From da36ecd6f25027c8767cd1132229450d699bd49f Mon Sep 17 00:00:00 2001
From: Dirkjan Bussink
Date: Tue, 22 Dec 2020 19:23:13 +0100
Subject: [PATCH] Move HMAC implementation to EVP API
Now that the minimum OpenSSL version is 1.0.1, we know that the EVP HMAC API is always available. This switches to this API. The existing API is deprecated for OpenSSL 3.0.
Signed-off-by: Dirkjan Bussink
Reviewed-by: Jakub Jelen
---
 include/libssh/libcrypto.h | 2 +-
 src/libcrypto-compat.c | 18 ------------
 src/libcrypto-compat.h | 3 --
 src/libcrypto.c | 57 +++++++++++++++++++++++++-------------
 4 files changed, 38 insertions(+), 42 deletions(-)
diff --git a/include/libssh/libcrypto.h b/include/libssh/libcrypto.h
index a89cbd05..403c2d22 100644
--- a/include/libssh/libcrypto.h
+++ b/include/libssh/libcrypto.h
@@ -38,7 +38,7 @@ typedef EVP_MD_CTX* SHA256CTX;
 typedef EVP_MD_CTX* SHA384CTX;
 typedef EVP_MD_CTX* SHA512CTX;
 typedef EVP_MD_CTX* MD5CTX;
-typedef HMAC_CTX* HMACCTX;
+typedef EVP_MD_CTX* HMACCTX;
 #ifdef HAVE_ECC
 typedef EVP_MD_CTX *EVPCTX;
 #else
diff --git a/src/libcrypto-compat.c b/src/libcrypto-compat.c
index 169fca69..12051c85 100644
--- a/src/libcrypto-compat.c
+++ b/src/libcrypto-compat.c
@@ -242,24 +242,6 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx)
 return 1;
 }
-HMAC_CTX *HMAC_CTX_new(void)
-{
- HMAC_CTX *ctx = OPENSSL_malloc(sizeof(HMAC_CTX));
-
- if (ctx != NULL) {
- HMAC_CTX_init(ctx);
- }
- return ctx;
-}
-
-void HMAC_CTX_free(HMAC_CTX *ctx)
-{
- if (ctx != NULL) {
- HMAC_CTX_cleanup(ctx);
- OPENSSL_free(ctx);
- }
-}
-
 #ifndef HAVE_OPENSSL_EVP_CIPHER_CTX_NEW
 EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void)
 {
diff --git a/src/libcrypto-compat.h b/src/libcrypto-compat.h
index ced8af35..c584ed25 100644
--- a/src/libcrypto-compat.h
+++ b/src/libcrypto-compat.h
@@ -35,9 +35,6 @@ void EVP_MD_CTX_free(EVP_MD_CTX *ctx);
 int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *ctx);
-HMAC_CTX *HMAC_CTX_new(void);
-void HMAC_CTX_free(HMAC_CTX *ctx);
-
 void DH_get0_pqg(const DH *dh, const BIGNUM **p, const BIGNUM **q, const BIGNUM **g);
 int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNUM *q, BIGNUM *g);
diff --git a/src/libcrypto.c b/src/libcrypto.c
index c82b4b5e..a9fecbe4 100644
--- a/src/libcrypto.c
+++ b/src/libcrypto.c
@@ -423,42 +423,59 @@ int ssh_kdf(struct ssh_crypto_struct *crypto,
 HMACCTX hmac_init(const void *key, int len, enum ssh_hmac_e type)
 {
 HMACCTX ctx = NULL;
+ EVP_PKEY *pkey = NULL;
+ int rc = -1;
- ctx = HMAC_CTX_new();
+ ctx = EVP_MD_CTX_new();
 if (ctx == NULL) {
 return NULL;
 }
- switch (type) {
- case SSH_HMAC_SHA1:
- HMAC_Init_ex(ctx, key, len, EVP_sha1(), NULL);
- break;
- case SSH_HMAC_SHA256:
- HMAC_Init_ex(ctx, key, len, EVP_sha256(), NULL);
- break;
- case SSH_HMAC_SHA512:
- HMAC_Init_ex(ctx, key, len, EVP_sha512(), NULL);
- break;
- case SSH_HMAC_MD5:
- HMAC_Init_ex(ctx, key, len, EVP_md5(), NULL);
- break;
- default:
- HMAC_CTX_free(ctx);
- ctx = NULL;
+ pkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, key, len);
+ if (pkey == NULL) {
+ goto error;
 }
+ switch (type) {
+ case SSH_HMAC_SHA1:
+ rc = EVP_DigestSignInit(ctx, NULL, EVP_sha1(), NULL, pkey);
+ break;
+ case SSH_HMAC_SHA256:
+ rc = EVP_DigestSignInit(ctx, NULL, EVP_sha256(), NULL, pkey);
+ break;
+ case SSH_HMAC_SHA512:
+ rc = EVP_DigestSignInit(ctx, NULL, EVP_sha512(), NULL, pkey);
+ break;
+ case SSH_HMAC_MD5:
+ rc = EVP_DigestSignInit(ctx, NULL, EVP_md5(), NULL, pkey);
+ break;
+ default:
+ rc = -1;
+ break;
+ }
+
+ EVP_PKEY_free(pkey);
+ if (rc != 1) {
+ goto error;
+ }
 return ctx;
+
+error:
+ EVP_MD_CTX_free(ctx);
+ return NULL;
 }
 void hmac_update(HMACCTX ctx, const void *data, unsigned long len)
 {
- HMAC_Update(ctx, data, len);
+ EVP_DigestSignUpdate(ctx, data, len);
 }
 void hmac_final(HMACCTX ctx, unsigned char *hashmacbuf, unsigned int *len)
 {
- HMAC_Final(ctx, hashmacbuf, len);
- HMAC_CTX_free(ctx);
+ size_t res;
+ EVP_DigestSignFinal(ctx, hashmacbuf, &res);
+ EVP_MD_CTX_free(ctx);
+ *len = res;
 }
 static void evp_cipher_init(struct ssh_cipher_struct *cipher)
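Review bot: In `hmac_final`, `size_t res;` is handed to `EVP_DigestSignFinal` uninitialised and the call's result is ignored, so on failure `*len = res` stores an indeterminate value and `hashmacbuf` is left unwritten while the caller carries on as if a MAC had been computed. OpenSSL documents that, when the output buffer is non-NULL, the length argument must hold the buffer's capacity on entry, so `res` should be initialised to the size of `hashmacbuf` (the callers' buffer size is not visible in this hunk). The result should also be checked, for example `if (EVP_DigestSignFinal(ctx, hashmacbuf, &res) != 1) res = 0;` before `*len = res;`. `hmac_update` likewise drops the return value of `EVP_DigestSignUpdate`. Because both functions return `void`, reporting these failures properly would need an `int` return that the callers check, which `hmac_init` already does for `EVP_DigestSignInit` via `rc`.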