projects / tinc / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Add support for OpenSSL 3.0+
[tinc] / src / openssl / digest.c
diff --git a/src/openssl/digest.c b/src/openssl/digest.c
index 71eaec7..6e27b15 100644 (file)
--- a/src/openssl/digest.c
+++ b/src/openssl/digest.c
@@ -22,9 +22,14 @@
 #include <openssl/err.h>
 #include <openssl/hmac.h>
 
+#if OPENSSL_VERSION_MAJOR >= 3
+#include <openssl/core_names.h>
+#endif
+
 #include "digest.h"
 #include "../digest.h"
 #include "../logger.h"
+#include "log.h"
 
 static void digest_open(digest_t *digest, const EVP_MD *evp_md, size_t maclength) {
        digest->digest = evp_md;
@@ -63,13 +68,51 @@ bool digest_open_by_nid(digest_t *digest, int nid, size_t maclength) {
 }
 
 bool digest_set_key(digest_t *digest, const void *key, size_t len) {
+#if OPENSSL_VERSION_MAJOR < 3
        digest->hmac_ctx = HMAC_CTX_new();
-       HMAC_Init_ex(digest->hmac_ctx, key, (int)len, digest->digest, NULL);
 
        if(!digest->hmac_ctx) {
                abort();
        }
 
+       HMAC_Init_ex(digest->hmac_ctx, key, (int)len, digest->digest, NULL);
+#else
+       EVP_MAC *mac = EVP_MAC_fetch(NULL, OSSL_MAC_NAME_HMAC, NULL);
+
+       if(!mac) {
+               openssl_err("fetch MAC");
+               return false;
+       }
+
+       digest->hmac_ctx = EVP_MAC_CTX_new(mac);
+       EVP_MAC_free(mac);
+
+       if(!digest->hmac_ctx) {
+               openssl_err("create MAC context");
+               return false;
+       }
+
+       const char *hmac_algo = EVP_MD_get0_name(digest->digest);
+
+       if(!hmac_algo) {
+               openssl_err("get HMAC algorithm name");
+               return false;
+       }
+
+       // The casts are okay, the parameters are not going to change. For example, see:
+       // https://github.com/openssl/openssl/blob/31b7f23d2f958491d46c8a8e61c2b77b1b546f3e/crypto/ec/ecdh_kdf.c#L37-L38
+       const OSSL_PARAM params[] = {
+               OSSL_PARAM_octet_string(OSSL_MAC_PARAM_KEY, (void *)key, len),
+               OSSL_PARAM_utf8_string(OSSL_MAC_PARAM_DIGEST, (void *)hmac_algo, 0),
+               OSSL_PARAM_END,
+       };
+
+       if(!EVP_MAC_init(digest->hmac_ctx, NULL, 0, params)) {
+               openssl_err("set MAC context params");
+               return false;
+       }
+
+#endif
        return true;
 }
 
@@ -83,7 +126,11 @@ void digest_close(digest_t *digest) {
        }
 
        if(digest->hmac_ctx) {
+#if OPENSSL_VERSION_MAJOR < 3
                HMAC_CTX_free(digest->hmac_ctx);
+#else
+               EVP_MAC_CTX_free(digest->hmac_ctx);
+#endif
        }
 
        memset(digest, 0, sizeof(*digest));
@@ -94,10 +141,24 @@ bool digest_create(digest_t *digest, const void *indata, size_t inlen, void *out
        unsigned char tmpdata[len];
 
        if(digest->hmac_ctx) {
-               if(!HMAC_Init_ex(digest->hmac_ctx, NULL, 0, NULL, NULL)
-                               || !HMAC_Update(digest->hmac_ctx, indata, inlen)
-                               || !HMAC_Final(digest->hmac_ctx, tmpdata, NULL)) {
-                       logger(DEBUG_ALWAYS, LOG_DEBUG, "Error creating digest: %s", ERR_error_string(ERR_get_error(), NULL));
+               bool ok;
+
+#if OPENSSL_VERSION_MAJOR < 3
+               ok = HMAC_Init_ex(digest->hmac_ctx, NULL, 0, NULL, NULL)
+                    && HMAC_Update(digest->hmac_ctx, indata, inlen)
+                    && HMAC_Final(digest->hmac_ctx, tmpdata, NULL);
+#else
+               EVP_MAC_CTX *mac_ctx = EVP_MAC_CTX_dup(digest->hmac_ctx);
+
+               ok = mac_ctx
+                    && EVP_MAC_update(mac_ctx, indata, inlen)
+                    && EVP_MAC_final(mac_ctx, tmpdata, NULL, sizeof(tmpdata));
+
+               EVP_MAC_CTX_free(mac_ctx);
+#endif
+
+               if(!ok) {
+                       openssl_err("create HMAC");
                        return false;
                }
        } else {
@@ -112,7 +173,7 @@ bool digest_create(digest_t *digest, const void *indata, size_t inlen, void *out
                if(!EVP_DigestInit(digest->md_ctx, digest->digest)
                                || !EVP_DigestUpdate(digest->md_ctx, indata, inlen)
                                || !EVP_DigestFinal(digest->md_ctx, tmpdata, NULL)) {
-                       logger(DEBUG_ALWAYS, LOG_DEBUG, "Error creating digest: %s", ERR_error_string(ERR_get_error(), NULL));
+                       openssl_err("create digest");
                        return false;
                }
        }
tinc, the VPN daemon