diff options
author | Pauli <paul.dale@oracle.com> | 2020-01-14 12:11:50 +1000 |
---|---|---|
committer | Pauli <paul.dale@oracle.com> | 2020-01-29 19:49:23 +1000 |
commit | dbde4726889a19af0a718fe9c5542f39c81acbd3 (patch) | |
tree | 371afa179289e0ba48e5a5c99520b139fd0f325f /apps | |
parent | fd4d283e7527cb711a4ff42d5ddcbc40828077f5 (diff) |
Deprecate the low level HMAC functions
Use of the low level HMAC functions has been informally discouraged for a
long time. We now formally deprecate them.
Applications should instead use EVP_MAC_CTX_new(3), EVP_MAC_CTX_free(3),
EVP_MAC_init(3), EVP_MAC_update(3) and EVP_MAC_final(3).
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/10836)
Diffstat (limited to 'apps')
-rw-r--r-- | apps/lib/s_cb.c | 45 | ||||
-rw-r--r-- | apps/speed.c | 18 |
2 files changed, 58 insertions, 5 deletions
diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c index 7b81d60fe7..42a82ca33c 100644 --- a/apps/lib/s_cb.c +++ b/apps/lib/s_cb.c @@ -12,6 +12,8 @@ #include <stdlib.h> #include <string.h> /* for memcpy() and strcmp() */ #include "apps.h" +#include <openssl/core_names.h> +#include <openssl/params.h> #include <openssl/err.h> #include <openssl/rand.h> #include <openssl/x509.h> @@ -729,10 +731,14 @@ void tlsext_cb(SSL *s, int client_server, int type, int generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len) { - unsigned char *buffer; + unsigned char *buffer = NULL; size_t length = 0; unsigned short port; BIO_ADDR *lpeer = NULL, *peer = NULL; + int res = 0; + EVP_MAC *hmac = NULL; + EVP_MAC_CTX *ctx = NULL; + OSSL_PARAM params[3], *p = params; /* Initialize a random secret */ if (!cookie_initialized) { @@ -770,13 +776,42 @@ int generate_cookie_callback(SSL *ssl, unsigned char *cookie, BIO_ADDR_rawaddress(peer, buffer + sizeof(port), NULL); /* Calculate HMAC of buffer using the secret */ - HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH, - buffer, length, cookie, cookie_len); - + hmac = EVP_MAC_fetch(NULL, "HMAC", NULL); + if (hmac == NULL) { + BIO_printf(bio_err, "HMAC not found\n"); + goto end; + } + ctx = EVP_MAC_CTX_new(hmac); + if (ctx == NULL) { + BIO_printf(bio_err, "HMAC context allocation failed\n"); + goto end; + } + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, "SHA1", 0); + *p++ = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, cookie_secret, + COOKIE_SECRET_LENGTH); + *p = OSSL_PARAM_construct_end(); + if (!EVP_MAC_CTX_set_params(ctx, params)) { + BIO_printf(bio_err, "HMAC context parameter setting failed\n"); + goto end; + } + if (!EVP_MAC_init(ctx)) { + BIO_printf(bio_err, "HMAC context initialisation failed\n"); + goto end; + } + if (!EVP_MAC_update(ctx, buffer, length)) { + BIO_printf(bio_err, "HMAC context update failed\n"); + goto end; + } + if (!EVP_MAC_final(ctx, cookie, NULL, (size_t)cookie_len)) { + BIO_printf(bio_err, "HMAC context final failed\n"); + goto end; + } + res = 1; +end: OPENSSL_free(buffer); BIO_ADDR_free(lpeer); - return 1; + return res; } int verify_cookie_callback(SSL *ssl, const unsigned char *cookie, diff --git a/apps/speed.c b/apps/speed.c index 40c8eacbae..a978bdf17a 100644 --- a/apps/speed.c +++ b/apps/speed.c @@ -279,7 +279,9 @@ const OPTIONS