diff options
| author | Matt Caswell <matt@openssl.org> | 2020-08-11 16:17:00 +0100 |
|---|---|---|
| committer | Pauli <paul.dale@oracle.com> | 2020-08-29 17:40:11 +1000 |
| commit | a540ef90f55c1e10feb709d09332dfa352d9f33e (patch) | |
| tree | 83e75d2fae109f51af8c0583e94f4252e9198412 /providers | |
| parent | 4db71d0175ed42586bcd4e6527caacbd18602adf (diff) | |
Extend the provider MAC bridge for CMAC
The previous commits added support for HMAC, SIPHASH and Poly1305 into
the provider MAC bridge. We now extend that for CMAC too.
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/12637)
Diffstat (limited to 'providers')
| -rw-r--r-- | providers/common/provider_util.c | 2 | ||||
| -rw-r--r-- | providers/defltprov.c | 6 | ||||
| -rw-r--r-- | providers/fips/fipsprov.c | 6 | ||||
| -rw-r--r-- | providers/implementations/include/prov/implementations.h | 2 | ||||
| -rw-r--r-- | providers/implementations/include/prov/macsignature.h | 5 | ||||
| -rw-r--r-- | providers/implementations/keymgmt/mac_legacy_kmgmt.c | 153 | ||||
| -rw-r--r-- | providers/implementations/signature/mac_legacy.c | 10 |
7 files changed, 173 insertions, 11 deletions
diff --git a/providers/common/provider_util.c b/providers/common/provider_util.c index f6155e7dce..1b02d70b78 100644 --- a/providers/common/provider_util.c +++ b/providers/common/provider_util.c @@ -50,7 +50,7 @@ static int load_common(const OSSL_PARAM params[], const char **propquery, /* TODO legacy stuff, to be removed */ /* Inside the FIPS module, we don't support legacy ciphers */ #if !defined(FIPS_MODULE) && !defined(OPENSSL_NO_ENGINE) - p = OSSL_PARAM_locate_const(params, "engine"); + p = OSSL_PARAM_locate_const(params, OSSL_ALG_PARAM_ENGINE); if (p != NULL) { if (p->data_type != OSSL_PARAM_UTF8_STRING) return 0; diff --git a/providers/defltprov.c b/providers/defltprov.c index 34d2fb29f4..ff5768af74 100644 --- a/providers/defltprov.c +++ b/providers/defltprov.c @@ -369,6 +369,9 @@ static const OSSL_ALGORITHM deflt_signature[] = { #ifndef OPENSSL_NO_POLY1305 { "POLY1305", "provider=default", mac_poly1305_signature_functions }, #endif +#ifndef OPENSSL_NO_CMAC + { "CMAC", "provider=default", mac_cmac_signature_functions }, +#endif { NULL, NULL, NULL } }; @@ -402,6 +405,9 @@ static const OSSL_ALGORITHM deflt_keymgmt[] = { #ifndef OPENSSL_NO_POLY1305 { "POLY1305", "provider=default", mac_keymgmt_functions }, #endif +#ifndef OPENSSL_NO_CMAC + { "CMAC", "provider=default", cmac_keymgmt_functions }, +#endif { NULL, NULL, NULL } }; diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c index 745d5320ba..0ab24434ba 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c @@ -437,6 +437,9 @@ static const OSSL_ALGORITHM fips_signature[] = { { "ECDSA", FIPS_DEFAULT_PROPERTIES, ecdsa_signature_functions }, #endif { "HMAC", FIPS_DEFAULT_PROPERTIES, mac_hmac_signature_functions }, +#ifndef OPENSSL_NO_CMAC + { "CMAC", FIPS_DEFAULT_PROPERTIES, mac_cmac_signature_functions }, +#endif { NULL, NULL, NULL } }; @@ -466,6 +469,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = { { "TLS1-PRF", FIPS_DEFAULT_PROPERTIES, kdf_keymgmt_functions }, { "HKDF", FIPS_DEFAULT_PROPERTIES, kdf_keymgmt_functions }, { "HMAC", FIPS_DEFAULT_PROPERTIES, mac_keymgmt_functions }, +#ifndef OPENSSL_NO_CMAC + { "CMAC", FIPS_DEFAULT_PROPERTIES, cmac_keymgmt_functions }, +#endif { NULL, NULL, NULL } }; diff --git a/providers/implementations/include/prov/implementations.h b/providers/implementations/include/prov/implementations.h index fe5fbef57a..e266bd7554 100644 --- a/providers/implementations/include/prov/implementations.h +++ b/providers/implementations/include/prov/implementations.h @@ -279,6 +279,7 @@ extern const OSSL_DISPATCH ed448_keymgmt_functions[]; extern const OSSL_DISPATCH ec_keymgmt_functions[]; extern const OSSL_DISPATCH kdf_keymgmt_functions[]; extern const OSSL_DISPATCH mac_keymgmt_functions[]; +extern const OSSL_DISPATCH cmac_keymgmt_functions[]; /* Key Exchange */ extern const OSSL_DISPATCH dh_keyexch_functions[]; @@ -298,6 +299,7 @@ extern const OSSL_DISPATCH ecdsa_signature_functions[]; extern const OSSL_DISPATCH mac_hmac_signature_functions[]; extern const OSSL_DISPATCH mac_siphash_signature_functions[]; extern const OSSL_DISPATCH mac_poly1305_signature_functions[]; +extern const OSSL_DISPATCH mac_cmac_signature_functions[]; /* Asym Cipher */ extern const OSSL_DISPATCH rsa_asym_cipher_functions[]; diff --git a/providers/implementations/include/prov/macsignature.h b/providers/implementations/include/prov/macsignature.h index 39a57416c8..57adf7d7ba 100644 --- a/providers/implementations/include/prov/macsignature.h +++ b/providers/implementations/include/prov/macsignature.h @@ -17,10 +17,13 @@ struct mac_key_st { CRYPTO_REF_COUNT refcnt; unsigned char *priv_key; size_t priv_key_len; + char *cipher_name; + char *engine_name; + int cmac; }; typedef struct mac_key_st MAC_KEY; -MAC_KEY *mac_key_new(OPENSSL_CTX *libctx); +MAC_KEY *mac_key_new(OPENSSL_CTX *libctx, int cmac); void mac_key_free(MAC_KEY *mackey); int mac_key_up_ref(MAC_KEY *mackey); diff --git a/providers/implementations/keymgmt/mac_legacy_kmgmt.c b/providers/implementations/keymgmt/mac_legacy_kmgmt.c index 246a6bc890..fadf379f67 100644 --- a/providers/implementations/keymgmt/mac_legacy_kmgmt.c +++ b/providers/implementations/keymgmt/mac_legacy_kmgmt.c @@ -19,7 +19,7 @@ #include "prov/providercommon.h" #include "prov/provider_ctx.h" #include "prov/macsignature.h" - +#include "e_os.h" /* strcasecmp */ static OSSL_FUNC_keymgmt_new_fn mac_new; static OSSL_FUNC_keymgmt_free_fn mac_free; @@ -42,9 +42,10 @@ struct mac_gen_ctx { int selection; unsigned char *priv_key; size_t priv_key_len; + char *cipher_name; }; -MAC_KEY *mac_key_new(OPENSSL_CTX *libctx) +MAC_KEY *mac_key_new(OPENSSL_CTX *libctx, int cmac) { MAC_KEY *mackey = OPENSSL_zalloc(sizeof(*mackey)); @@ -58,6 +59,7 @@ MAC_KEY *mac_key_new(OPENSSL_CTX *libctx) } mackey->libctx = libctx; mackey->refcnt = 1; + mackey->cmac = cmac; return mackey; } @@ -74,6 +76,8 @@ void mac_key_free(MAC_KEY *mackey) return; OPENSSL_secure_clear_free(mackey->priv_key, mackey->priv_key_len); + OPENSSL_free(mackey->cipher_name); + OPENSSL_free(mackey->engine_name); CRYPTO_THREAD_lock_free(mackey->lock); OPENSSL_free(mackey); } @@ -88,7 +92,12 @@ int mac_key_up_ref(MAC_KEY *mackey) static void *mac_new(void *provctx) { - return mac_key_new(PROV_LIBRARY_CONTEXT_OF(provctx)); + return mac_key_new(PROV_LIBRARY_CONTEXT_OF(provctx), 0); +} + +static void *mac_new_cmac(void *provctx) +{ + return mac_key_new(PROV_LIBRARY_CONTEXT_OF(provctx), 1); } static void mac_free(void *mackey) @@ -124,12 +133,16 @@ static int mac_match(const void *keydata1, const void *keydata2, int selection) if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) { if ((key1->priv_key == NULL && key2->priv_key != NULL) || (key1->priv_key != NULL && key2->priv_key == NULL) - || key1->priv_key_len != key2->priv_key_len) + || key1->priv_key_len != key2->priv_key_len + || (key1->cipher_name == NULL && key2->cipher_name != NULL) + || (key1->cipher_name != NULL && key2->cipher_name == NULL)) ok = 0; else ok = ok && (key1->priv_key == NULL /* implies key2->privkey == NULL */ || CRYPTO_memcmp(key1->priv_key, key2->priv_key, key1->priv_key_len) == 0); + if (key1->cipher_name != NULL) + ok = ok && (strcasecmp(key1->cipher_name, key2->cipher_name) == 0); } return ok; } @@ -152,9 +165,38 @@ static int mac_key_fromdata(MAC_KEY *key, const OSSL_PARAM params[]) } memcpy(key->priv_key, p->data, p->data_size); key->priv_key_len = p->data_size; + } - return 1; + if (key->cmac) { + p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_CIPHER); + if (p != NULL) { + if (p->data_type != OSSL_PARAM_UTF8_STRING) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_INVALID_ARGUMENT); + return 0; + } + key->cipher_name = OPENSSL_strdup(p->data); + if (key->cipher_name == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); + return 0; + } + } + p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_ENGINE); + if (p != NULL) { + if (p->data_type != OSSL_PARAM_UTF8_STRING) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_INVALID_ARGUMENT); + return 0; + } + key->engine_name = OPENSSL_strdup(p->data); + if (key->engine_name == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); + return 0; + } + } } + + if (key->priv_key != NULL && (!key->cmac || key->cipher_name != NULL)) + return 1; + return 0; } @@ -183,6 +225,18 @@ static int key_to_params(MAC_KEY *key, OSSL_PARAM_BLD *tmpl, key->priv_key, key->priv_key_len)) return 0; + if (key->cipher_name != NULL + && !ossl_param_build_set_utf8_string(tmpl, params, + OSSL_PKEY_PARAM_CIPHER, + key->cipher_name)) + return 0; + + if (key->engine_name != NULL + && !ossl_param_build_set_utf8_string(tmpl, params, + OSSL_PKEY_PARAM_ENGINE, + key->engine_name)) + return 0; + return 1; } @@ -227,6 +281,19 @@ static const OSSL_PARAM *mac_imexport_types(int selection) return NULL; } +static const OSSL_PARAM cmac_key_types[] = { + OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0), + OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_CIPHER, NULL, 0), + OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_ENGINE, NULL, 0), + OSSL_PARAM_END +}; +static const OSSL_PARAM *cmac_imexport_types(int selection) +{ + if ((selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) != 0) + return