/src/gnutls/lib/nettle/mac.c
Line | Count | Source |
1 | | /* |
2 | | * Copyright (C) 2008-2012 Free Software Foundation, Inc. |
3 | | * |
4 | | * Author: Nikos Mavrogiannopoulos |
5 | | * |
6 | | * This file is part of GNUTLS. |
7 | | * |
8 | | * The GNUTLS library is free software; you can redistribute it and/or |
9 | | * modify it under the terms of the GNU Lesser General Public License |
10 | | * as published by the Free Software Foundation; either version 2.1 of |
11 | | * the License, or (at your option) any later version. |
12 | | * |
13 | | * This library is distributed in the hope that it will be useful, but |
14 | | * WITHOUT ANY WARRANTY; without even the implied warranty of |
15 | | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU |
16 | | * Lesser General Public License for more details. |
17 | | * |
18 | | * You should have received a copy of the GNU Lesser General Public License |
19 | | * along with this program. If not, see <https://www.gnu.org/licenses/> |
20 | | * |
21 | | */ |
22 | | |
23 | | /* This file provides the backend hash/mac API for nettle. |
24 | | */ |
25 | | |
26 | | #include "gnutls_int.h" |
27 | | #include "hash_int.h" |
28 | | #include "errors.h" |
29 | | #include <nettle/md5.h> |
30 | | #include <nettle/md2.h> |
31 | | #include <nettle/ripemd160.h> |
32 | | #include <nettle/sha1.h> |
33 | | #include <nettle/sha2.h> |
34 | | #include <nettle/sha3.h> |
35 | | #include <nettle/hmac.h> |
36 | | #include <nettle/umac.h> |
37 | | #include <nettle/hkdf.h> |
38 | | #include <nettle/pbkdf2.h> |
39 | | #include <nettle/cmac.h> |
40 | | #if ENABLE_GOST |
41 | | #ifndef HAVE_NETTLE_GOST28147_SET_KEY |
42 | | #include "gost/gost28147.h" |
43 | | #endif |
44 | | #include "gost/cmac.h" |
45 | | #endif |
46 | | #include <nettle/gcm.h> |
47 | | #include <nettle/version.h> |
48 | | |
49 | | #if NETTLE_VERSION_MAJOR < 4 |
50 | | typedef void nettle_output_func(void *ctx, size_t length, uint8_t *dst); |
51 | | #endif |
52 | | |
53 | | /* Can't use nettle_set_key_func as it doesn't have the second argument */ |
54 | | typedef void (*set_key_func)(void *, size_t, const uint8_t *); |
55 | | typedef void (*set_nonce_func)(void *, size_t, const uint8_t *); |
56 | | typedef bool (*finished_func)(void *); |
57 | | |
58 | | static int wrap_nettle_hash_init(gnutls_digest_algorithm_t algo, void **_ctx); |
59 | | |
60 | | struct md5_sha1_ctx { |
61 | | struct md5_ctx md5; |
62 | | struct sha1_ctx sha1; |
63 | | }; |
64 | | |
65 | | struct gmac_ctx { |
66 | | unsigned int pos; |
67 | | uint8_t buffer[GCM_BLOCK_SIZE]; |
68 | | struct gcm_key key; |
69 | | struct gcm_ctx ctx; |
70 | | nettle_cipher_func *encrypt; |
71 | | union { |
72 | | struct aes128_ctx aes128; |
73 | | struct aes192_ctx aes192; |
74 | | struct aes256_ctx aes256; |
75 | | } cipher; |
76 | | }; |
77 | | |
78 | | struct nettle_hash_ctx { |
79 | | union { |
80 | | struct md5_ctx md5; |
81 | | struct sha224_ctx sha224; |
82 | | struct sha256_ctx sha256; |
83 | | struct sha384_ctx sha384; |
84 | | struct sha512_ctx sha512; |
85 | | struct sha3_128_ctx sha3_128; |
86 | | struct sha3_224_ctx sha3_224; |
87 | | struct sha3_256_ctx sha3_256; |
88 | | struct sha3_384_ctx sha3_384; |
89 | | struct sha3_512_ctx sha3_512; |
90 | | struct sha1_ctx sha1; |
91 | | struct md2_ctx md2; |
92 | | struct ripemd160_ctx ripemd160; |
93 | | struct md5_sha1_ctx md5_sha1; |
94 | | #if ENABLE_GOST |
95 | | struct gosthash94cp_ctx gosthash94cp; |
96 | | struct streebog256_ctx streebog256; |
97 | | struct streebog512_ctx streebog512; |
98 | | #endif |
99 | | } ctx; |
100 | | void *ctx_ptr; |
101 | | gnutls_digest_algorithm_t algo; |
102 | | size_t length; |
103 | | nettle_hash_update_func *update; |
104 | | nettle_hash_digest_func *digest; |
105 | | nettle_output_func *output; |
106 | | nettle_hash_init_func *init; |
107 | | finished_func finished; |
108 | | }; |
109 | | |
110 | | static bool _wrap_sha3_128_shake_finished(void *_ctx) |
111 | 0 | { |
112 | 0 | struct sha3_128_ctx *ctx = _ctx; |
113 | | |
114 | | /* Nettle uses one's complement of the index value to indicate |
115 | | * SHAKE is initialized. |
116 | | */ |
117 | 0 | return ctx->index >= sizeof(ctx->block); |
118 | 0 | } |
119 | | |
120 | | static bool _wrap_sha3_256_shake_finished(void *_ctx) |
121 | 0 | { |
122 | 0 | struct sha3_256_ctx *ctx = _ctx; |
123 | | |
124 | | /* Nettle uses one's complement of the index value to indicate |
125 | | * SHAKE is initialized. |
126 | | */ |
127 | 0 | return ctx->index >= sizeof(ctx->block); |
128 | 0 | } |
129 | | |
130 | | struct nettle_mac_ctx { |
131 | | union { |
132 | | struct hmac_md5_ctx md5; |
133 | | struct hmac_sha224_ctx sha224; |
134 | | struct hmac_sha256_ctx sha256; |
135 | | struct hmac_sha384_ctx sha384; |
136 | | struct hmac_sha512_ctx sha512; |
137 | | struct hmac_sha1_ctx sha1; |
138 | | #if ENABLE_GOST |
139 | | struct hmac_gosthash94cp_ctx gosthash94cp; |
140 | | struct hmac_streebog256_ctx streebog256; |
141 | | struct hmac_streebog512_ctx streebog512; |
