kris
/
boringssl
1
0
Форк 0
Код Проблеми 0 Запити на злиття 0 Релізи 0 Вікі Активність
Ви не можете вибрати більше 25 тем Теми мають розпочинатися з літери або цифри, можуть містити дефіси (-) і не повинні перевищувати 35 символів.
3598 Коміти
12 Гілки
38 MiB
Дерево: 97db926cf7
Гілки Теги
${ item.name }
Створити гілку ${ searchTerm }
з '97db926cf7'
${ noResults }
boringssl/crypto/hmac/hmac.c

hmac.c 7.5 KiB
Неформатований Звичайний вигляд Історія

Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 роки тому
Remove string.h from base.h. Including string.h in base.h causes any file that includes a BoringSSL header to include string.h. Generally this wouldn't be a problem, although string.h might slow down the compile if it wasn't otherwise needed. However, it also causes problems for ipsec-tools in Android because OpenSSL didn't have this behaviour. This change removes string.h from base.h and, instead, adds it to each .c file that requires it. Change-Id: I5968e50b0e230fd3adf9b72dd2836e6f52d6fb37 Reviewed-on: https://boringssl-review.googlesource.com/3200 Reviewed-by: David Benjamin <davidben@chromium.org> Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 роки тому
Reimplement PKCS#12 key derivation. This is avoids pulling in BIGNUM for doing a straight-forward addition on a block-sized value, and avoids a ton of mallocs. It's also -Wconversion-clean, unlike the old one. In doing so, this replaces the HMAC_MAX_MD_CBLOCK with EVP_MAX_MD_BLOCK_SIZE. By having the maximum block size available, most of the temporary values in the key derivation don't need to be malloc'd. BUG=22 Change-Id: I940a62bba4ea32bf82b1190098f3bf185d4cc7fe Reviewed-on: https://boringssl-review.googlesource.com/7688 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
8 роки тому
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 роки тому
Properly handle key_len=0 for HMAC The expectation when calling HMAC with key=NULL and keylen=0 is to compute HMAC on the provided data with a key of length 0 instead of using the "previous" key, which in the case of HMAC() is whatever bytes happen to be left on the stack when the HMAC_CTX struct is allocated. Change-Id: I52a95e262ee4e15f1af3136cb9c07f42f40ce122 Reviewed-on: https://boringssl-review.googlesource.com/2660 Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 роки тому
Use HMAC_Init_ex, not HMAC_Init, in HMAC. We've already initialized the context, HMAC_Init has questionable behavior around NULL keys, and this avoids a size_t truncation. Change-Id: Iab6bfc24fe22d46ca4c01be6129efe0630d553e6 Reviewed-on: https://boringssl-review.googlesource.com/3732 Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 роки тому
Initialize HMAC keys to zero. In an attempt to assign a zero-length HMAC key, consumers might incorrectly call: HMAC_Init_ex(key=NULL, key_len=0) This does not work as expected since |key==NULL| has special semantics. This bug may consequently result in uninitialized memory being used for the HMAC key data. This workaround doesn't fix all the problems associated with this pattern, however by defaulting to a zero key the results are more predictable than before. BUG=http://crbug.com/449409 Change-Id: I777276d57c61f1c0cce80b18e28a9b063784733f Reviewed-on: https://boringssl-review.googlesource.com/3040 Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 роки тому
Fix typo in |HMAC_CTX_cleanup|. This was part of https://boringssl-review.googlesource.com/#/c/2710, but that got lost because I was gumption-trapped by the number of changes in x509/ that I didn't really want to make. Change-Id: Iaf5bc8bcc2e3cfbb1b37aa477462ee8f824135db Reviewed-on: https://boringssl-review.googlesource.com/5440 Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 роки тому
Forbid reusing HMAC key without reusing the hash function. There's no good reason to do this, and it doesn't work; HMAC checks the length of the key and runs it through the hash function if too long. The reuse occurs after this check. This allows us to shave 132 bytes off HMAC_CTX as this was the only reason it ever stored the original key. It also slightly simplifies HMAC_Init_ex's logic. Change-Id: Ib56aabc3630b7178f1ee7c38ef6370c9638efbab Reviewed-on: https://boringssl-review.googlesource.com/3733 Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 роки тому
Forbid reusing HMAC key without reusing the hash function. There's no good reason to do this, and it doesn't work; HMAC checks the length of the key and runs it through the hash function if too long. The reuse occurs after this check. This allows us to shave 132 bytes off HMAC_CTX as this was the only reason it ever stored the original key. It also slightly simplifies HMAC_Init_ex's logic. Change-Id: Ib56aabc3630b7178f1ee7c38ef6370c9638efbab Reviewed-on: https://boringssl-review.googlesource.com/3733 Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
Reimplement PKCS#12 key derivation. This is avoids pulling in BIGNUM for doing a straight-forward addition on a block-sized value, and avoids a ton of mallocs. It's also -Wconversion-clean, unlike the old one. In doing so, this replaces the HMAC_MAX_MD_CBLOCK with EVP_MAX_MD_BLOCK_SIZE. By having the maximum block size available, most of the temporary values in the key derivation don't need to be malloc'd. BUG=22 Change-Id: I940a62bba4ea32bf82b1190098f3bf185d4cc7fe Reviewed-on: https://boringssl-review.googlesource.com/7688 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
