X-Git-Url: https://www.tinc-vpn.org/git/browse?a=blobdiff_plain;f=src%2Fopenssl%2Fdigest.c;h=5778c5235818a60a7b8fc83d61a85382e4b49471;hb=cfc9fee931c70554353ce6c4acc3407baac08745;hp=d51dcaa971842e47a62defcdfc7dae31e8da91c1;hpb=b0b4a2f1eb3bef0141d817cbf3b575a5dd28f241;p=tinc

diff --git a/src/openssl/digest.c b/src/openssl/digest.c
index d51dcaa9..5778c523 100644
--- a/src/openssl/digest.c
+++ b/src/openssl/digest.c
@@ -18,32 +18,32 @@
 */
 
 #include "../system.h"
-#include "../utils.h"
-#include "../xalloc.h"
 
 #include <openssl/err.h>
 #include <openssl/hmac.h>
 
+#if OPENSSL_VERSION_MAJOR >= 3
+#include <openssl/core_names.h>
+#endif
+
 #include "digest.h"
 #include "../digest.h"
 #include "../logger.h"
+#include "log.h"
 
-static digest_t *digest_open(const EVP_MD *evp_md, int maclength) {
-	digest_t *digest = xzalloc(sizeof(*digest));
+static void digest_open(digest_t *digest, const EVP_MD *evp_md, size_t maclength) {
 	digest->digest = evp_md;
 
-	int digestlen = EVP_MD_size(digest->digest);
+	size_t digestlen = EVP_MD_size(digest->digest);
 
-	if(maclength > digestlen || maclength < 0) {
+	if(maclength == DIGEST_ALGO_SIZE || maclength > digestlen) {
 		digest->maclength = digestlen;
 	} else {
 		digest->maclength = maclength;
 	}
-
-	return digest;
 }
 
-digest_t *digest_open_by_name(const char *name, int maclength) {
+bool digest_open_by_name(digest_t *digest, const char *name, size_t maclength) {
 	const EVP_MD *evp_md = EVP_get_digestbyname(name);
 
 	if(!evp_md) {
@@ -51,10 +51,11 @@ digest_t *digest_open_by_name(const char *name, int maclength) {
 		return false;
 	}
 
-	return digest_open(evp_md, maclength);
+	digest_open(digest, evp_md, maclength);
+	return true;
 }
 
-digest_t *digest_open_by_nid(int nid, int maclength) {
+bool digest_open_by_nid(digest_t *digest, int nid, size_t maclength) {
 	const EVP_MD *evp_md = EVP_get_digestbynid(nid);
 
 	if(!evp_md) {
@@ -62,17 +63,56 @@ digest_t *digest_open_by_nid(int nid, int maclength) {
 		return false;
 	}
 
-	return digest_open(evp_md, maclength);
+	digest_open(digest, evp_md, maclength);
+	return true;
 }
 
 bool digest_set_key(digest_t *digest, const void *key, size_t len) {
+#if OPENSSL_VERSION_MAJOR < 3
 	digest->hmac_ctx = HMAC_CTX_new();
-	HMAC_Init_ex(digest->hmac_ctx, key, len, digest->digest, NULL);
 