142 | | struct gost28147_imit_ctx gost28147_imit; |
143 | | struct cmac_magma_ctx magma; |
144 | | struct cmac_kuznyechik_ctx kuznyechik; |
145 | | #endif |
146 | | struct umac96_ctx umac96; |
147 | | struct umac128_ctx umac128; |
148 | | struct cmac_aes128_ctx cmac128; |
149 | | struct cmac_aes256_ctx cmac256; |
150 | | struct gmac_ctx gmac; |
151 | | } ctx; |
152 | | |
153 | | void *ctx_ptr; |
154 | | gnutls_mac_algorithm_t algo; |
155 | | size_t length; |
156 | | nettle_hash_update_func *update; |
157 | | nettle_hash_digest_func *digest; |
158 | | set_key_func set_key; |
159 | | set_nonce_func set_nonce; |
160 | | }; |
161 | | |
162 | | #if ENABLE_GOST |
163 | | static void _wrap_gost28147_imit_set_key_tc26z(void *ctx, size_t len, |
164 | | const uint8_t *key) |
165 | 0 | { |
166 | 0 | gost28147_imit_set_param(ctx, &gost28147_param_TC26_Z); |
167 | 0 | gost28147_imit_set_key(ctx, len, key); |
168 | 0 | } |
169 | | |
170 | | static void _wrap_cmac_magma_set_key(void *ctx, size_t len, const uint8_t *key) |
171 | 0 | { |
172 | 0 | cmac_magma_set_key(ctx, key); |
173 | 0 | } |
174 | | |
175 | | static void _wrap_cmac_kuznyechik_set_key(void *ctx, size_t len, |
176 | | const uint8_t *key) |
177 | 0 | { |
178 | 0 | cmac_kuznyechik_set_key(ctx, key); |
179 | 0 | } |
180 | | #endif |
181 | | |
182 | | static void _wrap_umac96_set_key(void *ctx, size_t len, const uint8_t *key) |
183 | 0 | { |
184 | 0 | if (unlikely(len != 16)) |
185 | 0 | abort(); |
186 | 0 | umac96_set_key(ctx, key); |
187 | 0 | } |
188 | | |
189 | | static void _wrap_umac128_set_key(void *ctx, size_t len, const uint8_t *key) |
190 | 0 | { |
191 | 0 | if (unlikely(len != 16)) |
192 | 0 | abort(); |
193 | 0 | umac128_set_key(ctx, key); |
194 | 0 | } |
195 | | |
196 | | static void _wrap_cmac128_set_key(void *ctx, size_t len, const uint8_t *key) |
197 | 0 | { |
198 | 0 | if (unlikely(len != 16)) |
199 | 0 | abort(); |
200 | 0 | cmac_aes128_set_key(ctx, key); |
201 | 0 | } |
202 | | |
203 | | static void _wrap_cmac256_set_key(void *ctx, size_t len, const uint8_t *key) |
204 | 0 | { |
205 | 0 | if (unlikely(len != 32)) |
206 | 0 | abort(); |
207 | 0 | cmac_aes256_set_key(ctx, key); |
208 | 0 | } |
209 | | |
210 | | static void _wrap_gmac_aes128_set_key(void *_ctx, size_t len, |
211 | | const uint8_t *key) |
212 | 0 | { |
213 | 0 | struct gmac_ctx *ctx = _ctx; |
214 | |
|
215 | 0 | if (unlikely(len != 16)) |
216 | 0 | abort(); |
217 | 0 | aes128_set_encrypt_key(&ctx->cipher.aes128, key); |
218 | 0 | gcm_set_key(&ctx->key, &ctx->cipher, ctx->encrypt); |
219 | 0 | ctx->pos = 0; |
220 | 0 | } |
221 | | |
222 | | static void _wrap_gmac_aes192_set_key(void *_ctx, size_t len, |
223 | | const uint8_t *key) |
224 | 0 | { |
225 | 0 | struct gmac_ctx *ctx = _ctx; |
226 | |
|
227 | 0 | if (unlikely(len != 24)) |
228 | 0 | abort(); |
229 | 0 | aes192_set_encrypt_key(&ctx->cipher.aes192, key); |
230 | 0 | gcm_set_key(&ctx->key, &ctx->cipher, ctx->encrypt); |
231 | 0 | ctx->pos = 0; |
232 | 0 | } |
233 | | |
234 | | static void _wrap_gmac_aes256_set_key(void *_ctx, size_t len, |
235 | | const uint8_t *key) |
236 | 0 | { |
237 | 0 | struct gmac_ctx *ctx = _ctx; |
238 | |
|
239 | 0 | if (unlikely(len != 32)) |
240 | 0 | abort(); |
241 | 0 | aes256_set_encrypt_key(&ctx->cipher.aes256, key); |
242 | 0 | gcm_set_key(&ctx->key, &ctx->cipher, ctx->encrypt); |
243 | 0 | ctx->pos = 0; |
244 | 0 | } |
245 | | |
246 | | static void _wrap_gmac_set_nonce(void *_ctx, size_t nonce_length, |
247 | | const uint8_t *nonce) |
248 | 0 | { |
249 | 0 | struct gmac_ctx *ctx = _ctx; |
250 | |
|
251 | 0 | gcm_set_iv(&ctx->ctx, &ctx->key, nonce_length, nonce); |
252 | 0 | } |
253 | | |
254 | | static void _wrap_gmac_update(void *_ctx, size_t length, const uint8_t *data) |
255 | 0 | { |
256 | 0 | struct gmac_ctx *ctx = _ctx; |
257 | |
|
258 | 0 | if (ctx->pos + length < GCM_BLOCK_SIZE) { |
259 | 0 | memcpy(&ctx->buffer[ctx->pos], data, length); |
260 | 0 | ctx->pos += length; |
261 | 0 | return; |
262 | 0 | } |
263 | | |
264 | 0 | if (ctx->pos) { |
265 | 0 | memcpy(&ctx->buffer[ctx->pos], data, GCM_BLOCK_SIZE - ctx->pos); |
266 | 0 | gcm_update(&ctx->ctx, &ctx->key, GCM_BLOCK_SIZE, ctx->buffer); |
267 | 0 | data += GCM_BLOCK_SIZE - ctx->pos; |
268 | 0 | length -= GCM_BLOCK_SIZE - ctx->pos; |
269 | 0 | } |
270 | |
|
271 | 0 | if (length >= GCM_BLOCK_SIZE) { |
272 | 0 | gcm_update(&ctx->ctx, &ctx->key, |
273 | 0 | length / GCM_BLOCK_SIZE * GCM_BLOCK_SIZE, data); |
274 | 0 | data += length / GCM_BLOCK_SIZE * GCM_BLOCK_SIZE; |
275 | 0 | length %= GCM_BLOCK_SIZE; |
276 | 0 | } |
277 | |
|
278 | 0 | memcpy(ctx->buffer, data, length); |
279 | 0 | ctx->pos = length; |
280 | 0 | } |
281 | | |
282 | | #if NETTLE_VERSION_MAJOR >= 4 |
283 | | static void _wrap_gmac_digest(void *_ctx, uint8_t *digest) |
284 | | { |
285 | | struct gmac_ctx *ctx = _ctx; |
286 | | |
287 | | if (ctx->pos) |
288 | | gcm_update(&ctx->ctx, &ctx->key, ctx->pos, ctx->buffer); |
289 | | |
290 | | gcm_digest(&ctx->ctx, &ctx->key, &ctx->cipher, ctx->encrypt, digest); |
