Deprecate the low level HMAC functions

Use of the low level HMAC functions has been informally discouraged for a long time. We now formally deprecate them. Applications should instead use EVP_MAC_CTX_new(3), EVP_MAC_CTX_free(3), EVP_MAC_init(3), EVP_MAC_update(3) and EVP_MAC_final(3). Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/10836)
author: Pauli <paul.dale@oracle.com> 2020-01-14 12:11:50 +1000
committer: Pauli <paul.dale@oracle.com> 2020-01-29 19:49:23 +1000
commit: dbde4726889a19af0a718fe9c5542f39c81acbd3 (patch)
tree: 371afa179289e0ba48e5a5c99520b139fd0f325f /apps
parent: fd4d283e7527cb711a4ff42d5ddcbc40828077f5 (diff)
2 files changed, 58 insertions, 5 deletions
diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c
index 7b81d60fe7..42a82ca33c 100644
--- a/apps/lib/s_cb.c
+++ b/apps/lib/s_cb.c
@@ -12,6 +12,8 @@
 #include <stdlib.h>
 #include <string.h> /* for memcpy() and strcmp() */
 #include "apps.h"
+#include <openssl/core_names.h>
+#include <openssl/params.h>
 #include <openssl/err.h>
 #include <openssl/rand.h>
 #include <openssl/x509.h>
@@ -729,10 +731,14 @@ void tlsext_cb(SSL *s, int client_server, int type,
 int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
                              unsigned int *cookie_len)
 {
-    unsigned char *buffer;
+    unsigned char *buffer = NULL;
     size_t length = 0;
     unsigned short port;
     BIO_ADDR *lpeer = NULL, *peer = NULL;
+    int res = 0;
+    EVP_MAC *hmac = NULL;
+    EVP_MAC_CTX *ctx = NULL;
+    OSSL_PARAM params[3], *p = params;
 
     /* Initialize a random secret */
     if (!cookie_initialized) {
@@ -770,13 +776,42 @@ int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
     BIO_ADDR_rawaddress(peer, buffer + sizeof(port), NULL);
 
     /* Calculate HMAC of buffer using the secret */
-    HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH,
-         buffer, length, cookie, cookie_len);
-
+    hmac = EVP_MAC_fetch(NULL, "HMAC", NULL);
+    if (hmac == NULL) {
+            BIO_printf(bio_err, "HMAC not found\n");
+            goto end;
+    }
+    ctx = EVP_MAC_CTX_new(hmac);
+    if (ctx == NULL) {
+            BIO_printf(bio_err, "HMAC context allocation failed\n");
+            goto end;
+    }
+    *p++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, "SHA1", 0);
+    *p++ = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, cookie_secret,
+                                             COOKIE_SECRET_LENGTH);
+    *p = OSSL_PARAM_construct_end();
+    if (!EVP_MAC_CTX_set_params(ctx, params)) {
+            BIO_printf(bio_err, "HMAC context parameter setting failed\n");
+            goto end;
+    }
+    if (!EVP_MAC_init(ctx)) {
+            BIO_printf(bio_err, "HMAC context initialisation failed\n");
+            goto end;
+    }
+    if (!EVP_MAC_update(ctx, buffer, length)) {
+            BIO_printf(bio_err, "HMAC context update failed\n");
+            goto end;
+    }
+    if (!EVP_MAC_final(ctx, cookie, NULL, (size_t)cookie_len)) {
+            BIO_printf(bio_err, "HMAC context final failed\n");
+            goto end;
+    }
+    res = 1;
+end:
     OPENSSL_free(buffer);
     BIO_ADDR_free(lpeer);
 
-    return 1;
+    return res;
 }
 
 int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
diff --git a/apps/speed.c b/apps/speed.c
index 40c8eacbae..a978bdf17a 100644
--- a/apps/speed.c
+++ b/apps/speed.c
@@ -279,7 +279,9 @@ const OPTIONS speed_options[] = {
 
     OPT_SECTION("Selection"),
     {"evp", OPT_EVP, 's', "Use EVP-named cipher or digest"},
+#ifndef OPENSSL_NO_DEPRECATED_3_0
     {"hmac", OPT_HMAC, 's', "HMAC using EVP-named digest"},
+#endif
 #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     {"cmac", OPT_CMAC, 's', "CMAC using EVP-named cipher"},
 #endif
@@ -340,7 +342,9 @@ static const OPT_PAIR doit_choices[] = {
 #endif
 #if !defined(OPENSSL_NO_MD5) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     {"md5", D_MD5},
+# ifndef OPENSSL_NO_DEPRECATED_3_0
     {"hmac", D_HMAC},
+# endif
 #endif
 #ifndef OPENSSL_NO_DEPRECATED_3_0
     {"sha1", D_SHA1},
@@ -558,7 +562,9 @@ typedef struct loopargs_st {
     size_t outlen[EC_NUM];
 #endif
     EVP_CIPHER_CTX *ctx;
+#ifndef OPENSSL_NO_DEPRECATED_3_0
     HMAC_CTX *hctx;
+#endif
 #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     CMAC_CTX *cmac_ctx;
 #endif
@@ -635,6 +641,7 @@ static int MD5_loop(void *args)
     return count;
 }
 
