提交 2022cfe0 编写于 作者: D Dr. Stephen Henson

New -mac and -macopt options to dgst utility. Reimplement -hmac option in

terms of new API.
上级 47b71e6e
......@@ -7,7 +7,8 @@
*) Experimental support for use of HMAC via EVP_PKEY interface. This
allows HMAC to be handled via the EVP_DigestSign*() interface. The
EVP_PKEY "key" in this case is the HMAC key, potentially allowing
ENGINE support for HMAC keys which are unextractable.
ENGINE support for HMAC keys which are unextractable. New -mac and
-macopt options to dgst utility.
[Steve Henson]
*) New option -sigopt to dgst utility. Update dgst to use
......
......@@ -294,6 +294,8 @@ int args_verify(char ***pargs, int *pargc,
void policies_print(BIO *out, X509_STORE_CTX *ctx);
int bio_to_mem(unsigned char **out, int maxlen, BIO *in);
int pkey_ctrl_string(EVP_PKEY_CTX *ctx, char *value);
int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
const char *algname, ENGINE *e, int do_param);
#define FORMAT_UNDEF 0
#define FORMAT_ASN1 1
......
......@@ -76,7 +76,7 @@
int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title,
const char *file,BIO *bmd,const char *hmac_key);
const char *file,BIO *bmd);
int MAIN(int, char **);
......@@ -106,7 +106,8 @@ int MAIN(int argc, char **argv)
char *engine=NULL;
#endif
char *hmac_key=NULL;
STACK *sigopts = NULL;
char *mac_name=NULL;
STACK *sigopts = NULL, *macopts = NULL;
apps_startup();
......@@ -198,6 +199,12 @@ int MAIN(int argc, char **argv)
break;
hmac_key=*++argv;
}
else if (!strcmp(*argv,"-mac"))
{
if (--argc < 1)
break;
mac_name=*++argv;
}
else if (strcmp(*argv,"-sigopt") == 0)
{
if (--argc < 1)
......@@ -207,6 +214,15 @@ int MAIN(int argc, char **argv)
if (!sigopts || !sk_push(sigopts, *(++argv)))
break;
}
else if (strcmp(*argv,"-macopt") == 0)
{
if (--argc < 1)
break;
if (!macopts)
macopts = sk_new_null();
if (!macopts || !sk_push(macopts, *(++argv)))
break;
}
else if ((m=EVP_get_digestbyname(&((*argv)[1]))) != NULL)
md=m;
else
......@@ -326,6 +342,11 @@ int MAIN(int argc, char **argv)
ERR_print_errors(bio_err);
goto end;
}
if ((!!mac_name + !!keyfile + !!hmac_key) > 1)
{
BIO_printf(bio_err, "MAC and Signing key cannot both be specified\n");
goto end;
}
if(keyfile)
{
......@@ -343,6 +364,50 @@ int MAIN(int argc, char **argv)
}
}
if (mac_name)
{
EVP_PKEY_CTX *mac_ctx = NULL;
int r = 0;
if (!init_gen_str(bio_err, &mac_ctx, mac_name,e, 0))
goto mac_end;
if (macopts)
{
char *macopt;
for (i = 0; i < sk_num(macopts); i++)
{
macopt = sk_value(macopts, i);
if (pkey_ctrl_string(mac_ctx, macopt) <= 0)
{
BIO_printf(bio_err,
"MAC parameter error \"%s\"\n",
macopt);
ERR_print_errors(bio_err);
goto mac_end;
}
}
}
if (EVP_PKEY_keygen(mac_ctx, &sigkey) <= 0)
{
BIO_puts(bio_err, "Error generating key\n");
ERR_print_errors(bio_err);
goto mac_end;
}
r = 1;
mac_end:
if (mac_ctx)
EVP_PKEY_CTX_free(mac_ctx);
if (r == 0)
goto end;
}
if (hmac_key)