8 роки тому
Forbid reusing HMAC key without reusing the hash function. There's no good reason to do this, and it doesn't work; HMAC checks the length of the key and runs it through the hash function if too long. The reuse occurs after this check. This allows us to shave 132 bytes off HMAC_CTX as this was the only reason it ever stored the original key. It also slightly simplifies HMAC_Init_ex's logic. Change-Id: Ib56aabc3630b7178f1ee7c38ef6370c9638efbab Reviewed-on: https://boringssl-review.googlesource.com/3733 Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 роки тому
Forbid reusing HMAC key without reusing the hash function. There's no good reason to do this, and it doesn't work; HMAC checks the length of the key and runs it through the hash function if too long. The reuse occurs after this check. This allows us to shave 132 bytes off HMAC_CTX as this was the only reason it ever stored the original key. It also slightly simplifies HMAC_Init_ex's logic. Change-Id: Ib56aabc3630b7178f1ee7c38ef6370c9638efbab Reviewed-on: https://boringssl-review.googlesource.com/3733 Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 роки тому
Forbid reusing HMAC key without reusing the hash function. There's no good reason to do this, and it doesn't work; HMAC checks the length of the key and runs it through the hash function if too long. The reuse occurs after this check. This allows us to shave 132 bytes off HMAC_CTX as this was the only reason it ever stored the original key. It also slightly simplifies HMAC_Init_ex's logic. Change-Id: Ib56aabc3630b7178f1ee7c38ef6370c9638efbab Reviewed-on: https://boringssl-review.googlesource.com/3733 Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 роки тому
Forbid reusing HMAC key without reusing the hash function. There's no good reason to do this, and it doesn't work; HMAC checks the length of the key and runs it through the hash function if too long. The reuse occurs after this check. This allows us to shave 132 bytes off HMAC_CTX as this was the only reason it ever stored the original key. It also slightly simplifies HMAC_Init_ex's logic. Change-Id: Ib56aabc3630b7178f1ee7c38ef6370c9638efbab Reviewed-on: https://boringssl-review.googlesource.com/3733 Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
Remove gotos from HMAC code. Change-Id: Ic17257e65207ada658f781f4b35ec0cf75bb5474 Reviewed-on: https://boringssl-review.googlesource.com/4151 Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 роки тому
Remove condition which always evaluates to true (size_t >= 0). Found with -Wtype-limits. Change-Id: I5580f179425bc6b09ff2a8559fce121b0cc8ae14 Signed-off-by: Piotr Sikora <piotrsikora@google.com> Reviewed-on: https://boringssl-review.googlesource.com/6463 Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
Forbid reusing HMAC key without reusing the hash function. There's no good reason to do this, and it doesn't work; HMAC checks the length of the key and runs it through the hash function if too long. The reuse occurs after this check. This allows us to shave 132 bytes off HMAC_CTX as this was the only reason it ever stored the original key. It also slightly simplifies HMAC_Init_ex's logic. Change-Id: Ib56aabc3630b7178f1ee7c38ef6370c9638efbab Reviewed-on: https://boringssl-review.googlesource.com/3733 Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 роки тому
Forbid reusing HMAC key without reusing the hash function. There's no good reason to do this, and it doesn't work; HMAC checks the length of the key and runs it through the hash function if too long. The reuse occurs after this check. This allows us to shave 132 bytes off HMAC_CTX as this was the only reason it ever stored the original key. It also slightly simplifies HMAC_Init_ex's logic. Change-Id: Ib56aabc3630b7178f1ee7c38ef6370c9638efbab Reviewed-on: https://boringssl-review.googlesource.com/3733 Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
Reimplement PKCS#12 key derivation. This is avoids pulling in BIGNUM for doing a straight-forward addition on a block-sized value, and avoids a ton of mallocs. It's also -Wconversion-clean, unlike the old one. In doing so, this replaces the HMAC_MAX_MD_CBLOCK with EVP_MAX_MD_BLOCK_SIZE. By having the maximum block size available, most of the temporary values in the key derivation don't need to be malloc'd. BUG=22 Change-Id: I940a62bba4ea32bf82b1190098f3bf185d4cc7fe Reviewed-on: https://boringssl-review.googlesource.com/7688 Reviewed-by: Steven Valdez <svaldez@google.com> Reviewed-by: David Benjamin <davidben@google.com>
8 роки тому
Forbid reusing HMAC key without reusing the hash function. There's no good reason to do this, and it doesn't work; HMAC checks the length of the key and runs it through the hash function if too long. The reuse occurs after this check. This allows us to shave 132 bytes off HMAC_CTX as this was the only reason it ever stored the original key. It also slightly simplifies HMAC_Init_ex's logic. Change-Id: Ib56aabc3630b7178f1ee7c38ef6370c9638efbab Reviewed-on: https://boringssl-review.googlesource.com/3733 Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 роки тому