+# ifndef OPENSSL_NO_DEPRECATED_3_0
 static int HMAC_loop(void *args)
 {
     loopargs_t *tempargs = *(loopargs_t **) args;
@@ -650,6 +657,7 @@ static int HMAC_loop(void *args)
     }
     return count;
 }
+# endif
 #endif
 
 #ifndef OPENSSL_NO_DEPRECATED_3_0
@@ -970,6 +978,7 @@ static int EVP_Digest_loop(void *args)
     return count;
 }
 
+#ifndef OPENSSL_NO_DEPRECATED_3_0
 static const EVP_MD *evp_hmac_md = NULL;
 static char *evp_hmac_name = NULL;
 static int EVP_HMAC_loop(void *args)
@@ -986,6 +995,7 @@ static int EVP_HMAC_loop(void *args)
     }
     return count;
 }
+#endif
 
 #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_DEPRECATED_3_0)
 static const EVP_CIPHER *evp_cmac_cipher = NULL;
@@ -1617,6 +1627,7 @@ int speed_main(int argc, char **argv)
             doit[D_EVP] = 1;
             break;
         case OPT_HMAC:
+#ifndef OPENSSL_NO_DEPRECATED_3_0
             evp_hmac_md = EVP_get_digestbyname(opt_arg());
             if (evp_hmac_md == NULL) {
                 BIO_printf(bio_err, "%s: %s is an unknown digest\n",
@@ -1625,6 +1636,7 @@ int speed_main(int argc, char **argv)
             }
             doit[D_EVP_HMAC] = 1;
             break;
+#endif
         case OPT_CMAC:
 #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_DEPRECATED_3_0)
             evp_cmac_cipher = EVP_get_cipherbyname(opt_arg());
@@ -2301,6 +2313,7 @@ int speed_main(int argc, char **argv)
         }
     }
 
+# ifndef OPENSSL_NO_DEPRECATED_3_0
     if (doit[D_HMAC]) {
         static const char hmac_key[] = "This is a key...";
         int len = strlen(hmac_key);
@@ -2325,6 +2338,7 @@ int speed_main(int argc, char **argv)
         for (i = 0; i < loopargs_len; i++)
             HMAC_CTX_free(loopargs[i].hctx);
     }
+# endif
 #endif
 #ifndef OPENSSL_NO_DEPRECATED_3_0
     if (doit[D_SHA1]) {
@@ -2790,6 +2804,7 @@ int speed_main(int argc, char **argv)
         }
     }
 
+#ifndef OPENSSL_NO_DEPRECATED_3_0
     if (doit[D_EVP_HMAC] && evp_hmac_md != NULL) {
         const char *md_name = OBJ_nid2ln(EVP_MD_type(evp_hmac_md));
 
@@ -2807,6 +2822,7 @@ int speed_main(int argc, char **argv)
             print_result(D_EVP_HMAC, testnum, count, d);
         }
     }
+#endif
 
 #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     if (doit[D_EVP_CMAC] && evp_cmac_cipher != NULL) {
@@ -3709,7 +3725,9 @@ int speed_main(int argc, char **argv)
         OPENSSL_free(loopargs[i].secret_b);
 #endif
     }
+#ifndef OPENSSL_NO_DEPRECATED_3_0
     OPENSSL_free(evp_hmac_name);
+#endif
 #if !defined(OPENSSL_NO_CMAC) && !defined(OPENSSL_NO_DEPRECATED_3_0)
     OPENSSL_free(evp_cmac_name);
 #endif
author	Pauli <paul.dale@oracle.com>	2020-01-14 12:11:50 +1000
committer	Pauli <paul.dale@oracle.com>	2020-01-29 19:49:23 +1000
commit	dbde4726889a19af0a718fe9c5542f39c81acbd3 (patch)
tree	371afa179289e0ba48e5a5c99520b139fd0f325f /apps
parent	fd4d283e7527cb711a4ff42d5ddcbc40828077f5 (diff)