291 | | |
292 | | ctx->pos = 0; |
293 | | } |
294 | | #else |
295 | | static void _wrap_gmac_digest(void *_ctx, size_t length, uint8_t *digest) |
296 | 0 | { |
297 | 0 | struct gmac_ctx *ctx = _ctx; |
298 | |
|
299 | 0 | if (ctx->pos) |
300 | 0 | gcm_update(&ctx->ctx, &ctx->key, ctx->pos, ctx->buffer); |
301 | |
|
302 | 0 | gcm_digest(&ctx->ctx, &ctx->key, &ctx->cipher, ctx->encrypt, length, |
303 | 0 | digest); |
304 | |
|
305 | 0 | ctx->pos = 0; |
306 | 0 | } |
307 | | #endif |
308 | | |
309 | | static int _mac_ctx_init(gnutls_mac_algorithm_t algo, |
310 | | struct nettle_mac_ctx *ctx) |
311 | 0 | { |
312 | | /* Any FIPS140-2 related enforcement is performed on |
313 | | * gnutls_hash_init() and gnutls_hmac_init() */ |
314 | |
|
315 | 0 | ctx->set_nonce = NULL; |
316 | 0 | switch (algo) { |
317 | 0 | case GNUTLS_MAC_MD5: |
318 | 0 | ctx->update = (nettle_hash_update_func *)hmac_md5_update; |
319 | 0 | ctx->digest = (nettle_hash_digest_func *)hmac_md5_digest; |
320 | 0 | ctx->set_key = (set_key_func)hmac_md5_set_key; |
321 | 0 | ctx->ctx_ptr = &ctx->ctx.md5; |
322 | 0 | ctx->length = MD5_DIGEST_SIZE; |
323 | 0 | break; |
324 | 0 | case GNUTLS_MAC_SHA1: |
325 | 0 | ctx->update = (nettle_hash_update_func *)hmac_sha1_update; |
326 | 0 | ctx->digest = (nettle_hash_digest_func *)hmac_sha1_digest; |
327 | 0 | ctx->set_key = (set_key_func)hmac_sha1_set_key; |
328 | 0 | ctx->ctx_ptr = &ctx->ctx.sha1; |
329 | 0 | ctx->length = SHA1_DIGEST_SIZE; |
330 | 0 | break; |
331 | 0 | case GNUTLS_MAC_SHA224: |
332 | 0 | ctx->update = (nettle_hash_update_func *)hmac_sha224_update; |
333 | 0 | ctx->digest = (nettle_hash_digest_func *)hmac_sha224_digest; |
334 | 0 | ctx->set_key = (set_key_func)hmac_sha224_set_key; |
335 | 0 | ctx->ctx_ptr = &ctx->ctx.sha224; |
336 | 0 | ctx->length = SHA224_DIGEST_SIZE; |
337 | 0 | break; |
338 | 0 | case GNUTLS_MAC_SHA256: |
339 | 0 | ctx->update = (nettle_hash_update_func *)hmac_sha256_update; |
340 | 0 | ctx->digest = (nettle_hash_digest_func *)hmac_sha256_digest; |
341 | 0 | ctx->set_key = (set_key_func)hmac_sha256_set_key; |
342 | 0 | ctx->ctx_ptr = &ctx->ctx.sha256; |
343 | 0 | ctx->length = SHA256_DIGEST_SIZE; |
344 | 0 | break; |
345 | 0 | case GNUTLS_MAC_SHA384: |
346 | 0 | ctx->update = (nettle_hash_update_func *)hmac_sha384_update; |
347 | 0 | ctx->digest = (nettle_hash_digest_func *)hmac_sha384_digest; |
348 | 0 | ctx->set_key = (set_key_func)hmac_sha384_set_key; |
349 | 0 | ctx->ctx_ptr = &ctx->ctx.sha384; |
350 | 0 | ctx->length = SHA384_DIGEST_SIZE; |
351 | 0 | break; |
352 | 0 | case GNUTLS_MAC_SHA512: |
353 | 0 | ctx->update = (nettle_hash_update_func *)hmac_sha512_update; |
354 | 0 | ctx->digest = (nettle_hash_digest_func *)hmac_sha512_digest; |
355 | 0 | ctx->set_key = (set_key_func)hmac_sha512_set_key; |
356 | 0 | ctx->ctx_ptr = &ctx->ctx.sha512; |
357 | 0 | ctx->length = SHA512_DIGEST_SIZE; |
358 | 0 | break; |
359 | 0 | #if ENABLE_GOST |
360 | 0 | case GNUTLS_MAC_GOSTR_94: |
361 | 0 | ctx->update = |
362 | 0 | (nettle_hash_update_func *)hmac_gosthash94cp_update; |
363 | 0 | ctx->digest = |
364 | 0 | (nettle_hash_digest_func *)hmac_gosthash94cp_digest; |
365 | 0 | ctx->set_key = (set_key_func)hmac_gosthash94cp_set_key; |
366 | 0 | ctx->ctx_ptr = &ctx->ctx.gosthash94cp; |
367 | 0 | ctx->length = GOSTHASH94CP_DIGEST_SIZE; |
368 | 0 | break; |
369 | 0 | case GNUTLS_MAC_STREEBOG_256: |
370 | 0 | ctx->update = |
371 | 0 | (nettle_hash_update_func *)hmac_streebog256_update; |
372 | 0 | ctx->digest = |
373 | 0 | (nettle_hash_digest_func *)hmac_streebog256_digest; |
374 | 0 | ctx->set_key = (set_key_func)hmac_streebog256_set_key; |
375 | 0 | ctx->ctx_ptr = &ctx->ctx.streebog256; |
376 | 0 | ctx->length = STREEBOG256_DIGEST_SIZE; |
377 | 0 | break; |
378 | 0 | case GNUTLS_MAC_STREEBOG_512: |
379 | 0 | ctx->update = |
380 | 0 | (nettle_hash_update_func *)hmac_streebog512_update; |
381 | 0 | ctx->digest = |
382 | 0 | (nettle_hash_digest_func *)hmac_streebog512_digest; |
383 | 0 | ctx->set_key = (set_key_func)hmac_streebog512_set_key; |
384 | 0 | ctx->ctx_ptr = &ctx->ctx.streebog512; |
385 | 0 | ctx->length = STREEBOG512_DIGEST_SIZE; |
386 | 0 | break; |
387 | 0 | case GNUTLS_MAC_GOST28147_TC26Z_IMIT: |
388 | 0 | ctx->update = (nettle_hash_update_func *)gost28147_imit_update; |
389 | 0 | ctx->digest = (nettle_hash_digest_func *)gost28147_imit_digest; |
390 | 0 | ctx->set_key = _wrap_gost28147_imit_set_key_tc26z; |
391 | 0 | ctx->ctx_ptr = &ctx->ctx.gost28147_imit; |
392 | 0 | ctx->length = GOST28147_IMIT_DIGEST_SIZE; |
393 | 0 | break; |
394 | 0 | case GNUTLS_MAC_MAGMA_OMAC: |
395 | 0 | ctx->update = (nettle_hash_update_func *)cmac_magma_update; |
396 | 0 | ctx->digest = (nettle_hash_digest_func *)cmac_magma_digest; |
397 | 0 | ctx->set_key = _wrap_cmac_magma_set_key; |
398 | 0 | ctx->ctx_ptr = &ctx->ctx.magma; |
399 | 0 | ctx->length = CMAC64_DIGEST_SIZE; |
400 | 0 | break; |
401 | 0 | case GNUTLS_MAC_KUZNYECHIK_OMAC: |
402 | 0 | ctx->update = (nettle_hash_update_func *)cmac_kuznyechik_update; |
