + } +} + +static int cmac_copy(EVP_MAC_IMPL *cdst, EVP_MAC_IMPL *csrc) +{ + if (!CMAC_CTX_copy(cdst->ctx, csrc->ctx)) + return 0; + + cdst->tmpengine = csrc->tmpengine; + cdst->tmpcipher = csrc->tmpcipher; + return 1; +} + +static size_t cmac_size(EVP_MAC_IMPL *cctx) +{ + return EVP_CIPHER_CTX_block_size(CMAC_CTX_get0_cipher_ctx(cctx->ctx)); +} + +static int cmac_init(EVP_MAC_IMPL *cctx) +{ + int rv = CMAC_Init(cctx->ctx, NULL, 0, cctx->tmpcipher, + (ENGINE *)cctx->tmpengine); + cctx->tmpcipher = NULL; + cctx->tmpengine = NULL; + + return rv; +} + +static int cmac_update(EVP_MAC_IMPL *cctx, const unsigned char *data, + size_t datalen) +{ + return CMAC_Update(cctx->ctx, data, datalen); +} + +static int cmac_final(EVP_MAC_IMPL *cctx, unsigned char *out) +{ + size_t hlen; + + return CMAC_Final(cctx->ctx, out, &hlen); +} + +static int cmac_ctrl(EVP_MAC_IMPL *cctx, int cmd, va_list args) +{ + switch (cmd) { + case EVP_MAC_CTRL_SET_KEY: + { + const unsigned char *key = va_arg(args, const unsigned char *); + size_t keylen = va_arg(args, size_t); + int rv = CMAC_Init(cctx->ctx, key, keylen, cctx->tmpcipher, + (ENGINE *)cctx->tmpengine); + + cctx->tmpcipher = NULL; + cctx->tmpengine = NULL; + + return rv; + } + break; + case EVP_MAC_CTRL_SET_CIPHER: + cctx->tmpcipher = va_arg(args, const EVP_CIPHER *); + break; + case EVP_MAC_CTRL_SET_ENGINE: + cctx->tmpengine = va_arg(args, const ENGINE *); + break; + default: + return -2; + } + return 1; +} + +static int cmac_ctrl_int(EVP_MAC_IMPL *hctx, int cmd, ...) +{ + int rv; + va_list args; + + va_start(args, cmd); + rv = cmac_ctrl(hctx, cmd, args); + va_end(args); + + return rv; +} + +static int cmac_ctrl_str_cb(void *hctx, int cmd, void *buf, size_t buflen) +{ + return cmac_ctrl_int(hctx, cmd, buf, buflen); +} + +static int cmac_ctrl_str(EVP_MAC_IMPL *cctx, const char *type, + const char *value) +{ + if (!value) + return 0; + if (strcmp(type, "cipher") == 0) { + const EVP_CIPHER *c = EVP_get_cipherbyname(value); + + if (c == NULL) + return 0; + return cmac_ctrl_int(cctx, EVP_MAC_CTRL_SET_CIPHER, c); + } + if (strcmp(type, "key") == 0) + return EVP_str2ctrl(cmac_ctrl_str_cb, cctx, EVP_MAC_CTRL_SET_KEY, + value); + if (strcmp(type, "hexkey") == 0) + return EVP_hex2ctrl(cmac_ctrl_str_cb, cctx, EVP_MAC_CTRL_SET_KEY, + value); + return -2; +} + +const EVP_MAC cmac_meth = { + EVP_MAC_CMAC, + cmac_new, + cmac_copy, + cmac_free, + cmac_size, + cmac_init, + cmac_update, + cmac_final, + cmac_ctrl, + cmac_ctrl_str +}; diff --git a/crypto/cmac/cm_pmeth.c b/crypto/cmac/cm_pmeth.c deleted file mode 100644 index 10748f1..0000000 --- a/crypto/cmac/cm_pmeth.c +++ /dev/null @@ -1,161 +0,0 @@ -/* - * Copyright 2010-2016 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include <stdio.h> -#include "internal/cryptlib.h" -#include <openssl/x509.h> -#include <openssl/x509v3.h> -#include <openssl/evp.h> -#include <openssl/cmac.h> -#include "internal/evp_int.h" - -/* The context structure and "key" is simply a CMAC_CTX */ - -static int pkey_cmac_init(EVP_PKEY_CTX *ctx) -{ - ctx->data = CMAC_CTX_new(); - if (ctx->data == NULL) - return 0; - ctx->keygen_info_count = 0; - return 1; -} - -static int pkey_cmac_copy(EVP_PKEY_CTX *dst, EVP_PKEY_CTX *src) -{ - if (!pkey_cmac_init(dst)) - return 0; - if (!CMAC_CTX_copy(dst->data, src->data)) - return 0; - return 1; -} - -static void pkey_cmac_cleanup(EVP_PKEY_CTX *ctx) -{ - CMAC_CTX_free(ctx->data); -} - -static int pkey_cmac_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) -{ - CMAC_CTX *cmkey = CMAC_CTX_new(); - CMAC_CTX *cmctx = ctx->data; - if (cmkey == NULL) - return 0; - if (!CMAC_CTX_copy(cmkey, cmctx)) { - CMAC_CTX_free(cmkey); - return 0; - } - EVP_PKEY_assign(pkey, EVP_PKEY_CMAC, cmkey); - - return 1; -} - -static int int_update(EVP_MD_CTX *ctx, const void *data, size_t count) -{ - if (!CMAC_Update(EVP_MD_CTX_pkey_ctx(ctx)->data, data, count)) - return 0; - return 1; -} - -static int cmac_signctx_init(EVP_PKEY_CTX *ctx, EVP_MD_CTX *mctx) -{ - EVP_MD_CTX_set_flags(mctx, EVP_MD_CTX_FLAG_NO_INIT); - EVP_MD_CTX_set_update_fn(mctx, int_update); - return 1; -} - -static int cmac_signctx(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, - EVP_MD_CTX *mctx) -{ - return CMAC_Final(ctx->data, sig, siglen); -} - -static int pkey_cmac_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) -{ - CMAC_CTX *cmctx = ctx->data; - switch (type) { - - case EVP_PKEY_CTRL_SET_MAC_KEY: - if (!p2 || p1 < 0) - return 0; - if (!CMAC_Init(cmctx, p2, p1, NULL, NULL)) - return 0; - break; - - case EVP_PKEY_CTRL_CIPHER: - if (!CMAC_Init(cmctx, NULL, 0, p2, ctx->engine)) - return 0; - break; - - case EVP_PKEY_CTRL_MD: - if (ctx->pkey && !CMAC_CTX_copy(ctx->data, - (CMAC_CTX *)ctx->pkey->pkey.ptr)) - return 0; - if (!CMAC_Init(cmctx, NULL, 0, NULL, NULL)) - return 0; - break; - - default: - return -2; - - } - return 1; -} - -static int pkey_cmac_ctrl_str(EVP_PKEY_CTX *ctx, - const char *type, const char *value) -{ - if (!value) { - return 0; - } - if (strcmp(type, "cipher") == 0) { - const EVP_CIPHER *c; - c = EVP_get_cipherbyname(value); - if (!c) - return 0; - return pkey_cmac_ctrl(ctx, EVP_PKEY_CTRL_CIPHER, -1, (void *)c); - } - if (strcmp(type, "key") == 0) - return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_SET_MAC_KEY, value); - if (strcmp(type, "hexkey") == 0) - return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_SET_MAC_KEY, value); - return -2; -} - -const EVP_PKEY_METHOD cmac_pkey_meth = { - EVP_PKEY_CMAC, - EVP_PKEY_FLAG_SIGCTX_CUSTOM, - pkey_cmac_init, - pkey_cmac_copy, - pkey_cmac_cleanup, - - 0, 0, - - 