Use C99 for size_t loops. This was done just by grepping for 'size_t i;' and 'size_t j;'. I left everything in crypto/x509 and friends alone. There's some instances in gcm.c that are non-trivial and pulled into a separate CL for ease of review. Change-Id: I6515804e3097f7e90855f1e7610868ee87117223 Reviewed-on: https://boringssl-review.googlesource.com/10801 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
8 роки тому
Forbid reusing HMAC key without reusing the hash function. There's no good reason to do this, and it doesn't work; HMAC checks the length of the key and runs it through the hash function if too long. The reuse occurs after this check. This allows us to shave 132 bytes off HMAC_CTX as this was the only reason it ever stored the original key. It also slightly simplifies HMAC_Init_ex's logic. Change-Id: Ib56aabc3630b7178f1ee7c38ef6370c9638efbab Reviewed-on: https://boringssl-review.googlesource.com/3733 Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 роки тому
Remove gotos from HMAC code. Change-Id: Ic17257e65207ada658f781f4b35ec0cf75bb5474 Reviewed-on: https://boringssl-review.googlesource.com/4151 Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 роки тому
Use C99 for size_t loops. This was done just by grepping for 'size_t i;' and 'size_t j;'. I left everything in crypto/x509 and friends alone. There's some instances in gcm.c that are non-trivial and pulled into a separate CL for ease of review. Change-Id: I6515804e3097f7e90855f1e7610868ee87117223 Reviewed-on: https://boringssl-review.googlesource.com/10801 Reviewed-by: Adam Langley <agl@google.com> Commit-Queue: Adam Langley <agl@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
8 роки тому
Forbid reusing HMAC key without reusing the hash function. There's no good reason to do this, and it doesn't work; HMAC checks the length of the key and runs it through the hash function if too long. The reuse occurs after this check. This allows us to shave 132 bytes off HMAC_CTX as this was the only reason it ever stored the original key. It also slightly simplifies HMAC_Init_ex's logic. Change-Id: Ib56aabc3630b7178f1ee7c38ef6370c9638efbab Reviewed-on: https://boringssl-review.googlesource.com/3733 Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 роки тому
Remove gotos from HMAC code. Change-Id: Ic17257e65207ada658f781f4b35ec0cf75bb5474 Reviewed-on: https://boringssl-review.googlesource.com/4151 Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 роки тому
Forbid reusing HMAC key without reusing the hash function. There's no good reason to do this, and it doesn't work; HMAC checks the length of the key and runs it through the hash function if too long. The reuse occurs after this check. This allows us to shave 132 bytes off HMAC_CTX as this was the only reason it ever stored the original key. It also slightly simplifies HMAC_Init_ex's logic. Change-Id: Ib56aabc3630b7178f1ee7c38ef6370c9638efbab Reviewed-on: https://boringssl-review.googlesource.com/3733 Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 роки тому
Remove gotos from HMAC code. Change-Id: Ic17257e65207ada658f781f4b35ec0cf75bb5474 Reviewed-on: https://boringssl-review.googlesource.com/4151 Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 роки тому
EVP_Digest*Update, EVP_DigestFinal, and HMAC_Update can never fail. Enough code fails to check their return codes anyway. We ought to make it official. Change-Id: Ie646360fd7073ea943036f5e21bed13df7e1b77a Reviewed-on: https://boringssl-review.googlesource.com/4954 Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 роки тому
Introduce HMAC_CTX_copy_ex and deprecate HMAC_CTX_copy. HMAC_CTX_copy's documentation is off. It actually follows the old copy functions which call FOO_init on dest first. Notably this means that they leak memory if dest is currently in use. Add HMAC_CTX_copy_ex as an analog of EVP_MD_CTX_copy and deprecate HMAC_CTX_copy. (EVP_CIPHER_CTX_copy, in contrast, was correct from the start.) Change-Id: I48566c858663d3f659bd356200cf862e196576c9 Reviewed-on: https://boringssl-review.googlesource.com/2694 Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
Inital import. Initial fork from f2d678e6e89b6508147086610e985d4e8416e867 (1.0.2 beta). (This change contains substantial changes from the original and effectively starts a new history.)
10 роки тому
Introduce HMAC_CTX_copy_ex and deprecate HMAC_CTX_copy. HMAC_CTX_copy's documentation is off. It actually follows the old copy functions which call FOO_init on dest first. Notably this means that they leak memory if dest is currently in use. Add HMAC_CTX_copy_ex as an analog of EVP_MD_CTX_copy and deprecate HMAC_CTX_copy. (EVP_CIPHER_CTX_copy, in contrast, was correct from the start.) Change-Id: I48566c858663d3f659bd356200cf862e196576c9 Reviewed-on: https://boringssl-review.googlesource.com/2694 Reviewed-by: Adam Langley <agl@google.com>
9 роки тому
 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213 
  1. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)