403 | 0 | ctx->digest = (nettle_hash_digest_func *)cmac_kuznyechik_digest; |
404 | 0 | ctx->set_key = _wrap_cmac_kuznyechik_set_key; |
405 | 0 | ctx->ctx_ptr = &ctx->ctx.kuznyechik; |
406 | 0 | ctx->length = CMAC128_DIGEST_SIZE; |
407 | 0 | break; |
408 | 0 | #endif |
409 | 0 | case GNUTLS_MAC_UMAC_96: |
410 | 0 | ctx->update = (nettle_hash_update_func *)umac96_update; |
411 | 0 | ctx->digest = (nettle_hash_digest_func *)umac96_digest; |
412 | 0 | ctx->set_key = _wrap_umac96_set_key; |
413 | 0 | ctx->set_nonce = (set_nonce_func)umac96_set_nonce; |
414 | 0 | ctx->ctx_ptr = &ctx->ctx.umac96; |
415 | 0 | ctx->length = 12; |
416 | 0 | break; |
417 | 0 | case GNUTLS_MAC_UMAC_128: |
418 | 0 | ctx->update = (nettle_hash_update_func *)umac128_update; |
419 | 0 | ctx->digest = (nettle_hash_digest_func *)umac128_digest; |
420 | 0 | ctx->set_key = _wrap_umac128_set_key; |
421 | 0 | ctx->set_nonce = (set_nonce_func)umac128_set_nonce; |
422 | 0 | ctx->ctx_ptr = &ctx->ctx.umac128; |
423 | 0 | ctx->length = 16; |
424 | 0 | break; |
425 | 0 | case GNUTLS_MAC_AES_CMAC_128: |
426 | 0 | ctx->update = (nettle_hash_update_func *)cmac_aes128_update; |
427 | 0 | ctx->digest = (nettle_hash_digest_func *)cmac_aes128_digest; |
428 | 0 | ctx->set_key = _wrap_cmac128_set_key; |
429 | 0 | ctx->ctx_ptr = &ctx->ctx.cmac128; |
430 | 0 | ctx->length = CMAC128_DIGEST_SIZE; |
431 | 0 | break; |
432 | 0 | case GNUTLS_MAC_AES_CMAC_256: |
433 | 0 | ctx->update = (nettle_hash_update_func *)cmac_aes256_update; |
434 | 0 | ctx->digest = (nettle_hash_digest_func *)cmac_aes256_digest; |
435 | 0 | ctx->set_key = _wrap_cmac256_set_key; |
436 | 0 | ctx->ctx_ptr = &ctx->ctx.cmac256; |
437 | 0 | ctx->length = CMAC128_DIGEST_SIZE; |
438 | 0 | break; |
439 | 0 | case GNUTLS_MAC_AES_GMAC_128: |
440 | 0 | ctx->set_key = _wrap_gmac_aes128_set_key; |
441 | 0 | ctx->set_nonce = _wrap_gmac_set_nonce; |
442 | 0 | ctx->update = _wrap_gmac_update; |
443 | 0 | ctx->digest = _wrap_gmac_digest; |
444 | 0 | ctx->ctx_ptr = &ctx->ctx.gmac; |
445 | 0 | ctx->length = GCM_DIGEST_SIZE; |
446 | 0 | ctx->ctx.gmac.encrypt = (nettle_cipher_func *)aes128_encrypt; |
447 | 0 | break; |
448 | 0 | case GNUTLS_MAC_AES_GMAC_192: |
449 | 0 | ctx->set_key = _wrap_gmac_aes192_set_key; |
450 | 0 | ctx->set_nonce = _wrap_gmac_set_nonce; |
451 | 0 | ctx->update = _wrap_gmac_update; |
452 | 0 | ctx->digest = _wrap_gmac_digest; |
453 | 0 | ctx->ctx_ptr = &ctx->ctx.gmac; |
454 | 0 | ctx->length = GCM_DIGEST_SIZE; |
455 | 0 | ctx->ctx.gmac.encrypt = (nettle_cipher_func *)aes192_encrypt; |
456 | 0 | break; |
457 | 0 | case GNUTLS_MAC_AES_GMAC_256: |
458 | 0 | ctx->set_key = _wrap_gmac_aes256_set_key; |
459 | 0 | ctx->set_nonce = _wrap_gmac_set_nonce; |
460 | 0 | ctx->update = _wrap_gmac_update; |
461 | 0 | ctx->digest = _wrap_gmac_digest; |
462 | 0 | ctx->ctx_ptr = &ctx->ctx.gmac; |
463 | 0 | ctx->length = GCM_DIGEST_SIZE; |
464 | 0 | ctx->ctx.gmac.encrypt = (nettle_cipher_func *)aes256_encrypt; |
465 | 0 | break; |
466 | 0 | default: |
467 | 0 | gnutls_assert(); |
468 | 0 | return GNUTLS_E_INVALID_REQUEST; |
469 | 0 | } |
470 | | |
471 | 0 | return 0; |
472 | 0 | } |
473 | | |
474 | | static int wrap_nettle_mac_fast(gnutls_mac_algorithm_t algo, const void *nonce, |
475 | | size_t nonce_size, const void *key, |
476 | | size_t key_size, const void *text, |
477 | | size_t text_size, void *digest) |
478 | 0 | { |
479 | 0 | struct nettle_mac_ctx ctx; |
480 | 0 | int ret; |
481 | |
|
482 | 0 | ret = _mac_ctx_init(algo, &ctx); |
483 | 0 | if (ret < 0) |
484 | 0 | return gnutls_assert_val(ret); |
485 | | |
486 | 0 | ctx.set_key(&ctx, key_size, key); |
487 | 0 | if (ctx.set_nonce) { |
488 | 0 | if (nonce == NULL || nonce_size == 0) |
489 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
490 | | |
491 | 0 | ctx.set_nonce(&ctx, nonce_size, nonce); |
492 | 0 | } |
493 | 0 | ctx.update(&ctx, text_size, text); |
494 | | #if NETTLE_VERSION_MAJOR >= 4 |
495 | | ctx.digest(&ctx, digest); |
496 | | #else |
497 | 0 | ctx.digest(&ctx, ctx.length, digest); |
498 | 0 | #endif |
499 | |
|
500 | 0 | zeroize_key(&ctx, sizeof(ctx)); |
501 | |
|
502 | 0 | return 0; |
503 | 0 | } |
504 | | |
505 | | static int wrap_nettle_mac_exists(gnutls_mac_algorithm_t algo) |
506 | 0 | { |
507 | 0 | switch (algo) { |
508 | 0 | case GNUTLS_MAC_MD5: |
509 | 0 | case GNUTLS_MAC_SHA1: |
510 | 0 | case GNUTLS_MAC_SHA224: |
511 | 0 | case GNUTLS_MAC_SHA256: |
512 | 0 | case GNUTLS_MAC_SHA384: |
513 | 0 | case GNUTLS_MAC_SHA512: |
514 | 0 | case GNUTLS_MAC_UMAC_96: |
515 | 0 | case GNUTLS_MAC_UMAC_128: |
516 | 0 | case GNUTLS_MAC_AES_CMAC_128: |
517 | 0 | case GNUTLS_MAC_AES_CMAC_256: |
518 | 0 | case GNUTLS_MAC_AES_GMAC_128: |
519 | 0 | case GNUTLS_MAC_AES_GMAC_192: |
520 | 0 | case GNUTLS_MAC_AES_GMAC_256: |
521 | 0 | #if ENABLE_GOST |
522 | 0 | case GNUTLS_MAC_GOSTR_94: |
523 | 0 | case GNUTLS_MAC_STREEBOG_256: |
524 | 0 | case GNUTLS_MAC_STREEBOG_512: |
525 | 0 | case GNUTLS_MAC_GOST28147_TC26Z_IMIT: |
526 | 0 | case GNUTLS_MAC_MAGMA_OMAC: |
