From 85776f00699629186ffda92e68e8824d2246a7c9 Mon Sep 17 00:00:00 2001 From: Satoshi Yamaguchi Date: Wed, 31 Aug 2022 23:52:52 +0900 Subject: [PATCH 1/5] Add wolfSSL_EVP_PKEY_new_CMAC_key to OpenSSL compatible API --- tests/api.c | 31 +++++++++++++++++++++++++++ wolfcrypt/src/evp.c | 50 +++++++++++++++++++++++++++++++++++++++++++ wolfssl/openssl/evp.h | 7 ++++++ wolfssl/ssl.h | 6 ++++++ 4 files changed, 94 insertions(+) diff --git a/tests/api.c b/tests/api.c index 5bec3d5bc..88c61d5ad 100644 --- a/tests/api.c +++ b/tests/api.c @@ -32935,6 +32935,36 @@ static int test_wolfSSL_EVP_PKEY_new_mac_key(void) return 0; } + + +static int test_wolfSSL_EVP_PKEY_new_CMAC_key(void) +{ +#ifdef OPENSSL_EXTRA +#if defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT) + + const char *priv = "ABCDEFGHIJKLMNOP"; + int len = strlen(priv); + const WOLFSSL_EVP_CIPHER* cipher = EVP_aes_128_cbc(); + WOLFSSL_EVP_PKEY* key = NULL; + printf(testingFmt, "wolfSSL_EVP_PKEY_new_CMAC_key()"); + + AssertNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( + NULL, NULL, len, cipher)); + AssertNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( + NULL, (const unsigned char *)priv, 0, cipher)); + AssertNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( + NULL, (const unsigned char *)priv, len, NULL)); + + AssertNotNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( + NULL, (const unsigned char *)priv, len, cipher)); + + printf(resultFmt, passed); +#endif /* defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT) */ +#endif /* OPENSSL_EXTRA */ + + return 0; +} + static int test_wolfSSL_EVP_Digest(void) { #if defined(OPENSSL_EXTRA) && !defined(NO_SHA256) && !defined(NO_PWDBASED) @@ -57566,6 +57596,7 @@ TEST_CASE testCases[] = { TEST_DECL(test_wolfSSL_EVP_Digest), TEST_DECL(test_wolfSSL_EVP_Digest_all), TEST_DECL(test_wolfSSL_EVP_PKEY_new_mac_key), + TEST_DECL(test_wolfSSL_EVP_PKEY_new_CMAC_key), TEST_DECL(test_wolfSSL_EVP_MD_hmac_signing), TEST_DECL(test_wolfSSL_EVP_MD_rsa_signing), TEST_DECL(test_wolfSSL_EVP_MD_ecc_signing), diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c index 818dacac8..40d20418d 100644 --- a/wolfcrypt/src/evp.c +++ b/wolfcrypt/src/evp.c @@ -3397,6 +3397,56 @@ WOLFSSL_EVP_PKEY* wolfSSL_EVP_PKEY_new_mac_key(int type, WOLFSSL_ENGINE* e, } +#if defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT) +WOLFSSL_EVP_PKEY* wolfSSL_EVP_PKEY_new_CMAC_key(WOLFSSL_ENGINE* e, + const unsigned char* priv, size_t len, const WOLFSSL_EVP_CIPHER *cipher) +{ + WOLFSSL_EVP_PKEY* pkey; + WOLFSSL_CMAC_CTX* ctx; + int ret = 0; + + WOLFSSL_ENTER("wolfSSL_EVP_PKEY_new_CMAC_key"); + + if (priv == NULL || len == 0 || cipher == NULL) { + WOLFSSL_LEAVE("wolfSSL_EVP_PKEY_new_CMAC_key", BAD_FUNC_ARG); + return NULL; + } + + ctx = wolfSSL_CMAC_CTX_new(); + if (ctx == NULL) { + WOLFSSL_LEAVE("wolfSSL_EVP_PKEY_new_CMAC_key", 0); + return NULL; + } + + ret = wolfSSL_CMAC_Init(ctx, priv, len, cipher, e); + if (ret == WOLFSSL_FAILURE) { + WOLFSSL_LEAVE("wolfSSL_EVP_PKEY_new_CMAC_key", 0); + return NULL; + } + + pkey = wolfSSL_EVP_PKEY_new(); + if (pkey != NULL) { + pkey->pkey.ptr = (char*)XMALLOC(len, NULL, DYNAMIC_TYPE_PUBLIC_KEY); + if (pkey->pkey.ptr == NULL && len > 0) { + wolfSSL_EVP_PKEY_free(pkey); + pkey = NULL; + wolfSSL_CMAC_CTX_free(ctx); + } + else { + if (len) { + XMEMCPY(pkey->pkey.ptr, priv, len); + } + pkey->pkey_sz = len; + pkey->type = pkey->save_type = EVP_PKEY_CMAC; + pkey->cmacCtx = ctx; + } + } + + WOLFSSL_LEAVE("wolfSSL_EVP_PKEY_new_CMAC_key", 0); + return pkey; +} +#endif /* defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT) */ + const unsigned char* wolfSSL_EVP_PKEY_get0_hmac(const WOLFSSL_EVP_PKEY* pkey, size_t* len) { diff --git a/wolfssl/openssl/evp.h b/wolfssl/openssl/evp.h index c6cab8496..233f46c84 100644 --- a/wolfssl/openssl/evp.h +++ b/wolfssl/openssl/evp.h @@ -265,6 +265,7 @@ enum { NID_cast5_ofb64 = 111, EVP_PKEY_DH = NID_dhKeyAgreement, EVP_PKEY_HMAC = NID_hmac, + EVP_PKEY_CMAC = NID_cmac, EVP_PKEY_HKDF = NID_hkdf, EVP_PKEY_FALCON = 300, /* Randomly picked value. */ EVP_PKEY_DILITHIUM= 301, /* Randomly picked value. */ @@ -776,6 +777,11 @@ WOLFSSL_API int wolfSSL_EVP_PKEY_CTX_hkdf_mode(WOLFSSL_EVP_PKEY_CTX* ctx, /* EVP ENGINE API's */ WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_EVP_PKEY_new_mac_key(int type, WOLFSSL_ENGINE* e, const unsigned char* key, int keylen); + +WOLFSSL_API WOLFSSL_EVP_PKEY* wolfSSL_EVP_PKEY_new_CMAC_key(WOLFSSL_ENGINE* e, + const unsigned char* priv, size_t len, + const WOLFSSL_EVP_CIPHER* cipher); + WOLFSSL_API int wolfSSL_EVP_DigestInit_ex(WOLFSSL_EVP_MD_CTX* ctx, const WOLFSSL_EVP_MD* type, WOLFSSL_ENGINE *impl); @@ -992,6 +998,7 @@ WOLFSSL_API int wolfSSL_EVP_SignInit_ex(WOLFSSL_EVP_MD_CTX* ctx, #define EVP_PKEY_get0_EC_KEY wolfSSL_EVP_PKEY_get0_EC_KEY #define EVP_PKEY_get0_hmac wolfSSL_EVP_PKEY_get0_hmac #define EVP_PKEY_new_mac_key wolfSSL_EVP_PKEY_new_mac_key +#define EVP_PKEY_new_CMAC_key wolfSSL_EVP_PKEY_new_CMAC_key #define EVP_MD_CTX_copy wolfSSL_EVP_MD_CTX_copy #define EVP_MD_CTX_copy_ex wolfSSL_EVP_MD_CTX_copy_ex #define EVP_PKEY_sign_init wolfSSL_EVP_PKEY_sign_init diff --git a/wolfssl/ssl.h b/wolfssl/ssl.h index 2601feb86..efac56042 100644 --- a/wolfssl/ssl.h +++ b/wolfssl/ssl.h @@ -89,6 +89,9 @@ #ifndef WOLFCRYPT_ONLY #include #endif + #if defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT) + #include + #endif /* We need the old SSL names */ #ifdef NO_OLD_SSL_NAMES @@ -411,6 +414,9 @@ struct WOLFSSL_EVP_PKEY { word32 hkdfInfoSz; int hkdfMode; #endif + #if defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT) + WOLFSSL_CMAC_CTX* cmacCtx; + #endif #endif /* OPENSSL_EXTRA || OPENSSL_EXTRA_X509_SMALL */ #ifdef HAVE_ECC int pkey_curve; From b52d193ee36873cdc16b3801c4f4d9b8aacf603d Mon Sep 17 00:00:00 2001 From: Satoshi Yamaguchi Date: Sat, 3 Sep 2022 23:56:54 +0900 Subject: [PATCH 2/5] Fix an implicit type conversion --- wolfcrypt/src/evp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c index 40d20418d..db9712b5b 100644 --- a/wolfcrypt/src/evp.c +++ b/wolfcrypt/src/evp.c @@ -3436,7 +3436,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_EVP_PKEY_new_CMAC_key(WOLFSSL_ENGINE* e, if (len) { XMEMCPY(pkey->pkey.ptr, priv, len); } - pkey->pkey_sz = len; + pkey->pkey_sz = (int)len; pkey->type = pkey->save_type = EVP_PKEY_CMAC; pkey->cmacCtx = ctx; } From 69ed2b56d46475c4629a69e4b3965114ba42d54a Mon Sep 17 00:00:00 2001 From: Satoshi Yamaguchi Date: Sun, 4 Sep 2022 13:30:33 +0900 Subject: [PATCH 3/5] Replace a variable of AES-128 key size to the constant AES_128_KEY_SIZE --- tests/api.