cmac_key_types; + return NULL; +} + static int mac_get_params(void *key, OSSL_PARAM params[]) { return key_to_params(key, NULL, params); @@ -241,6 +308,18 @@ static const OSSL_PARAM *mac_gettable_params(void *provctx) return gettable_params; } +static const OSSL_PARAM *cmac_gettable_params(void *provctx) +{ + static const OSSL_PARAM gettable_params[] = { + OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0), + OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_CIPHER, NULL, 0), + OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_ENGINE, NULL, 0), + OSSL_PARAM_END + }; + return gettable_params; +} + + static int mac_set_params(void *keydata, const OSSL_PARAM params[]) { MAC_KEY *key = keydata; @@ -270,14 +349,13 @@ static void *mac_gen_init(void *provctx, int selection) OPENSSL_CTX *libctx = PROV_LIBRARY_CONTEXT_OF(provctx); struct mac_gen_ctx *gctx = NULL; - if ((gctx = OPENSSL_malloc(sizeof(*gctx))) != NULL) { + if ((gctx = OPENSSL_zalloc(sizeof(*gctx))) != NULL) { gctx->libctx = libctx; gctx->selection = selection; } return gctx; } - static int mac_gen_set_params(void *genctx, const OSSL_PARAM params[]) { struct mac_gen_ctx *gctx = genctx; @@ -304,6 +382,30 @@ static int mac_gen_set_params(void *genctx, const OSSL_PARAM params[]) return 1; } +static int cmac_gen_set_params(void *genctx, const OSSL_PARAM params[]) +{ + struct mac_gen_ctx *gctx = genctx; + const OSSL_PARAM *p; + + if (!mac_gen_set_params(genctx, params)) + return 0; + + p = OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_CIPHER); + if (p != NULL) { + if (p->data_type != OSSL_PARAM_UTF8_STRING) { + ERR_raise(ERR_LIB_PROV, ERR_R_PASSED_INVALID_ARGUMENT); + return 0; + } + gctx->cipher_name = OPENSSL_strdup(p->data); + if (gctx->cipher_name == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); + return 0; + } + } + + return 1; +} + static const OSSL_PARAM *mac_gen_settable_params(void *provctx) { static OSSL_PARAM settable[] = { @@ -313,6 +415,16 @@ static const OSSL_PARAM *mac_gen_settable_params(void *provctx) return settable; } +static const OSSL_PARAM *cmac_gen_settable_params(void *provctx) +{ + static OSSL_PARAM settable[] = { + OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0), + OSSL_PARAM_utf8_string(OSSL_PKEY_PARAM_CIPHER, NULL, 0), + OSSL_PARAM_END + }; + return settable; +} + static void *mac_gen(void *genctx, OSSL_CALLBACK *cb, void *cbarg) { struct mac_gen_ctx *gctx = genctx; @@ -321,7 +433,7 @@ static void *mac_gen(void *genctx, OSSL_CALLBACK *cb, void *cbarg) if (gctx == NULL) return NULL; - if ((key = mac_key_new(gctx->libctx)) == NULL) { + if ((key = mac_key_new(gctx->libctx, 0)) == NULL) { ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); return NULL; } @@ -344,8 +456,10 @@ static void *mac_gen(void *genctx, OSSL_CALLBACK *cb, void *cbarg) */ key->priv_key = gctx->priv_key; key->priv_key_len = gctx->priv_key_len; + key->cipher_name = gctx->cipher_name; gctx->priv_key_len = 0; gctx->priv_key = NULL; + gctx->cipher_name = NULL; return key; } @@ -355,6 +469,7 @@ static void mac_gen_cleanup(void *genctx) struct mac_gen_ctx *gctx = genctx; OPENSSL_secure_clear_free(gctx->priv_key, gctx->priv_key_len); + OPENSSL_free(gctx->cipher_name); OPENSSL_free(gctx); } @@ -379,3 +494,25 @@ const OSSL_DISPATCH mac_keymgmt_functions[] = { { OSSL_FUNC_KEYMGMT_GEN_CLEANUP, (void (*)(void))mac_gen_cleanup }, { 0, NULL } }; + +const OSSL_DISPATCH cmac_keymgmt_functions[] = { + { OSSL_FUNC_KEYMGMT_NEW, (void (*)(void))mac_new_cmac }, + { OSSL_FUNC_KEYMGMT_FREE, (void (*)(void))mac_free }, + { OSSL_FUNC_KEYMGMT_GET_PARAMS, (void (*) (void))mac_get_params }, + { OSSL_FUNC_KEYMGMT_GETTABLE_PARAMS, (void (*) (void))cmac_gettable_params }, + { OSSL_FUNC_KEYMGMT_SET_PARAMS, (void (*) (void))mac_set_params }, + { OSSL_FUNC_KEYMGMT_SETTABLE_PARAMS, (void (*) (void))mac_settable_params }, + { OSSL_FUNC_KEYMGMT_HAS, (void (*)(void))mac_has }, + { OSSL_FUNC_KEYMGMT_MATCH, (void (*)(void))mac_match }, + { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))mac_import }, + { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, (void (*)(void))cmac_imexport_types }, + { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))mac_export }, + { OSSL_FUNC_KEYMGMT_EXPORT_TYPES, (void (*)(void))cmac_imexport_types }, + { OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))mac_gen_init }, + { OSSL_FUNC_KEYMGMT_GEN_SET_PARAMS, (void (*)(void))cmac_gen_set_params }, + { OSSL_FUNC_KEYMGMT_GEN_SETTABLE_PARAMS, + (void (*)(void))cmac_gen_settable_params }, + { OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))mac_gen }, + { OSSL_FUNC_KEYMGMT_GEN_CLEANUP, (void (*)(void))mac_gen_cleanup }, + { 0, NULL } +}; diff --git a/providers/implementations/signature/mac_legacy.c b/providers/implementations/signature/mac_legacy.c index cf440efc05..eaf2c7566b 100644 --- a/providers/implementations/signature/mac_legacy.c +++ b/providers/implementations/signature/mac_legacy.c @@ -72,11 +72,12 @@ static void *mac_newctx(void *provctx, const char *propq, const char *macname) MAC_NEWCTX(hmac, "HMAC") MAC_NEWCTX(siphash, "SIPHASH") MAC_NEWCTX(poly1305, "POLY1305") +MAC_NEWCTX(cmac, "CMAC") static int mac_digest_sign_init(void *vpmacctx, const char *mdname, void *vkey) { PROV_MAC_CTX *pmacctx = (PROV_MAC_CTX *)vpmacctx; - OSSL_PARAM params[4], *p = params; + OSSL_PARAM params[5], *p = params; if (pmacctx == NULL || vkey == NULL || !mac_key_up_ref(vkey)) return 0; @@ -89,6 +90,12 @@ static int mac_digest_sign_init(void *vpmacctx, const char *mdname, void *vkey) if (mdname != NULL) *p++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_DIGEST, (char *)mdname, 0); + if (pmacctx->key->cipher_name != NULL) + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_MAC_PARAM_CIPHER, + pmacctx->key->cipher_name, 0); + if (pmacctx->key->engine_name != NULL) + *p++ = OSSL_PARAM_construct_utf8_string(OSSL_ALG_PARAM_ENGINE, + pmacctx->key->engine_name, 0); *p++ = OSSL_PARAM_construct_octet_string(OSSL_MAC_PARAM_KEY, pmacctx->key->priv_key, pmacctx->key->priv_key_len); @@ -181,3 +188,4 @@ static void *mac_dupctx(void *vpmacctx) MAC_SIGNATURE_FUNCTIONS(hmac) MAC_SIGNATURE_FUNCTIONS(siphash) MAC_SIGNATURE_FUNCTIONS(poly1305) +MAC_SIGNATURE_FUNCTIONS(cmac) |