527 | 0 | case GNUTLS_MAC_KUZNYECHIK_OMAC: |
528 | 0 | #endif |
529 | 0 | return 1; |
530 | 0 | default: |
531 | 0 | return 0; |
532 | 0 | } |
533 | 0 | } |
534 | | |
535 | | static int wrap_nettle_mac_init(gnutls_mac_algorithm_t algo, void **_ctx) |
536 | 0 | { |
537 | 0 | struct nettle_mac_ctx *ctx; |
538 | 0 | int ret; |
539 | |
|
540 | 0 | ctx = gnutls_calloc(1, sizeof(struct nettle_mac_ctx)); |
541 | 0 | if (ctx == NULL) { |
542 | 0 | gnutls_assert(); |
543 | 0 | return GNUTLS_E_MEMORY_ERROR; |
544 | 0 | } |
545 | | |
546 | 0 | ctx->algo = algo; |
547 | |
|
548 | 0 | ret = _mac_ctx_init(algo, ctx); |
549 | 0 | if (ret < 0) { |
550 | 0 | gnutls_free(ctx); |
551 | 0 | return gnutls_assert_val(ret); |
552 | 0 | } |
553 | | |
554 | 0 | *_ctx = ctx; |
555 | |
|
556 | 0 | return 0; |
557 | 0 | } |
558 | | |
559 | | static void *wrap_nettle_mac_copy(const void *_ctx) |
560 | 0 | { |
561 | 0 | const struct nettle_mac_ctx *ctx = _ctx; |
562 | 0 | struct nettle_mac_ctx *new_ctx; |
563 | 0 | ptrdiff_t off = (uint8_t *)ctx->ctx_ptr - (uint8_t *)(&ctx->ctx); |
564 | |
|
565 | 0 | new_ctx = gnutls_calloc(1, sizeof(struct nettle_mac_ctx)); |
566 | 0 | if (new_ctx == NULL) |
567 | 0 | return NULL; |
568 | | |
569 | 0 | memcpy(new_ctx, ctx, sizeof(*ctx)); |
570 | 0 | new_ctx->ctx_ptr = (uint8_t *)&new_ctx->ctx + off; |
571 | |
|
572 | 0 | return new_ctx; |
573 | 0 | } |
574 | | |
575 | | static int wrap_nettle_mac_set_key(void *_ctx, const void *key, size_t keylen) |
576 | 0 | { |
577 | 0 | struct nettle_mac_ctx *ctx = _ctx; |
578 | |
|
579 | 0 | ctx->set_key(ctx->ctx_ptr, keylen, key); |
580 | 0 | return 0; |
581 | 0 | } |
582 | | |
583 | | static int wrap_nettle_mac_set_nonce(void *_ctx, const void *nonce, |
584 | | size_t noncelen) |
585 | 0 | { |
586 | 0 | struct nettle_mac_ctx *ctx = _ctx; |
587 | |
|
588 | 0 | if (ctx->set_nonce == NULL) |
589 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
590 | | |
591 | 0 | if (nonce == NULL || noncelen == 0) |
592 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
593 | | |
594 | 0 | ctx->set_nonce(ctx->ctx_ptr, noncelen, nonce); |
595 | |
|
596 | 0 | return GNUTLS_E_SUCCESS; |
597 | 0 | } |
598 | | |
599 | | static int wrap_nettle_mac_update(void *_ctx, const void *text, size_t textsize) |
600 | 0 | { |
601 | 0 | struct nettle_mac_ctx *ctx = _ctx; |
602 | |
|
603 | 0 | ctx->update(ctx->ctx_ptr, textsize, text); |
604 | |
|
605 | 0 | return GNUTLS_E_SUCCESS; |
606 | 0 | } |
607 | | |
608 | | static int wrap_nettle_mac_output(void *src_ctx, void *digest, |
609 | | size_t digestsize) |
610 | 0 | { |
611 | 0 | struct nettle_mac_ctx *ctx = src_ctx; |
612 | |
|
613 | 0 | if (digestsize < ctx->length) { |
614 | 0 | gnutls_assert(); |
615 | 0 | return GNUTLS_E_SHORT_MEMORY_BUFFER; |
616 | 0 | } |
617 | | |
618 | | #if NETTLE_VERSION_MAJOR >= 4 |
619 | | if (digestsize != ctx->length) { |
620 | | gnutls_assert(); |
621 | | return GNUTLS_E_INVALID_REQUEST; |
622 | | } |
623 | | ctx->digest(ctx->ctx_ptr, digest); |
624 | | #else |
625 | 0 | ctx->digest(ctx->ctx_ptr, digestsize, digest); |
626 | 0 | #endif |
627 | |
|
628 | 0 | return 0; |
629 | 0 | } |
630 | | |
631 | | static void wrap_nettle_mac_deinit(void *hd) |
632 | 0 | { |
633 | 0 | struct nettle_mac_ctx *ctx = hd; |
634 | |
|
635 | 0 | zeroize_key(ctx, sizeof(*ctx)); |
636 | 0 | gnutls_free(ctx); |
637 | 0 | } |
638 | | |
639 | | /* Hash functions |
640 | | */ |
641 | | static int wrap_nettle_hash_update(void *_ctx, const void *text, |
642 | | size_t textsize) |
643 | 0 | { |
644 | 0 | struct nettle_hash_ctx *ctx = _ctx; |
645 | |
|
646 | 0 | if (ctx->finished && ctx->finished(ctx->ctx_ptr)) |
647 | 0 | return GNUTLS_E_INVALID_REQUEST; |
648 | | |
649 | 0 | ctx->update(ctx->ctx_ptr, textsize, text); |
650 | |
|
651 | 0 | return GNUTLS_E_SUCCESS; |
652 | 0 | } |
653 | | |
654 | | static void wrap_nettle_hash_deinit(void *hd) |
655 | 0 | { |
656 | 0 | gnutls_free(hd); |
657 | 0 | } |
658 | | |
659 | | static int wrap_nettle_hash_exists(gnutls_digest_algorithm_t algo) |
660 | 0 | { |
661 | 0 | switch (algo) { |
662 | 0 | case GNUTLS_DIG_MD5: |
663 | 0 | case GNUTLS_DIG_SHA1: |
664 | 0 | case GNUTLS_DIG_MD5_SHA1: |
665 | |
|
666 | 0 | case GNUTLS_DIG_SHA224: |
667 | 0 | case GNUTLS_DIG_SHA256: |
668 | 0 | case GNUTLS_DIG_SHA384: |
669 | 0 | case GNUTLS_DIG_SHA512: |
670 | |
|
671 | 0 | #ifdef NETTLE_SHA3_FIPS202 |
672 | 0 | case GNUTLS_DIG_SHA3_224: |
673 | 0 | case GNUTLS_DIG_SHA3_256: |
674 | 0 | case GNUTLS_DIG_SHA3_384: |
675 | 0 | case GNUTLS_DIG_SHA3_512: |
676 | 0 | case GNUTLS_DIG_SHAKE_128: |
677 | 0 | case GNUTLS_DIG_SHAKE_256: |
678 | 0 | #endif |
679 | |
|
680 | 0 | case GNUTLS_DIG_MD2: |
681 | 0 | case GNUTLS_DIG_RMD160: |
682 | |
|
683 | 0 | #if ENABLE_GOST |
684 | 0 | case GNUTLS_DIG_GOSTR_94: |
685 | 0 | case GNUTLS_DIG_STREEBOG_256: |
686 | 0 | case GNUTLS_DIG_STREEBOG_512: |
687 | 0 | #endif |
688 | 0 | return 1; |
689 | 0 | default: |
690 | 0 | return 0; |
691 | 0 | } |
692 | 0 | } |
693 | | |