0, - pkey_cmac_keygen, - - 0, 0, - - 0, 0, - - 0, 0, - - cmac_signctx_init, - cmac_signctx, - - 0, 0, - - 0, 0, - - 0, 0, - - 0, 0, - - pkey_cmac_ctrl, - pkey_cmac_ctrl_str -}; diff --git a/crypto/evp/c_allm.c b/crypto/evp/c_allm.c index d5eb858..862b639 100644 --- a/crypto/evp/c_allm.c +++ b/crypto/evp/c_allm.c @@ -12,4 +12,7 @@ void openssl_add_all_macs_int(void) { +#ifndef OPENSSL_NO_CMAC + EVP_add_mac(&cmac_meth); +#endif } diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c index 9429be9..154ef78 100644 --- a/crypto/evp/p_lib.c +++ b/crypto/evp/p_lib.c @@ -319,7 +319,7 @@ EVP_PKEY *EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv, { #ifndef OPENSSL_NO_CMAC EVP_PKEY *ret = EVP_PKEY_new(); - CMAC_CTX *cmctx = CMAC_CTX_new(); + EVP_MAC_CTX *cmctx = EVP_MAC_CTX_new_id(EVP_MAC_CMAC); if (ret == NULL || cmctx == NULL @@ -328,7 +328,9 @@ EVP_PKEY *EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv, goto err; } - if (!CMAC_Init(cmctx, priv, len, cipher, e)) { + if (EVP_MAC_ctrl(cmctx, EVP_MAC_CTRL_SET_ENGINE, e) <= 0 + || EVP_MAC_ctrl(cmctx, EVP_MAC_CTRL_SET_CIPHER, cipher) <= 0 + || EVP_MAC_ctrl(cmctx, EVP_MAC_CTRL_SET_KEY, priv, len) <= 0) { EVPerr(EVP_F_EVP_PKEY_NEW_CMAC_KEY, EVP_R_KEY_SETUP_FAILED); goto err; } @@ -338,7 +340,7 @@ EVP_PKEY *EVP_PKEY_new_CMAC_key(ENGINE *e, const unsigned char *priv, err: EVP_PKEY_free(ret); - CMAC_CTX_free(cmctx); + EVP_MAC_CTX_free(cmctx); return NULL; #else EVPerr(EVP_F_EVP_PKEY_NEW_CMAC_KEY, diff --git a/crypto/evp/pkey_mac.c b/crypto/evp/pkey_mac.c index d4aa585..ecf70bb 100644 --- a/crypto/evp/pkey_mac.c +++ b/crypto/evp/pkey_mac.c @@ -327,15 +327,8 @@ static int pkey_mac_ctrl_str(EVP_PKEY_CTX *ctx, return EVP_MAC_ctrl_str(hctx->ctx, type, value); } -/* - * When this is actually used, the following will be replaced with real - * EVP_PKEY_METHODs, all exactly the same apart from the type and possibly - * the flags. - */ - -extern const EVP_PKEY_METHOD FAKE_pkey_meth; -const EVP_PKEY_METHOD FAKE_pkey_meth = { - 20870442 /* EVP_PKEY_FAKE, a beast times 31337 (you do the math) */, +const EVP_PKEY_METHOD cmac_pkey_meth = { + EVP_PKEY_CMAC, EVP_PKEY_FLAG_SIGCTX_CUSTOM, pkey_mac_init, pkey_mac_copy, diff --git a/crypto/include/internal/evp_int.h b/crypto/include/internal/evp_int.h index dadade3..8bbc23b 100644 --- a/crypto/include/internal/evp_int.h +++ b/crypto/include/internal/evp_int.h @@ -128,6 +128,8 @@ struct evp_mac_st { int (*ctrl_str) (EVP_MAC_IMPL *macctx, const char *type, const char *value); }; +extern const EVP_MAC cmac_meth; + /* * This function is internal for now, but can be made external when needed. * The documentation would read: diff --git a/doc/man3/EVP_MAC.pod b/doc/man3/EVP_MAC.pod index a30f3fa..2b48940 100644 --- a/doc/man3/EVP_MAC.pod +++ b/doc/man3/EVP_MAC.pod @@ -326,16 +326,8 @@ F<./foo>) =head1 SEE ALSO -=begin comment - -Add links to existing implementations in this form: - L<EVP_MAC_CMAC(7)> -Make sure the documentation exists in doc/man7/ - -=end comment - =head1 COPYRIGHT Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. diff --git a/doc/man7/EVP_MAC_CMAC.pod b/doc/man7/EVP_MAC_CMAC.pod new file mode 100644 index 0000000..bb37472 --- /dev/null +++ b/doc/man7/EVP_MAC_CMAC.pod @@ -0,0 +1,65 @@ +=pod + +=head1 NAME + +EVP_MAC_CMAC - The CMAC EVP_MAC implementation + +=head1 DESCRIPTION + +Support for computing CMAC MACs through the B<EVP_MAC> API. + +=head2 Numeric identity + +B<EVP_MAC_CMAC> is the numeric identity for this implementation, and +can be used in functions like EVP_MAC_CTX_new_id() and +EVP_get_macbynid(). + +=head2 Supported controls + +The supported controls are: + +=over 4 + +=item B<EVP_MAC_CTRL_SET_KEY> + +EVP_MAC_ctrl_str() takes to type string for this control: + +=over 4 + +=item "key" + +The value string is used as is. + +=item "hexkey" + +The value string is expected to be a hexadecimal number, which will be +decoded before passing on as control value. + +=back + +=item B<EVP_MAC_CTRL_SET_ENGINE> + +=item B<EVP_MAC_CTRL_SET_CIPHER> + +These work as described in L<EVP_MAC(3)/CONTROLS>. + +EVP_MAC_ctrl_str() type string for B<EVP_MAC_CTRL_SET_CIPHER>: "cipher" + +The value is expected to be the name of a cipher. + +=back + +=head1 SEE ALSO + +L<EVP_MAC_ctrl(3)>, L<EVP_MAC(3)/CONTROLS> + +=head1 COPYRIGHT + +Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. + +Licensed under the OpenSSL license (the "License"). You may not use +this file except in compliance with the License. You can obtain a copy +in the file LICENSE in the source distribution or at +L<https://www.openssl.org/source/license.html>. + +=cut diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 4b4c956..5e6c039 100644 --- a/include/openssl/evp.h +++ b/include/openssl/evp.h @@ -987,6 +987,8 @@ void EVP_MD_do_all_sorted(void (*fn) /* MAC stuff */ +# define EVP_MAC_CMAC NID_cmac + EVP_MAC_CTX *EVP_MAC_CTX_new(const EVP_MAC *mac); EVP_MAC_CTX *EVP_MAC_CTX_new_id(int nid); void EVP_MAC_CTX_free(EVP_MAC_CTX *ctx); diff --git a/test/recipes/30-test_evp_data/evpmac.txt b/test/recipes/30-test_evp_data/evpmac.txt index 4ec5fa4..2506e7d 100644 --- a/test/recipes/30-test_evp_data/evpmac.txt +++ b/test/recipes/30-test_evp_data/evpmac.txt @@ -360,7 +360,7 @@ Key = 77A77FAF290C1FA30C683DF16BA7A77B Input = 020683E1F0392F4CAC54318B6029259E9C553DBC4B6AD998E64D58E4E7DC2E13 Output = FBFEA41BF9740CB501F1292C21CEBB40 -MAC = CMAC +MAC = CMAC by EVP_PKEY Algorithm = AES-192-CBC Key = 7B32391369AA4CA97558095BE3C3EC862BD057CEF1E32D62 Input = _____ openssl-commits mailing list To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-commits