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/tests/api.c b/tests/api.c index 88c61d5ad..2e6290f8a 100644 --- a/tests/api.c +++ b/tests/api.c @@ -32943,20 +32943,19 @@ static int test_wolfSSL_EVP_PKEY_new_CMAC_key(void) #if defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT) const char *priv = "ABCDEFGHIJKLMNOP"; - int len = strlen(priv); const WOLFSSL_EVP_CIPHER* cipher = EVP_aes_128_cbc(); WOLFSSL_EVP_PKEY* key = NULL; printf(testingFmt, "wolfSSL_EVP_PKEY_new_CMAC_key()"); AssertNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( - NULL, NULL, len, cipher)); + NULL, NULL, AES_128_KEY_SIZE, cipher)); AssertNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( NULL, (const unsigned char *)priv, 0, cipher)); AssertNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( - NULL, (const unsigned char *)priv, len, NULL)); + NULL, (const unsigned char *)priv, AES_128_KEY_SIZE, NULL)); AssertNotNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( - NULL, (const unsigned char *)priv, len, cipher)); + NULL, (const unsigned char *)priv, AES_128_KEY_SIZE, cipher)); printf(resultFmt, passed); #endif /* defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT) */ From 64f2a0cafe7654de98e7b71b97a0ae78c71e46ac Mon Sep 17 00:00:00 2001 From: Satoshi Yamaguchi Date: Sat, 17 Sep 2022 14:38:38 +0900 Subject: [PATCH 4/5] Extend wolfSSL_EVP_PKEY_free for freing EVP_PKEY of CMAC. Fix EVP_PKEY not freed in unit test (test_wolfSSL_EVP_PKEY_new_CMAC_key). --- tests/api.c | 1 + wolfcrypt/src/evp.c | 10 ++++++++++ 2 files changed, 11 insertions(+) diff --git a/tests/api.c b/tests/api.c index 2e6290f8a..b9e0770fd 100644 --- a/tests/api.c +++ b/tests/api.c @@ -32956,6 +32956,7 @@ static int test_wolfSSL_EVP_PKEY_new_CMAC_key(void) AssertNotNull(key = wolfSSL_EVP_PKEY_new_CMAC_key( NULL, (const unsigned char *)priv, AES_128_KEY_SIZE, cipher)); + wolfSSL_EVP_PKEY_free(key); printf(resultFmt, passed); #endif /* defined(WOLFSSL_CMAC) && !defined(NO_AES) && defined(WOLFSSL_AES_DIRECT) */ diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c index db9712b5b..84a4c369e 100644 --- a/wolfcrypt/src/evp.c +++ b/wolfcrypt/src/evp.c @@ -8868,6 +8868,16 @@ void wolfSSL_EVP_PKEY_free(WOLFSSL_EVP_PKEY* key) break; #endif /* HAVE_HKDF */ + #if defined(WOLFSSL_CMAC) && !defined(NO_AES) && \ + defined(WOLFSSL_AES_DIRECT) + case EVP_PKEY_CMAC: + if (key->cmacCtx != NULL) { + wolfSSL_CMAC_CTX_free(key->cmacCtx); + key->cmacCtx = NULL; + } + break; + #endif /* defined(WOLFSSL_CMAC) ... */ + default: break; } From c6ea68a1189a65fa7f25dfc6065b034ba268b9a9 Mon Sep 17 00:00:00 2001 From: Satoshi Yamaguchi Date: Tue, 20 Sep 2022 23:10:22 +0900 Subject: [PATCH 5/5] Fix two not freed WOLFSSL_CMAC_CTX. --- wolfcrypt/src/evp.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/wolfcrypt/src/evp.c b/wolfcrypt/src/evp.c index 84a4c369e..d86275084 100644 --- a/wolfcrypt/src/evp.c +++ b/wolfcrypt/src/evp.c @@ -3420,6 +3420,7 @@ WOLFSSL_EVP_PKEY* wolfSSL_EVP_PKEY_new_CMAC_key(WOLFSSL_ENGINE* e, ret = wolfSSL_CMAC_Init(ctx, priv, len, cipher, e); if (ret == WOLFSSL_FAILURE) { + wolfSSL_CMAC_CTX_free(ctx); WOLFSSL_LEAVE("wolfSSL_EVP_PKEY_new_CMAC_key", 0); return NULL; } @@ -3441,6 +3442,9 @@ WOLFSSL_EVP_PKEY* wolfSSL_EVP_PKEY_new_CMAC_key(WOLFSSL_ENGINE* e, pkey->cmacCtx = ctx; } } + else { + wolfSSL_CMAC_CTX_free(ctx); + } WOLFSSL_LEAVE("wolfSSL_EVP_PKEY_new_CMAC_key", 0); return pkey;