694 | | static void _md5_sha1_update(void *_ctx, size_t len, const uint8_t *data) |
695 | 0 | { |
696 | 0 | struct md5_sha1_ctx *ctx = _ctx; |
697 | |
|
698 | 0 | md5_update(&ctx->md5, len, data); |
699 | 0 | sha1_update(&ctx->sha1, len, data); |
700 | 0 | } |
701 | | |
702 | | #if NETTLE_VERSION_MAJOR >= 4 |
703 | | static void _md5_sha1_digest(void *_ctx, uint8_t *digest) |
704 | | { |
705 | | struct md5_sha1_ctx *ctx = _ctx; |
706 | | |
707 | | md5_digest(&ctx->md5, digest); |
708 | | sha1_digest(&ctx->sha1, digest + MD5_DIGEST_SIZE); |
709 | | } |
710 | | #else |
711 | | static void _md5_sha1_digest(void *_ctx, size_t len, uint8_t *digest) |
712 | 0 | { |
713 | 0 | struct md5_sha1_ctx *ctx = _ctx; |
714 | | |
715 | | /* The caller should be responsible for any truncation */ |
716 | 0 | assert(len == MD5_DIGEST_SIZE + SHA1_DIGEST_SIZE); |
717 | 0 | md5_digest(&ctx->md5, MD5_DIGEST_SIZE, digest); |
718 | 0 | sha1_digest(&ctx->sha1, SHA1_DIGEST_SIZE, digest + MD5_DIGEST_SIZE); |
719 | 0 | } |
720 | | #endif |
721 | | |
722 | | static void _md5_sha1_init(void *_ctx) |
723 | 0 | { |
724 | 0 | struct md5_sha1_ctx *ctx = _ctx; |
725 | |
|
726 | 0 | md5_init(&ctx->md5); |
727 | 0 | sha1_init(&ctx->sha1); |
728 | 0 | } |
729 | | |
730 | | static int _ctx_init(gnutls_digest_algorithm_t algo, |
731 | | struct nettle_hash_ctx *ctx) |
732 | 0 | { |
733 | | /* Any FIPS140-2 related enforcement is performed on |
734 | | * gnutls_hash_init() and gnutls_hmac_init() */ |
735 | |
|
736 | 0 | ctx->output = NULL; |
737 | 0 | ctx->finished = NULL; |
738 | 0 | switch (algo) { |
739 | 0 | case GNUTLS_DIG_MD5: |
740 | 0 | ctx->init = (nettle_hash_init_func *)md5_init; |
741 | 0 | ctx->update = (nettle_hash_update_func *)md5_update; |
742 | 0 | ctx->digest = (nettle_hash_digest_func *)md5_digest; |
743 | 0 | ctx->ctx_ptr = &ctx->ctx.md5; |
744 | 0 | ctx->length = MD5_DIGEST_SIZE; |
745 | 0 | break; |
746 | 0 | case GNUTLS_DIG_SHA1: |
747 | 0 | ctx->init = (nettle_hash_init_func *)sha1_init; |
748 | 0 | ctx->update = (nettle_hash_update_func *)sha1_update; |
749 | 0 | ctx->digest = (nettle_hash_digest_func *)sha1_digest; |
750 | 0 | ctx->ctx_ptr = &ctx->ctx.sha1; |
751 | 0 | ctx->length = SHA1_DIGEST_SIZE; |
752 | 0 | break; |
753 | 0 | case GNUTLS_DIG_MD5_SHA1: |
754 | 0 | ctx->init = (nettle_hash_init_func *)_md5_sha1_init; |
755 | 0 | ctx->update = (nettle_hash_update_func *)_md5_sha1_update; |
756 | 0 | ctx->digest = (nettle_hash_digest_func *)_md5_sha1_digest; |
757 | 0 | ctx->ctx_ptr = &ctx->ctx.md5_sha1; |
758 | 0 | ctx->length = MD5_DIGEST_SIZE + SHA1_DIGEST_SIZE; |
759 | 0 | break; |
760 | 0 | case GNUTLS_DIG_SHA224: |
761 | 0 | ctx->init = (nettle_hash_init_func *)sha224_init; |
762 | 0 | ctx->update = (nettle_hash_update_func *)sha224_update; |
763 | 0 | ctx->digest = (nettle_hash_digest_func *)sha224_digest; |
764 | 0 | ctx->ctx_ptr = &ctx->ctx.sha224; |
765 | 0 | ctx->length = SHA224_DIGEST_SIZE; |
766 | 0 | break; |
767 | 0 | case GNUTLS_DIG_SHA256: |
768 | 0 | ctx->init = (nettle_hash_init_func *)sha256_init; |
769 | 0 | ctx->update = (nettle_hash_update_func *)sha256_update; |
770 | 0 | ctx->digest = (nettle_hash_digest_func *)sha256_digest; |
771 | 0 | ctx->ctx_ptr = &ctx->ctx.sha256; |
772 | 0 | ctx->length = SHA256_DIGEST_SIZE; |
773 | 0 | break; |
774 | 0 | case GNUTLS_DIG_SHA384: |
775 | 0 | ctx->init = (nettle_hash_init_func *)sha384_init; |
776 | 0 | ctx->update = (nettle_hash_update_func *)sha384_update; |
777 | 0 | ctx->digest = (nettle_hash_digest_func *)sha384_digest; |
778 | 0 | ctx->ctx_ptr = &ctx->ctx.sha384; |
779 | 0 | ctx->length = SHA384_DIGEST_SIZE; |
780 | 0 | break; |
781 | 0 | case GNUTLS_DIG_SHA512: |
782 | 0 | ctx->init = (nettle_hash_init_func *)sha512_init; |
783 | 0 | ctx->update = (nettle_hash_update_func *)sha512_update; |
784 | 0 | ctx->digest = (nettle_hash_digest_func *)sha512_digest; |
785 | 0 | ctx->ctx_ptr = &ctx->ctx.sha512; |
786 | 0 | ctx->length = SHA512_DIGEST_SIZE; |
787 | 0 | break; |
788 | 0 | #ifdef NETTLE_SHA3_FIPS202 |
789 | 0 | case GNUTLS_DIG_SHA3_224: |
790 | 0 | ctx->init = (nettle_hash_init_func *)sha3_224_init; |
791 | 0 | ctx->update = (nettle_hash_update_func *)sha3_224_update; |
792 | 0 | ctx->digest = (nettle_hash_digest_func *)sha3_224_digest; |
793 | 0 | ctx->ctx_ptr = &ctx->ctx.sha3_224; |
794 | 0 | ctx->length = SHA3_224_DIGEST_SIZE; |
795 | 0 | break; |
796 | 0 | case GNUTLS_DIG_SHA3_256: |
797 | 0 | ctx->init = (nettle_hash_init_func *)sha3_256_init; |
798 | 0 | ctx->update = (nettle_hash_update_func *)sha3_256_update; |
799 | 0 | ctx->digest = (nettle_hash_digest_func *)sha3_256_digest; |
800 | 0 | ctx->ctx_ptr = &ctx->ctx.sha3_256; |
801 | 0 | ctx->length = SHA3_256_DIGEST_SIZE; |
802 | 0 | break; |
803 | 0 | case GNUTLS_DIG_SHA3_384: |
804 | 0 | ctx->init = (nettle_hash_init_func *)sha3_384_init; |
805 | 0 | ctx->update = (nettle_hash_update_func *)sha3_384_update; |
806 | 0 | ctx->digest = (nettle_hash_digest_func *)sha3_384_digest; |
807 | 0 | ctx->ctx_ptr = &ctx->ctx.sha3_384; |
