Diffstat (limited to 'src/openssl/hmac.c')
-rw-r--r--src/openssl/hmac.c174
1 files changed, 62 insertions, 112 deletions
diff --git a/src/openssl/hmac.c b/src/openssl/hmac.c
index edfc3af4..d9c60cba 100644
--- a/src/openssl/hmac.c
+++ b/src/openssl/hmac.c
@@ -1,20 +1,29 @@
-/**
+/*
+ * XML Security Library (http://www.aleksey.com/xmlsec).
+ *
*
- * XMLSec library
+ * This is free software; see Copyright file in the source
+ * distribution for preciese wording.
+ *
+ * Copyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved.
+ */
+/**
+ * SECTION:hmac
+ * @Short_description: HMAC transforms implementation for OpenSSL.
+ * @Stability: Private
*
- * HMAC Algorithm support (http://www.w3.org/TR/xmldsig-core/#sec-HMAC):
+ * [HMAC Algorithm support](http://www.w3.org/TR/xmldsig-core/#sec-HMAC):
* The HMAC algorithm (RFC2104 [HMAC]) takes the truncation length in bits
* as a parameter; if the parameter is not specified then all the bits of the
* hash are output. An example of an HMAC SignatureMethod element:
+ *
+ * |[<!-- language="XML" -->
* <SignatureMethod Algorithm="http://www.w3.org/2000/09/xmldsig#hmac-sha1">
* <HMACOutputLength>128</HMACOutputLength>
* </SignatureMethod>
- *
- * This is free software; see Copyright file in the source
- * distribution for preciese wording.
- *
- * Copyright (C) 2002-2016 Aleksey Sanin <aleksey@aleksey.com>. All Rights Reserved.
+ * |]
*/
+
#ifndef XMLSEC_NO_HMAC
#include "globals.h"
@@ -32,16 +41,7 @@
#include <xmlsec/errors.h>
#include <xmlsec/openssl/crypto.h>
-
-/* new API from OpenSSL 1.1.0 (https://www.openssl.org/docs/manmaster/crypto/hmac.html):
- *
- * HMAC_CTX_new() and HMAC_CTX_free() are new in OpenSSL version 1.1.
- */
-#if !defined(XMLSEC_OPENSSL_110)
-#define HMAC_CTX_new() ((HMAC_CTX*)calloc(1, sizeof(HMAC_CTX)))
-#define HMAC_CTX_free(x) { HMAC_CTX_cleanup((x)); free((x)); }
-#endif /* !defined(XMLSEC_OPENSSL_110) */
-
+#include "openssl_compat.h"
/* sizes in bits */
#define XMLSEC_OPENSSL_MIN_HMAC_SIZE 80
@@ -171,9 +171,6 @@ xmlSecOpenSSLHmacCheckId(xmlSecTransformPtr transform) {
{
return(0);
}
-
- /* just in case */
- return(0);
}
@@ -234,22 +231,15 @@ xmlSecOpenSSLHmacInitialize(xmlSecTransformPtr transform) {
#endif /* XMLSEC_NO_MD5 */
{
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
- NULL,
- XMLSEC_ERRORS_R_INVALID_TRANSFORM,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecInvalidTransfromError(transform)
return(-1);
}
/* create hmac CTX */
ctx->hmacCtx = HMAC_CTX_new();
if(ctx->hmacCtx == NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
- "HMAC_CTX_new",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecOpenSSLError("HMAC_CTX_new",
+ xmlSecTransformGetName(transform));
return(-1);
}
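Review bot: The added `xmlSecInvalidTransfromError(transform)` call in the unsupported-digest branch has no terminating semicolon, so it compiles only if the macro happens to expand to a complete statement or block. Writing it as `xmlSecInvalidTransfromError(transform);` matches every other error helper this commit introduces and stays valid if the macro is later wrapped in `do { ... } while(0)`. The macro definition is not visible on this page, and xmlSecOpenSSLHmacInitialize starts and ends outside the hunk.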
@@ -302,11 +292,8 @@ xmlSecOpenSSLHmacNodeRead(xmlSecTransformPtr transform, xmlNodePtr node, xmlSecT
small value
*/
if((int)ctx->dgstSize < xmlSecOpenSSLHmacGetMinOutputLength()) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
- xmlSecErrorsSafeString(xmlSecNodeGetName(cur)),
- XMLSEC_ERRORS_R_INVALID_NODE_ATTRIBUTE,
- "HMAC output length is too small");
+ xmlSecInvalidNodeContentError(cur, xmlSecTransformGetName(transform),
+ "HMAC output length is too small");
return(-1);
}
@@ -314,11 +301,7 @@ xmlSecOpenSSLHmacNodeRead(xmlSecTransformPtr transform, xmlNodePtr node, xmlSecT
}
if(cur != NULL) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
- xmlSecErrorsSafeString(xmlSecNodeGetName(cur)),
- XMLSEC_ERRORS_R_UNEXPECTED_NODE,
- XMLSEC_ERRORS_NO_MESSAGE);
+ xmlSecUnexpectedNodeError(cur, xmlSecTransformGetName(transform));
return(-1);
}
return(0);
@@ -327,7 +310,8 @@ xmlSecOpenSSLHmacNodeRead(xmlSecTransformPtr transform, xmlNodePtr node, xmlSecT
static int
xmlSecOpenSSLHmacSetKeyReq(xmlSecTransformPtr transform, xmlSecKeyReqPtr keyReq) {
xmlSecAssert2(xmlSecOpenSSLHmacCheckId(transform), -1);
- xmlSecAssert2((transform->operation == xmlSecTransformOperationSign) || (transform->operation == xmlSecTransformOperationVerify), -1);
+ xmlSecAssert2((transform->operation == xmlSecTransformOperationSign)
+ || (transform->operation == xmlSecTransformOperationVerify), -1);
xmlSecAssert2(xmlSecTransformCheckSize(transform, xmlSecOpenSSLHmacSize), -1);
xmlSecAssert2(keyReq != NULL, -1);
@@ -367,38 +351,20 @@ xmlSecOpenSSLHmacSetKey(xmlSecTransformPtr transform, xmlSecKeyPtr key) {
xmlSecAssert2(buffer != NULL, -1);
if(xmlSecBufferGetSize(buffer) == 0) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
- NULL,
- XMLSEC_ERRORS_R_INVALID_KEY_DATA_SIZE,
- "keySize=0");
+ xmlSecInvalidZeroKeyDataSizeError(xmlSecTransformGetName(transform));
return(-1);
}
xmlSecAssert2(xmlSecBufferGetData(buffer) != NULL, -1);
-#if (defined(XMLSEC_OPENSSL_098))
- /* no return value in 0.9.8 */
- HMAC_Init_ex(ctx->hmacCtx,
- xmlSecBufferGetData(buffer),
- xmlSecBufferGetSize(buffer),
- ctx->hmacDgst,
- NULL);
- ret = 1;
-#else /* (defined(XMLSEC_OPENSSL_098)) */
ret = HMAC_Init_ex(ctx->hmacCtx,
xmlSecBufferGetData(buffer),
xmlSecBufferGetSize(buffer),
ctx->hmacDgst,
NULL);
-#endif /* (defined(XMLSEC_OPENSSL_098)) */
-
if(ret != 1) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
- "HMAC_Init_ex",
- XMLSEC_ERRORS_R_CRYPTO_FAILED,
- NULL);
+ xmlSecOpenSSLError("HMAC_Init_ex",
+ xmlSecTransformGetName(transform));
return(-1);
}
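Review bot: The key length passed to `HMAC_Init_ex` is still `xmlSecBufferGetSize(buffer)` with only a zero check in front of it, while OpenSSL declares that parameter as `int`. If the buffer size type is wider than `int` or unsigned (its declaration is not shown here), a very large key buffer would be narrowed silently. An upper-bound guard next to the zero check, for example `if(xmlSecBufferGetSize(buffer) > INT_MAX) { ... return(-1); }`, followed by an explicit `(int)` cast at the call, would make the conversion deliberate. xmlSecOpenSSLHmacSetKey starts and ends outside the hunk.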
@@ -429,44 +395,29 @@ xmlSecOpenSSLHmacVerify(xmlSecTransformPtr transform,
/* compare the digest size in bytes */
if(dataSize != ((ctx->dgstSize + 7) / 8)){
- /* NO COMMIT */
- xmlChar* a;
- mask = last_byte_masks[ctx->dgstSize % 8];
- ctx->dgst[dataSize - 1] &= mask;
- a = xmlSecBase64Encode(ctx->dgst, (ctx->dgstSize + 7) / 8, -1);
- fprintf(stderr, "%s\n", a);
- xmlFree(a);
-
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
- NULL,
- XMLSEC_ERRORS_R_INVALID_SIZE,
- "data=%d;dgst=%d",
- dataSize, ((ctx->dgstSize + 7) / 8));
+ xmlSecInvalidSizeError("HMAC digest",
+ dataSize, ((ctx->dgstSize + 7) / 8),
+ xmlSecTransformGetName(transform));
transform->status = xmlSecTransformStatusFail;
return(0);
}
- /* we check the last byte separatelly */
+ /* we check the last byte separately */
xmlSecAssert2(dataSize > 0, -1);
mask = last_byte_masks[ctx->dgstSize % 8];
if((ctx->dgst[dataSize - 1] & mask) != (data[dataSize - 1] & mask)) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
- NULL,
- XMLSEC_ERRORS_R_DATA_NOT_MATCH,
- "data and digest do not match (last byte)");
+ xmlSecOtherError(XMLSEC_ERRORS_R_DATA_NOT_MATCH,
+ xmlSecTransformGetName(transform),
+ "data and digest do not match (last byte)");
transform->status = xmlSecTransformStatusFail;
return(0);
}
/* now check the rest of the digest */
if((dataSize > 1) && (memcmp(ctx->dgst, data, dataSize - 1) != 0)) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
- NULL,
- XMLSEC_ERRORS_R_DATA_NOT_MATCH,
- "data and digest do not match");
+ xmlSecOtherError(XMLSEC_ERRORS_R_DATA_NOT_MATCH,
+ xmlSecTransformGetName(transform),
+ "data and digest do not match");
transform->status = xmlSecTransformStatusFail;
return(0);
}
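Review bot: The digest comparison that survives this cleanup, `memcmp(ctx->dgst, data, dataSize - 1)`, is not constant-time, so the time taken to reject a MAC can depend on how many leading bytes match. OpenSSL's `CRYPTO_memcmp` is a drop-in replacement: `if((dataSize > 1) && (CRYPTO_memcmp(ctx->dgst, data, dataSize - 1) != 0)) {`. The separate last-byte check with its own "(last byte)" message also reveals which part of the value differed. Accumulating the masked last-byte difference together with the rest and reporting a single mismatch message would remove that distinction. xmlSecOpenSSLHmacVerify starts and ends outside the hunk.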
@@ -504,23 +455,31 @@ xmlSecOpenSSLHmacExecute(xmlSecTransformPtr transform, int last, xmlSecTransform
inSize = xmlSecBufferGetSize(in);
if(inSize > 0) {
- HMAC_Update(ctx->hmacCtx, xmlSecBufferGetData(in), inSize);
+ ret = HMAC_Update(ctx->hmacCtx, xmlSecBufferGetData(in), inSize);
+ if(ret != 1) {
+ xmlSecOpenSSLError("HMAC_Update",
+ xmlSecTransformGetName(transform));
+ return(-1);
+ }
ret = xmlSecBufferRemoveHead(in, inSize);
if(ret < 0) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
- "xmlSecBufferRemoveHead",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- "size=%d", inSize);
+ xmlSecInternalError2("xmlSecBufferRemoveHead",
+ xmlSecTransformGetName(transform),
+ "size=%d", inSize);
return(-1);
}
}
if(last) {
- unsigned int dgstSize;
+ unsigned int dgstSize = 0;
- HMAC_Final(ctx->hmacCtx, ctx->dgst, &dgstSize);
+ ret = HMAC_Final(ctx->hmacCtx, ctx->dgst, &dgstSize);
+ if(ret != 1) {
+ xmlSecOpenSSLError("HMAC_Final",
+ xmlSecTransformGetName(transform));
+ return(-1);
+ }
xmlSecAssert2(dgstSize > 0, -1);
/* check/set the result digest size */
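Review bot: The new `xmlSecInternalError2(..., "size=%d", inSize)` call keeps a signed format specifier for a size value. The declaration of `inSize` is outside this hunk, but the same pattern in the later xmlSecBufferAppend hunk passes `dgstSize`, which is declared `unsigned int` here, to `"size=%d"`. For `dgstSize` the matching form is `"size=%u", dgstSize`. For `inSize`, use the specifier that matches its actual type, or cast explicitly, so the error path does not rely on a mismatched varargs conversion. xmlSecOpenSSLHmacExecute starts and ends outside the hunk.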
@@ -529,12 +488,9 @@ xmlSecOpenSSLHmacExecute(xmlSecTransformPtr transform, int last, xmlSecTransform
} else if(ctx->dgstSize <= XMLSEC_SIZE_BAD_CAST(8 * dgstSize)) {
dgstSize = ((ctx->dgstSize + 7) / 8); /* we need to truncate result digest */
} else {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
- NULL,
- XMLSEC_ERRORS_R_INVALID_SIZE,
- "result-bits=%d;required-bits=%d",
- 8 * dgstSize, ctx->dgstSize);
+ xmlSecInvalidSizeLessThanError("HMAC digest (bits)",
+ 8 * dgstSize, ctx->dgstSize,
+ xmlSecTransformGetName(transform));
return(-1);
}
@@ -542,11 +498,9 @@ xmlSecOpenSSLHmacExecute(xmlSecTransformPtr transform, int last, xmlSecTransform
if(transform->operation == xmlSecTransformOperationSign) {
ret = xmlSecBufferAppend(out, ctx->dgst, dgstSize);
if(ret < 0) {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
- "xmlSecBufferAppend",
- XMLSEC_ERRORS_R_XMLSEC_FAILED,
- "size=%d", dgstSize);
+ xmlSecInternalError2("xmlSecBufferAppend",
+ xmlSecTransformGetName(transform),
+ "size=%d", dgstSize);
return(-1);
}
}
@@ -556,11 +510,7 @@ xmlSecOpenSSLHmacExecute(xmlSecTransformPtr transform, int last, xmlSecTransform
/* the only way we can get here is if there is no input */
xmlSecAssert2(xmlSecBufferGetSize(in) == 0, -1);
} else {
- xmlSecError(XMLSEC_ERRORS_HERE,
- xmlSecErrorsSafeString(xmlSecTransformGetName(transform)),
- NULL,
- XMLSEC_ERRORS_R_INVALID_STATUS,
- "status=%d", transform->status);
+ xmlSecInvalidTransfromStatusError(transform);
return(-1);
}