  2.  * All rights reserved.

  3.  *

  4.  * This package is an SSL implementation written

  5.  * by Eric Young (eay@cryptsoft.com).

  6.  * The implementation was written so as to conform with Netscapes SSL.

  7.  *

  8.  * This library is free for commercial and non-commercial use as long as

  9.  * the following conditions are aheared to.  The following conditions

  10.  * apply to all code found in this distribution, be it the RC4, RSA,

  11.  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation

  12.  * included with this distribution is covered by the same copyright terms

  13.  * except that the holder is Tim Hudson (tjh@cryptsoft.com).

  14.  *

  15.  * Copyright remains Eric Young's, and as such any Copyright notices in

  16.  * the code are not to be removed.

  17.  * If this package is used in a product, Eric Young should be given attribution

  18.  * as the author of the parts of the library used.

  19.  * This can be in the form of a textual message at program startup or

  20.  * in documentation (online or textual) provided with the package.

  21.  *

  22.  * Redistribution and use in source and binary forms, with or without

  23.  * modification, are permitted provided that the following conditions

  24.  * are met:

  25.  * 1. Redistributions of source code must retain the copyright

  26.  *    notice, this list of conditions and the following disclaimer.

  27.  * 2. Redistributions in binary form must reproduce the above copyright

  28.  *    notice, this list of conditions and the following disclaimer in the

  29.  *    documentation and/or other materials provided with the distribution.

  30.  * 3. All advertising materials mentioning features or use of this software

  31.  *    must display the following acknowledgement:

  32.  *    "This product includes cryptographic software written by

  33.  *     Eric Young (eay@cryptsoft.com)"

  34.  *    The word 'cryptographic' can be left out if the rouines from the library

  35.  *    being used are not cryptographic related :-).