808 | 0 | ctx->length = SHA3_384_DIGEST_SIZE; |
809 | 0 | break; |
810 | 0 | case GNUTLS_DIG_SHA3_512: |
811 | 0 | ctx->init = (nettle_hash_init_func *)sha3_512_init; |
812 | 0 | ctx->update = (nettle_hash_update_func *)sha3_512_update; |
813 | 0 | ctx->digest = (nettle_hash_digest_func *)sha3_512_digest; |
814 | 0 | ctx->ctx_ptr = &ctx->ctx.sha3_512; |
815 | 0 | ctx->length = SHA3_512_DIGEST_SIZE; |
816 | 0 | break; |
817 | 0 | case GNUTLS_DIG_SHAKE_128: |
818 | 0 | ctx->init = (nettle_hash_init_func *)sha3_128_init; |
819 | 0 | ctx->update = (nettle_hash_update_func *)sha3_128_update; |
820 | 0 | ctx->digest = NULL; /* unused */ |
821 | 0 | ctx->output = (nettle_output_func *)sha3_128_shake_output; |
822 | 0 | ctx->finished = _wrap_sha3_128_shake_finished; |
823 | 0 | ctx->ctx_ptr = &ctx->ctx.sha3_128; |
824 | 0 | ctx->length = 0; /* unused */ |
825 | 0 | break; |
826 | 0 | case GNUTLS_DIG_SHAKE_256: |
827 | 0 | ctx->init = (nettle_hash_init_func *)sha3_256_init; |
828 | 0 | ctx->update = (nettle_hash_update_func *)sha3_256_update; |
829 | 0 | ctx->digest = NULL; /* unused */ |
830 | 0 | ctx->output = (nettle_output_func *)sha3_256_shake_output; |
831 | 0 | ctx->finished = _wrap_sha3_256_shake_finished; |
832 | 0 | ctx->ctx_ptr = &ctx->ctx.sha3_256; |
833 | 0 | ctx->length = 0; /* unused */ |
834 | 0 | break; |
835 | 0 | #endif |
836 | 0 | case GNUTLS_DIG_MD2: |
837 | 0 | ctx->init = (nettle_hash_init_func *)md2_init; |
838 | 0 | ctx->update = (nettle_hash_update_func *)md2_update; |
839 | 0 | ctx->digest = (nettle_hash_digest_func *)md2_digest; |
840 | 0 | ctx->ctx_ptr = &ctx->ctx.md2; |
841 | 0 | ctx->length = MD2_DIGEST_SIZE; |
842 | 0 | break; |
843 | | |
844 | 0 | case GNUTLS_DIG_RMD160: |
845 | 0 | ctx->init = (nettle_hash_init_func *)ripemd160_init; |
846 | 0 | ctx->update = (nettle_hash_update_func *)ripemd160_update; |
847 | 0 | ctx->digest = (nettle_hash_digest_func *)ripemd160_digest; |
848 | 0 | ctx->ctx_ptr = &ctx->ctx.ripemd160; |
849 | 0 | ctx->length = RIPEMD160_DIGEST_SIZE; |
850 | 0 | break; |
851 | 0 | #if ENABLE_GOST |
852 | 0 | case GNUTLS_DIG_GOSTR_94: |
853 | 0 | ctx->init = (nettle_hash_init_func *)gosthash94cp_init; |
854 | 0 | ctx->update = (nettle_hash_update_func *)gosthash94cp_update; |
855 | 0 | ctx->digest = (nettle_hash_digest_func *)gosthash94cp_digest; |
856 | 0 | ctx->ctx_ptr = &ctx->ctx.gosthash94cp; |
857 | 0 | ctx->length = GOSTHASH94_DIGEST_SIZE; |
858 | 0 | break; |
859 | 0 | case GNUTLS_DIG_STREEBOG_256: |
860 | 0 | ctx->init = (nettle_hash_init_func *)streebog256_init; |
861 | 0 | ctx->update = (nettle_hash_update_func *)streebog256_update; |
862 | 0 | ctx->digest = (nettle_hash_digest_func *)streebog256_digest; |
863 | 0 | ctx->ctx_ptr = &ctx->ctx.streebog256; |
864 | 0 | ctx->length = STREEBOG256_DIGEST_SIZE; |
865 | 0 | break; |
866 | 0 | case GNUTLS_DIG_STREEBOG_512: |
867 | 0 | ctx->init = (nettle_hash_init_func *)streebog512_init; |
868 | 0 | ctx->update = (nettle_hash_update_func *)streebog512_update; |
869 | 0 | ctx->digest = (nettle_hash_digest_func *)streebog512_digest; |
870 | 0 | ctx->ctx_ptr = &ctx->ctx.streebog512; |
871 | 0 | ctx->length = STREEBOG512_DIGEST_SIZE; |
872 | 0 | break; |
873 | 0 | #endif |
874 | 0 | default: |
875 | 0 | gnutls_assert(); |
876 | 0 | return GNUTLS_E_INVALID_REQUEST; |
877 | 0 | } |
878 | 0 | ctx->init(ctx->ctx_ptr); |
879 | 0 | return 0; |
880 | 0 | } |
881 | | |
882 | | static int wrap_nettle_hash_fast(gnutls_digest_algorithm_t algo, |
883 | | const void *text, size_t text_size, |
884 | | void *digest) |
885 | 0 | { |
886 | 0 | struct nettle_hash_ctx ctx; |
887 | 0 | int ret; |
888 | |
|
889 | 0 | ret = _ctx_init(algo, &ctx); |
890 | 0 | if (ret < 0) |
891 | 0 | return gnutls_assert_val(ret); |
892 | | |
893 | 0 | if (text_size > 0) { |
894 | 0 | ctx.update(&ctx, text_size, text); |
895 | 0 | } |
896 | 0 | if (!ctx.digest) |
897 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
898 | | #if NETTLE_VERSION_MAJOR >= 4 |
899 | | ctx.digest(&ctx, digest); |
900 | | #else |
901 | 0 | ctx.digest(&ctx, ctx.length, digest); |
902 | 0 | #endif |
903 | 0 | zeroize_key(&ctx, sizeof(ctx)); |
904 | |
|
905 | 0 | return 0; |
906 | 0 | } |
907 | | |
908 | | static int wrap_nettle_hash_init(gnutls_digest_algorithm_t algo, void **_ctx) |
909 | 0 | { |
910 | 0 | struct nettle_hash_ctx *ctx; |
911 | 0 | int ret; |
912 | |
|
913 | 0 | ctx = gnutls_malloc(sizeof(struct nettle_hash_ctx)); |
914 | 0 | if (ctx == NULL) { |
915 | 0 | gnutls_assert(); |
916 | 0 | return GNUTLS_E_MEMORY_ERROR; |
917 | 0 | } |
918 | | |
919 | 0 | ctx->algo = algo; |
920 | |
|
921 | 0 | if ((ret = _ctx_init(algo, ctx)) < 0) { |
922 | 0 | gnutls_assert(); |
923 | 0 | gnutls_free(ctx); |
924 | 0 | return ret; |
925 | 0 | } |
926 | | |
927 | 0 | *_ctx = ctx; |
928 | |
|
929 | 0 | return 0; |
930 | 0 | } |
931 | | |
932 | | static void *wrap_nettle_hash_copy(const void *_ctx) |
933 | 0 | { |
934 | 0 | const struct nettle_hash_ctx *ctx = _ctx; |
935 | 0 | struct nettle_hash_ctx *new_ctx; |