speed_options[] = { OPT_SECTION("Selection"), {"evp", OPT_EVP, 's', "Use EVP-named cipher or digest"}, +#ifndef OPENSSL_NO_DEPRECATED_3_0 {"hmac", OPT_HMAC, 's', "HMAC using EVP-named digest"}, +#endif #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_DEPRECATED_3_0) {"cmac", OPT_CMAC, 's', "CMAC using EVP-named cipher"}, #endif @@ -340,7 +342,9 @@ static const OPT_PAIR doit_choices[] = { #endif #if !defined(OPENSSL_NO_MD5) && !defined(OPENSSL_NO_DEPRECATED_3_0) {"md5", D_MD5}, +# ifndef OPENSSL_NO_DEPRECATED_3_0 {"hmac", D_HMAC}, +# endif #endif #ifndef OPENSSL_NO_DEPRECATED_3_0 {"sha1", D_SHA1}, @@ -558,7 +562,9 @@ typedef struct loopargs_st { size_t outlen[EC_NUM]; #endif EVP_CIPHER_CTX *ctx; +#ifndef OPENSSL_NO_DEPRECATED_3_0 HMAC_CTX *hctx; +#endif #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_DEPRECATED_3_0) CMAC_CTX *cmac_ctx; #endif @@ -635,6 +641,7 @@ static int MD5_loop(void *args) return count; } +# ifndef OPENSSL_NO_DEPRECATED_3_0 static int HMAC_loop(void *args) { loopargs_t *tempargs = *(loopargs_t **) args; @@ -650,6 +657,7 @@ static int HMAC_loop(void *args) } return count; } +# endif #endif #ifndef OPENSSL_NO_DEPRECATED_3_0 @@ -970,6 +978,7 @@ static int EVP_Digest_loop(void *args) return count; } +#ifndef OPENSSL_NO_DEPRECATED_3_0 static const EVP_MD *evp_hmac_md = NULL; static char *evp_hmac_name = NULL; static int EVP_HMAC_loop(void *args) @@ -986,6 +995,7 @@ static int EVP_HMAC_loop(void *args) } return count; } +#endif #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_DEPRECATED_3_0) static const EVP_CIPHER *evp_cmac_cipher = NULL; @@ -1617,6 +1627,7 @@ int speed_main(int argc, char **argv) doit[D_EVP] = 1; break; case OPT_HMAC: +#ifndef OPENSSL_NO_DEPRECATED_3_0 evp_hmac_md = EVP_get_digestbyname(opt_arg()); if (evp_hmac_md == NULL) { BIO_printf(bio_err, "%s: %s is an unknown digest\n", @@ -1625,6 +1636,7 @@ int speed_main(int argc, char **argv) } doit[D_EVP_HMAC] = 1; break; +#endif case OPT_CMAC: #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_DEPRECATED_3_0) evp_cmac_cipher = EVP_get_cipherbyname(opt_arg()); @@ -2301,6 +2313,7 @@ int speed_main(int argc, char **argv) } } +# ifndef OPENSSL_NO_DEPRECATED_3_0 if (doit[D_HMAC]) { static const char hmac_key[] = "This is a key..."; int len = strlen(hmac_key); @@ -2325,6 +2338,7 @@ int speed_main(int argc, char **argv) for (i = 0; i < loopargs_len; i++) HMAC_CTX_free(loopargs[i].hctx); } +# endif #endif #ifndef OPENSSL_NO_DEPRECATED_3_0 if (doit[D_SHA1]) { @@ -2790,6 +2804,7 @@ int speed_main(int argc, char **argv) } } +#ifndef OPENSSL_NO_DEPRECATED_3_0 if (doit[D_EVP_HMAC] && evp_hmac_md != NULL) { const char *md_name = OBJ_nid2ln(EVP_MD_type(evp_hmac_md)); @@ -2807,6 +2822,7 @@ int speed_main(int argc, char **argv) print_result(D_EVP_HMAC, testnum, count, d); } } +#endif #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_DEPRECATED_3_0) if (doit[D_EVP_CMAC] && evp_cmac_cipher != NULL) { @@ -3709,7 +3725,9 @@ int speed_main(int argc, char **argv) OPENSSL_free(loopargs[i].secret_b); #endif } +#ifndef OPENSSL_NO_DEPRECATED_3_0 OPENSSL_free(evp_hmac_name); +#endif #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_DEPRECATED_3_0) OPENSSL_free(evp_cmac_name); #endif |