  36.  * 4. If you include any Windows specific code (or a derivative thereof) from

  37.  *    the apps directory (application code) you must include an acknowledgement:

  38.  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"

  39.  *

  40.  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND

  41.  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

  42.  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE

  43.  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE

  44.  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL

  45.  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS

  46.  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)

  47.  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT

  48.  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

  49.  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF

  50.  * SUCH DAMAGE.

  51.  *

  52.  * The licence and distribution terms for any publically available version or

  53.  * derivative of this code cannot be changed.  i.e. this code cannot simply be

  54.  * copied and put under another distribution licence

  55.  * [including the GNU Public Licence.] */

  56. 

  57. #include <openssl/hmac.h>

  58. 

  59. #include <assert.h>

  60. #include <string.h>

  61. 

  62. #include <openssl/digest.h>

  63. #include <openssl/mem.h>

  64. 

  65. 

  66. uint8_t *HMAC(const EVP_MD *evp_md, const void *key, size_t key_len,

  67.               const uint8_t *data, size_t data_len, uint8_t *out,

  68.               unsigned int *out_len) {

  69.   HMAC_CTX ctx;

  70.   static uint8_t static_out_buffer[EVP_MAX_MD_SIZE];

  71. 

  72.   /* OpenSSL has traditionally supported using a static buffer if |out| is

  73.    * NULL. We maintain that but don't document it. This behaviour should be

  74.    * considered to be deprecated. */

  75.   if (out == NULL) {

  76.     out = static_out_buffer;

  77.   }

  78. 

  79.   HMAC_CTX_init(&ctx);

  80.   if (!HMAC_Init_ex(&ctx, key, key_len, evp_md, NULL) ||

  81.       !HMAC_Update(&ctx, data, data_len) ||

  82.       !HMAC_Final(&ctx, out, out_len)) {

  83.     out = NULL;

  84.   }

  85. 

  86.   HMAC_CTX_cleanup(&ctx);

  87.   return out;

  88. }

  89. 

  90. void HMAC_CTX_init(HMAC_CTX *ctx) {

  91.   ctx->md = NULL;

  92.   EVP_MD_CTX_init(&ctx->i_ctx);

  93.   EVP_MD_CTX_init(&ctx->o_ctx);

  94.   EVP_MD_CTX_init(&ctx->md_ctx);

  95. }

  96. 

  97. void HMAC_CTX_cleanup(HMAC_CTX *ctx) {

  98.   EVP_MD_CTX_cleanup(&ctx->i_ctx);

  99.   EVP_MD_CTX_cleanup(&ctx->o_ctx);

  100.   EVP_MD_CTX_cleanup(&ctx->md_ctx);

  101.   OPENSSL_cleanse(ctx, sizeof(HMAC_CTX));

  102. }

  103. 

  104. int HMAC_Init_ex(HMAC_CTX *ctx, const void *key, size_t key_len,

  105.                  const EVP_MD *md, ENGINE *impl) {

  106.   if (md == NULL) {

  107.     md = ctx->md;

  108.   }

  109. 

  110.   /* If either |key| is non-NULL or |md| has changed, initialize with a new key

  111.    * rather than rewinding the previous one.

  112.    *

  113.    * TODO(davidben,eroman): Passing the previous |md| with a NULL |key| is

  114.    * ambiguous between using the empty key and reusing the previous key. There

  115.    * exist callers which intend the latter, but the former is an awkward edge

  116.    * case. Fix to API to avoid this. */

  117.   if (md != ctx->md || key != NULL) {

  118.     uint8_t pad[EVP_MAX_MD_BLOCK_SIZE];

  119.     uint8_t key_block[EVP_MAX_MD_BLOCK_SIZE];

  120.     unsigned key_block_len;

  121. 