936 | 0 | ptrdiff_t off = (uint8_t *)ctx->ctx_ptr - (uint8_t *)(&ctx->ctx); |
937 | |
|
938 | 0 | new_ctx = gnutls_calloc(1, sizeof(struct nettle_hash_ctx)); |
939 | 0 | if (new_ctx == NULL) |
940 | 0 | return NULL; |
941 | | |
942 | 0 | memcpy(new_ctx, ctx, sizeof(*ctx)); |
943 | 0 | new_ctx->ctx_ptr = (uint8_t *)&new_ctx->ctx + off; |
944 | |
|
945 | 0 | return new_ctx; |
946 | 0 | } |
947 | | |
948 | | static int wrap_nettle_hash_output(void *src_ctx, void *digest, |
949 | | size_t digestsize) |
950 | 0 | { |
951 | 0 | struct nettle_hash_ctx *ctx; |
952 | 0 | ctx = src_ctx; |
953 | |
|
954 | 0 | if (digest == NULL) { |
955 | 0 | ctx->init(ctx->ctx_ptr); |
956 | 0 | return 0; |
957 | 0 | } |
958 | | |
959 | 0 | if (ctx->output) { |
960 | 0 | ctx->output(ctx->ctx_ptr, digestsize, digest); |
961 | 0 | return 0; |
962 | 0 | } |
963 | | |
964 | 0 | if (ctx->length > 0 && digestsize < ctx->length) { |
965 | 0 | gnutls_assert(); |
966 | 0 | return GNUTLS_E_SHORT_MEMORY_BUFFER; |
967 | 0 | } |
968 | | |
969 | | #if NETTLE_VERSION_MAJOR >= 4 |
970 | | if (digestsize != ctx->length) { |
971 | | gnutls_assert(); |
972 | | return GNUTLS_E_INVALID_REQUEST; |
973 | | } |
974 | | ctx->digest(ctx->ctx_ptr, digest); |
975 | | #else |
976 | 0 | ctx->digest(ctx->ctx_ptr, digestsize, digest); |
977 | 0 | #endif |
978 | |
|
979 | 0 | return 0; |
980 | 0 | } |
981 | | |
982 | | /* KDF functions based on MAC |
983 | | */ |
984 | | static int wrap_nettle_hkdf_extract(gnutls_mac_algorithm_t mac, const void *key, |
985 | | size_t keysize, const void *salt, |
986 | | size_t saltsize, void *output) |
987 | 0 | { |
988 | 0 | struct nettle_mac_ctx ctx; |
989 | 0 | int ret; |
990 | |
|
991 | 0 | ret = _mac_ctx_init(mac, &ctx); |
992 | 0 | if (ret < 0) |
993 | 0 | return gnutls_assert_val(ret); |
994 | | |
995 | 0 | ctx.set_key(&ctx, saltsize, salt); |
996 | | #if NETTLE_VERSION_MAJOR >= 4 |
997 | | hkdf_extract(&ctx.ctx, ctx.update, ctx.digest, keysize, key, output); |
998 | | #else |
999 | 0 | hkdf_extract(&ctx.ctx, ctx.update, ctx.digest, ctx.length, keysize, key, |
1000 | 0 | output); |
1001 | 0 | #endif |
1002 | |
|
1003 | 0 | zeroize_key(&ctx, sizeof(ctx)); |
1004 | 0 | return 0; |
1005 | 0 | } |
1006 | | |
1007 | | static int wrap_nettle_hkdf_expand(gnutls_mac_algorithm_t mac, const void *key, |
1008 | | size_t keysize, const void *info, |
1009 | | size_t infosize, void *output, size_t length) |
1010 | 0 | { |
1011 | 0 | struct nettle_mac_ctx ctx; |
1012 | 0 | int ret; |
1013 | |
|
1014 | 0 | ret = _mac_ctx_init(mac, &ctx); |
1015 | 0 | if (ret < 0) |
1016 | 0 | return gnutls_assert_val(ret); |
1017 | | |
1018 | | /* RFC 5869 2.3: L must be <= 255 * HashLen */ |
1019 | 0 | if (length > ctx.length * 255) { |
1020 | 0 | return gnutls_assert_val(GNUTLS_E_INVALID_REQUEST); |
1021 | 0 | } |
1022 | | |
1023 | 0 | ctx.set_key(&ctx, keysize, key); |
1024 | 0 | hkdf_expand(&ctx.ctx, ctx.update, ctx.digest, ctx.length, infosize, |
1025 | 0 | info, length, output); |
1026 | 0 | zeroize_key(&ctx, sizeof(ctx)); |
1027 | |
|
1028 | 0 | return 0; |
1029 | 0 | } |
1030 | | |
1031 | | static int wrap_nettle_pbkdf2(gnutls_mac_algorithm_t mac, const void *key, |
1032 | | size_t keysize, const void *salt, size_t saltsize, |
1033 | | unsigned iter_count, void *output, size_t length) |
1034 | 0 | { |
1035 | 0 | struct nettle_mac_ctx ctx; |
1036 | 0 | int ret; |
1037 | |
|
1038 | 0 | ret = _mac_ctx_init(mac, &ctx); |
1039 | 0 | if (ret < 0) |
1040 | 0 | return gnutls_assert_val(ret); |
1041 | | |
1042 | 0 | ctx.set_key(&ctx, keysize, key); |
1043 | 0 | pbkdf2(&ctx.ctx, ctx.update, ctx.digest, ctx.length, iter_count, |
1044 | 0 | saltsize, salt, length, output); |
1045 | 0 | zeroize_key(&ctx, sizeof(ctx)); |
1046 | |
|
1047 | 0 | return 0; |
1048 | 0 | } |
1049 | | |
1050 | | gnutls_crypto_mac_st _gnutls_mac_ops = { |
1051 | | .init = wrap_nettle_mac_init, |
1052 | | .setkey = wrap_nettle_mac_set_key, |
1053 | | .setnonce = wrap_nettle_mac_set_nonce, |
1054 | | .hash = wrap_nettle_mac_update, |
1055 | | .output = wrap_nettle_mac_output, |
1056 | | .deinit = wrap_nettle_mac_deinit, |
1057 | | .fast = wrap_nettle_mac_fast, |
1058 | | .exists = wrap_nettle_mac_exists, |
1059 | | .copy = wrap_nettle_mac_copy, |
1060 | | }; |
1061 | | |
1062 | | gnutls_crypto_digest_st _gnutls_digest_ops = { |
1063 | | .init = wrap_nettle_hash_init, |
1064 | | .hash = wrap_nettle_hash_update, |
1065 | | .output = wrap_nettle_hash_output, |
1066 | | .deinit = wrap_nettle_hash_deinit, |
1067 | | .fast = wrap_nettle_hash_fast, |
1068 | | .exists = wrap_nettle_hash_exists, |
1069 | | .copy = wrap_nettle_hash_copy, |
1070 | | }; |
1071 | | |
1072 | | /* These names are clashing with nettle's name mangling. */ |
1073 | | #undef hkdf_extract |
1074 | | #undef hkdf_expand |
1075 | | #undef pbkdf2 |
1076 | | gnutls_crypto_kdf_st _gnutls_kdf_ops = { |
1077 | | .hkdf_extract = wrap_nettle_hkdf_extract, |
1078 | | .hkdf_expand = wrap_nettle_hkdf_expand, |
1079 | | .pbkdf2 = wrap_nettle_pbkdf2, |
1080 | | }; |