/*
* Generates the mac for the Finished message. Returns the length of the MAC or
* 0 on error.
*/
size_t tls13_final_finish_mac(SSL *s, const char *str, size_t slen,
unsigned char *out)
{
const EVP_MD *md = ssl_handshake_md(s);
unsigned char hash[EVP_MAX_MD_SIZE];
size_t hashlen, ret = 0;
EVP_PKEY *key = NULL;
EVP_MD_CTX *ctx = EVP_MD_CTX_new();
if (!ssl_handshake_hash(s, hash, sizeof(hash), &hashlen)) {
/* SSLfatal() already called */
goto err;
}
if (str == s->method->ssl3_enc->server_finished_label) {
key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
s->server_finished_secret, hashlen);
} else if (SSL_IS_FIRST_HANDSHAKE(s)) {
key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL,
s->client_finished_secret, hashlen);
} else {
unsigned char finsecret[EVP_MAX_MD_SIZE];
if (!tls13_derive_finishedkey(s, ssl_handshake_md(s),
s->client_app_traffic_secret,
finsecret, hashlen))
goto err;
key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, finsecret,
hashlen);
OPENSSL_cleanse(finsecret, sizeof(finsecret));
}
if (key == NULL
|| ctx == NULL
|| EVP_DigestSignInit(ctx, NULL, md, NULL, key) <= 0
|| EVP_DigestSignUpdate(ctx, hash, hashlen) <= 0
|| EVP_DigestSignFinal(ctx, out, &hashlen) <= 0) {
SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS13_FINAL_FINISH_MAC,
ERR_R_INTERNAL_ERROR);
goto err;
}
ret = hashlen;
err:
EVP_PKEY_free(key);
EVP_MD_CTX_free(ctx);
return ret;
}
static int test_set_get_raw_keys_int(int tst, int pub)
{
int ret = 0;
unsigned char buf[80];
unsigned char *in;
size_t inlen, len = 0;
EVP_PKEY *pkey;
/* Check if this algorithm supports public keys */
if (keys[tst].pub == NULL)
return 1;
memset(buf, 0, sizeof(buf));
if (pub) {
inlen = strlen(keys[tst].pub);
in = (unsigned char *)keys[tst].pub;
pkey = EVP_PKEY_new_raw_public_key(keys[tst].type,
NULL,
in,
inlen);
} else {
inlen = strlen(keys[tst].priv);
in = (unsigned char *)keys[tst].priv;
pkey = EVP_PKEY_new_raw_private_key(keys[tst].type,
NULL,
in,
inlen);
}
if (!TEST_ptr(pkey)
|| (!pub && !TEST_true(EVP_PKEY_get_raw_private_key(pkey, NULL, &len)))
|| (pub && !TEST_true(EVP_PKEY_get_raw_public_key(pkey, NULL, &len)))
|| !TEST_true(len == inlen)
|| (!pub && !TEST_true(EVP_PKEY_get_raw_private_key(pkey, buf, &len)))
|| (pub && !TEST_true(EVP_PKEY_get_raw_public_key(pkey, buf, &len)))
|| !TEST_mem_eq(in, inlen, buf, len))
goto done;
ret = 1;
done:
EVP_PKEY_free(pkey);
return ret;
}
static int tls1_prf_P_hash(const EVP_MD *md,
const unsigned char *sec, size_t sec_len,
const unsigned char *seed, size_t seed_len,
unsigned char *out, size_t olen)
{
int chunk;
EVP_MD_CTX *ctx = NULL, *ctx_tmp = NULL, *ctx_init = NULL;
EVP_PKEY *mac_key = NULL;
unsigned char A1[EVP_MAX_MD_SIZE];
size_t A1_len;
int ret = 0;
chunk = EVP_MD_size(md);
if (!ossl_assert(chunk > 0))
goto err;
ctx = EVP_MD_CTX_new();
ctx_tmp = EVP_MD_CTX_new();