  122.     size_t block_size = EVP_MD_block_size(md);

  123.     assert(block_size <= sizeof(key_block));

  124.     if (block_size < key_len) {

  125.       /* Long keys are hashed. */

  126.       if (!EVP_DigestInit_ex(&ctx->md_ctx, md, impl) ||

  127.           !EVP_DigestUpdate(&ctx->md_ctx, key, key_len) ||

  128.           !EVP_DigestFinal_ex(&ctx->md_ctx, key_block, &key_block_len)) {

  129.         return 0;

  130.       }

  131.     } else {

  132.       assert(key_len <= sizeof(key_block));

  133.       memcpy(key_block, key, key_len);

  134.       key_block_len = (unsigned)key_len;

  135.     }

  136.     /* Keys are then padded with zeros. */

  137.     if (key_block_len != EVP_MAX_MD_BLOCK_SIZE) {

  138.       memset(&key_block[key_block_len], 0, sizeof(key_block) - key_block_len);

  139.     }

  140. 

  141.     for (size_t i = 0; i < EVP_MAX_MD_BLOCK_SIZE; i++) {

  142.       pad[i] = 0x36 ^ key_block[i];

  143.     }

  144.     if (!EVP_DigestInit_ex(&ctx->i_ctx, md, impl) ||

  145.         !EVP_DigestUpdate(&ctx->i_ctx, pad, EVP_MD_block_size(md))) {

  146.       return 0;

  147.     }

  148. 

  149.     for (size_t i = 0; i < EVP_MAX_MD_BLOCK_SIZE; i++) {

  150.       pad[i] = 0x5c ^ key_block[i];

  151.     }

  152.     if (!EVP_DigestInit_ex(&ctx->o_ctx, md, impl) ||

  153.         !EVP_DigestUpdate(&ctx->o_ctx, pad, EVP_MD_block_size(md))) {

  154.       return 0;

  155.     }

  156. 

  157.     ctx->md = md;

  158.   }

  159. 

  160.   if (!EVP_MD_CTX_copy_ex(&ctx->md_ctx, &ctx->i_ctx)) {

  161.     return 0;

  162.   }

  163. 

  164.   return 1;

  165. }

  166. 

  167. int HMAC_Update(HMAC_CTX *ctx, const uint8_t *data, size_t data_len) {

  168.   return EVP_DigestUpdate(&ctx->md_ctx, data, data_len);

  169. }

  170. 

  171. int HMAC_Final(HMAC_CTX *ctx, uint8_t *out, unsigned int *out_len) {

  172.   unsigned int i;

  173.   uint8_t buf[EVP_MAX_MD_SIZE];

  174. 

  175.   /* TODO(davidben): The only thing that can officially fail here is

  176.    * |EVP_MD_CTX_copy_ex|, but even that should be impossible in this case. */

  177.   if (!EVP_DigestFinal_ex(&ctx->md_ctx, buf, &i) ||

  178.       !EVP_MD_CTX_copy_ex(&ctx->md_ctx, &ctx->o_ctx) ||

  179.       !EVP_DigestUpdate(&ctx->md_ctx, buf, i) ||

  180.       !EVP_DigestFinal_ex(&ctx->md_ctx, out, out_len)) {

  181.     *out_len = 0;

  182.     return 0;

  183.   }

  184. 

  185.   return 1;

  186. }

  187. 

  188. size_t HMAC_size(const HMAC_CTX *ctx) {

  189.   return EVP_MD_size(ctx->md);

  190. }

  191. 

  192. int HMAC_CTX_copy_ex(HMAC_CTX *dest, const HMAC_CTX *src) {

  193.   if (!EVP_MD_CTX_copy_ex(&dest->i_ctx, &src->i_ctx) ||

  194.       !EVP_MD_CTX_copy_ex(&dest->o_ctx, &src->o_ctx) ||

  195.       !EVP_MD_CTX_copy_ex(&dest->md_ctx, &src->md_ctx)) {

  196.     return 0;

  197.   }

  198. 

  199.   dest->md = src->md;

  200.   return 1;

  201. }

  202. 

  203. int HMAC_Init(HMAC_CTX *ctx, const void *key, int key_len, const EVP_MD *md) {

  204.   if (key && md) {

  205.     HMAC_CTX_init(ctx);

  206.   }

  207.   return HMAC_Init_ex(ctx, key, key_len, md, NULL);

  208. }

  209. 

  210. int HMAC_CTX_copy(HMAC_CTX *dest, const HMAC_CTX *src) {

  211.   HMAC_CTX_init(dest);

  212.   return HMAC_CTX_copy_ex(dest, src);

  213. }