 	if(!digest->hmac_ctx) {
 		abort();
 	}
 
+	HMAC_Init_ex(digest->hmac_ctx, key, (int)len, digest->digest, NULL);
+#else
+	EVP_MAC *mac = EVP_MAC_fetch(NULL, OSSL_MAC_NAME_HMAC, NULL);
+
+	if(!mac) {
+		openssl_err("fetch MAC");
+		return false;
+	}
+
+	digest->hmac_ctx = EVP_MAC_CTX_new(mac);
+	EVP_MAC_free(mac);
+
+	if(!digest->hmac_ctx) {
+		openssl_err("create MAC context");
+		return false;
+	}
+
+	const char *hmac_algo = EVP_MD_get0_name(digest->digest);
+
+	if(!hmac_algo) {
+		openssl_err("get HMAC algorithm name");
+		return false;
+	}
+
+	// The casts are okay, the parameters are not going to change. For example, see:
+	// https://github.com/openssl/openssl/blob/31b7f23d2f958491d46c8a8e61c2b77b1b546f3e/crypto/ec/ecdh_kdf.c#L37-L38
+	const OSSL_PARAM params[] = {
+		OSSL_PARAM_octet_string(OSSL_MAC_PARAM_KEY, (void *)key, len),
+		OSSL_PARAM_utf8_string(OSSL_MAC_PARAM_DIGEST, (void *)hmac_algo, 0),
+		OSSL_PARAM_END,
+	};
+
+	if(!EVP_MAC_init(digest->hmac_ctx, NULL, 0, params)) {
+		openssl_err("set MAC context params");
+		return false;
+	}
+
+#endif
 	return true;
 }
 
@@ -86,21 +126,39 @@ void digest_close(digest_t *digest) {
 	}
 
 	if(digest->hmac_ctx) {
+#if OPENSSL_VERSION_MAJOR < 3
 		HMAC_CTX_free(digest->hmac_ctx);
+#else
+		EVP_MAC_CTX_free(digest->hmac_ctx);
+#endif
 	}
 
-	free(digest);
+	memset(digest, 0, sizeof(*digest));
 }
 
 bool digest_create(digest_t *digest, const void *indata, size_t inlen, void *outdata) {
 	size_t len = EVP_MD_size(digest->digest);
-	unsigned char tmpdata[len];
+	unsigned char *tmpdata = alloca(len);
 
 	if(digest->hmac_ctx) {
-		if(!HMAC_Init_ex(digest->hmac_ctx, NULL, 0, NULL, NULL)
-		                || !HMAC_Update(digest->hmac_ctx, indata, inlen)
-		                || !HMAC_Final(digest->hmac_ctx, tmpdata, NULL)) {
-			logger(DEBUG_ALWAYS, LOG_DEBUG, "Error creating digest: %s", ERR_error_string(ERR_get_error(), NULL));
+		bool ok;
+
+#if OPENSSL_VERSION_MAJOR < 3
+		ok = HMAC_Init_ex(digest->hmac_ctx, NULL, 0, NULL, NULL)
+		     && HMAC_Update(digest->hmac_ctx, indata, inlen)
+		     && HMAC_Final(digest->hmac_ctx, tmpdata, NULL);
+#else
+		EVP_MAC_CTX *mac_ctx = EVP_MAC_CTX_dup(digest->hmac_ctx);
+
+		ok = mac_ctx
+		     && EVP_MAC_update(mac_ctx, indata, inlen)
+		     && EVP_MAC_final(mac_ctx, tmpdata, NULL, len);
+
+		EVP_MAC_CTX_free(mac_ctx);
+#endif
+
+		if(!ok) {
+			openssl_err("create HMAC");
 			return false;
 		}
 	} else {
@@ -115,7 +173,7 @@ bool digest_create(digest_t *digest, const void *indata, size_t inlen, void *out
 		if(!EVP_DigestInit(digest->md_ctx, digest->digest)
 		                || !EVP_DigestUpdate(digest->md_ctx, indata, inlen)
 		                || !EVP_DigestFinal(digest->md_ctx, tmpdata, NULL)) {
-			logger(DEBUG_ALWAYS, LOG_DEBUG, "Error creating digest: %s", ERR_error_string(ERR_get_error(), NULL));
+			openssl_err("create digest");
 			return false;
 		}
 	}
@@ -126,7 +184,7 @@ bool digest_create(digest_t *digest, const void *indata, size_t inlen, void *out
 
 bool digest_verify(digest_t *digest, const void *indata, size_t inlen, const void *cmpdata) {
 	size_t len = digest->maclength;
-	unsigned char outdata[len];
+	unsigned char *outdata = alloca(len);
 
 	return digest_create(digest, indata, inlen, outdata) && !memcmp(cmpdata, outdata, digest->maclength);
 }