ctx_init = EVP_MD_CTX_new();
if (ctx == NULL || ctx_tmp == NULL || ctx_init == NULL)
goto err;
EVP_MD_CTX_set_flags(ctx_init, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW);
mac_key = EVP_PKEY_new_raw_private_key(EVP_PKEY_HMAC, NULL, sec, sec_len);
if (mac_key == NULL)
goto err;
if (!EVP_DigestSignInit(ctx_init, NULL, md, NULL, mac_key))
goto err;
if (!EVP_MD_CTX_copy_ex(ctx, ctx_init))
goto err;
if (seed != NULL && !EVP_DigestSignUpdate(ctx, seed, seed_len))
goto err;
if (!EVP_DigestSignFinal(ctx, A1, &A1_len))
goto err;
for (;;) {
/* Reinit mac contexts */
if (!EVP_MD_CTX_copy_ex(ctx, ctx_init))
goto err;
if (!EVP_DigestSignUpdate(ctx, A1, A1_len))
goto err;
if (olen > (size_t)chunk && !EVP_MD_CTX_copy_ex(ctx_tmp, ctx))
goto err;
if (seed && !EVP_DigestSignUpdate(ctx, seed, seed_len))
goto err;
if (olen > (size_t)chunk) {
size_t mac_len;
if (!EVP_DigestSignFinal(ctx, out, &mac_len))
goto err;
out += mac_len;
olen -= mac_len;
/* calc the next A1 value */
if (!EVP_DigestSignFinal(ctx_tmp, A1, &A1_len))
goto err;
} else { /* last one */
if (!EVP_DigestSignFinal(ctx, A1, &A1_len))
goto err;
memcpy(out, A1, olen);
break;
}
}
ret = 1;
err:
EVP_PKEY_free(mac_key);
EVP_MD_CTX_free(ctx);
EVP_MD_CTX_free(ctx_tmp);
EVP_MD_CTX_free(ctx_init);
OPENSSL_cleanse(A1, sizeof(A1));
return ret;
}
/* For OpenSSL >= 1.1.1 the hmac_nif and cmac_nif could be integrated into poly1305 (with 'type' as parameter) */
ERL_NIF_TERM poly1305_nif(ErlNifEnv* env, int argc, const ERL_NIF_TERM argv[])
{/* (Key, Text) */
#ifdef HAVE_POLY1305
ErlNifBinary key_bin, text, ret_bin;
ERL_NIF_TERM ret;
EVP_PKEY *key = NULL;
EVP_MD_CTX *mctx = NULL;
EVP_PKEY_CTX *pctx = NULL;
const EVP_MD *md = NULL;
size_t size;
int ret_bin_alloc = 0;
ASSERT(argc == 2);
if (!enif_inspect_binary(env, argv[0], &key_bin))
goto bad_arg;
if (key_bin.size != 32)
goto bad_arg;
if (!enif_inspect_binary(env, argv[1], &text))
goto bad_arg;
if ((key = EVP_PKEY_new_raw_private_key(EVP_PKEY_POLY1305, /*engine*/ NULL, key_bin.data, key_bin.size)) == NULL)
goto err;
if ((mctx = EVP_MD_CTX_new()) == NULL)
goto err;
if (EVP_DigestSignInit(mctx, &pctx, md, /*engine*/ NULL, key) != 1)
goto err;
if (EVP_DigestSignUpdate(mctx, text.data, text.size) != 1)
goto err;
if (EVP_DigestSignFinal(mctx, NULL, &size) != 1)
goto err;
if (!enif_alloc_binary(size, &ret_bin))
goto err;
ret_bin_alloc = 1;
if (EVP_DigestSignFinal(mctx, ret_bin.data, &size) != 1)
goto err;
if (size != ret_bin.size) {
if (!enif_realloc_binary(&ret_bin, size))
goto err;
}
ret = enif_make_binary(env, &ret_bin);
ret_bin_alloc = 0;
goto done;
bad_arg:
return enif_make_badarg(env);
err:
if (ret_bin_alloc)
enif_release_binary(&ret_bin);
ret = atom_error;
done:
if (mctx)
EVP_MD_CTX_free(mctx);
if (key)
EVP_PKEY_free(key);
return ret;
#else
return enif_raise_exception(env, atom_notsup);
#endif
}
