Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Provide CMAC high level API replacement #81

Merged
merged 2 commits into from
Mar 14, 2024
Merged

Provide CMAC high level API replacement #81

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
01a3904
Provide CMAC high level API replacement
wumiaont Mar 12, 2024
8521d4a
Fix a port issue
wumiaont Mar 13, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
38 changes: 38 additions & 0 deletions src/crypto/crypto_openssl.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1218,6 +1218,43 @@ int crypto_get_random(void *buf, size_t len)
int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem,
const u8 *addr[], const size_t *len, u8 *mac)
{
#if OPENSSL_VERSION_NUMBER >= 0x30000000L
EVP_MAC_CTX *ctx = NULL;
EVP_MAC *emac;
int ret = -1;
size_t outlen, i;
OSSL_PARAM params[2];
char *cipher = NULL;
if (TEST_FAIL())
return -1;
emac = EVP_MAC_fetch(NULL, "CMAC", NULL);

if (key_len == 32)
cipher = "aes-256-cbc";
else if (key_len == 24)
cipher = "aes-192-cbc";
else if (key_len == 16)
cipher = "aes-128-cbc";

params[0] = OSSL_PARAM_construct_utf8_string("cipher", cipher, 0);
params[1] = OSSL_PARAM_construct_end();

if (!emac || !cipher ||
!(ctx = EVP_MAC_CTX_new(emac)) ||
EVP_MAC_init(ctx, key, key_len, params) != 1)
goto fail;

for (i = 0; i < num_elem; i++) {
if (!EVP_MAC_update(ctx, addr[i], len[i]))
goto fail;
}
if (EVP_MAC_final(ctx, mac, &outlen, 16) != 1 || outlen != 16)
goto fail;
ret = 0;
fail:
EVP_MAC_CTX_free(ctx);
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are we missing EVP_MAC_free(mac); here?

reference: Example in https://www.openssl.org/docs/man3.1/man3/EVP_MAC_init.htm

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@wumiaont , can you check this comment?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes. That does seem to be missing. I will double check and verify that fix. Thanks for finding this out.

Copy link
Collaborator

@xumia xumia Mar 16, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The mac parameter is an input variable, it may be a little different with the sample code. Is the caller to free it? Is it safe to free mac?

aes_siv_encrypt --> aes_s2v --> omac1_aes_vector
See https://github.com/sonic-net/sonic-wpa-supplicant/blob/413704a6ccef8321667712c518e595878ff02251/src/crypto/aes-siv.c#L127C2-L127C23

	u8 v[AES_BLOCK_SIZE];

@r12f , @wumiaont , please double check if necessary.

If needed, do we need to similar action in line1288?

Copy link

@r12f r12f Mar 16, 2024
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@xumia , maybe I am reading the wrong code... this is what I am seeing. The mac is allocated using EVP_MAC_fetch in this function:

image

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

From openssl WIKI example code there it's needed to free mac object created by fetch. https://www.openssl.org/docs/man3.0/man3/EVP_MAC_fetch.html. Fixed in #82

return ret;
#else /* OpenSSL version >= 3.0 */
CMAC_CTX *ctx;
int ret = -1;
size_t outlen, i;
Expand Down Expand Up @@ -1249,6 +1286,7 @@ int omac1_aes_vector(const u8 *key, size_t key_len, size_t num_elem,
fail:
CMAC_CTX_free(ctx);
return ret;
#endif /* OpenSSL version >= 3.0 */
}


Expand Down
Loading