{
sigkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, e,
(unsigned char *)hmac_key, -1);
if (!sigkey)
goto end;
}
if (sigkey)
{
EVP_MD_CTX *mctx = NULL;
......@@ -410,7 +475,7 @@ int MAIN(int argc, char **argv)
{
BIO_set_fp(in,stdin,BIO_NOCLOSE);
err=do_fp(out, buf,inp,separator, out_bin, sigkey, sigbuf,
siglen,"","(stdin)",bmd,hmac_key);
siglen,"","(stdin)",bmd);
}
else
{
......@@ -436,7 +501,7 @@ int MAIN(int argc, char **argv)
else
tmp="";
r=do_fp(out,buf,inp,separator,out_bin,sigkey,sigbuf,
siglen,tmp,argv[i],bmd,hmac_key);
siglen,tmp,argv[i],bmd);
if(r)
err=r;
if(tofree)
......@@ -457,6 +522,8 @@ end:
EVP_PKEY_free(sigkey);
if (sigopts)
sk_free(sigopts);
if (macopts)
sk_free(macopts);
if(sigbuf) OPENSSL_free(sigbuf);
if (bmd != NULL) BIO_free(bmd);
apps_shutdown();
......@@ -465,23 +532,11 @@ end:
int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
EVP_PKEY *key, unsigned char *sigin, int siglen, const char *title,
const char *file,BIO *bmd,const char *hmac_key)
const char *file,BIO *bmd)
{
unsigned int len;
int i;
EVP_MD_CTX *md_ctx;
HMAC_CTX hmac_ctx;
if (hmac_key)
{
EVP_MD *md;
BIO_get_md(bmd,&md);
HMAC_CTX_init(&hmac_ctx);
HMAC_Init_ex(&hmac_ctx,hmac_key,strlen(hmac_key),md, NULL);
BIO_get_md_ctx(bmd,&md_ctx);
BIO_set_md_ctx(bmd,&hmac_ctx.md_ctx);
}
for (;;)
{
i=BIO_read(bp,(char *)buf,BUFSIZE);
......@@ -524,11 +579,6 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
return 1;
}
}
else if(hmac_key)
{
HMAC_Final(&hmac_ctx,buf,&len);
HMAC_CTX_cleanup(&hmac_ctx);
}
else
len=BIO_gets(bp,(char *)buf,BUFSIZE);
......@@ -544,10 +594,6 @@ int do_fp(BIO *out, unsigned char *buf, BIO *bp, int sep, int binout,
}
BIO_printf(out, "\n");
}
if (hmac_key)
{
BIO_set_md_ctx(bmd,md_ctx);
}
return 0;
}
......@@ -67,8 +67,6 @@
static int init_keygen_file(BIO *err, EVP_PKEY_CTX **pctx,
const char *file, ENGINE *e);
static int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
const char *algname, ENGINE *e, int do_param);
static int genpkey_cb(EVP_PKEY_CTX *ctx);
#define PROG genpkey_main
......@@ -362,8 +360,8 @@ static int init_keygen_file(BIO *err, EVP_PKEY_CTX **pctx,
}
static int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
const char *algname, ENGINE *e, int do_param)
int init_gen_str(BIO *err, EVP_PKEY_CTX **pctx,
const char *algname, ENGINE *e, int do_param)
{
EVP_PKEY_CTX *ctx = NULL;
const EVP_PKEY_ASN1_METHOD *ameth;
......
......@@ -1027,6 +1027,9 @@ int EVP_PKEY_CTX_ctrl_str(EVP_PKEY_CTX *ctx, const char *type,
int EVP_PKEY_CTX_get_operation(EVP_PKEY_CTX *ctx);
void EVP_PKEY_CTX_set0_keygen_info(EVP_PKEY_CTX *ctx, int *dat, int datlen);
EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *e,
unsigned char *key, int keylen);
void EVP_PKEY_CTX_set_data(EVP_PKEY_CTX *ctx, void *data);
void *EVP_PKEY_CTX_get_data(EVP_PKEY_CTX *ctx);
EVP_PKEY *EVP_PKEY_CTX_get0_pkey(EVP_PKEY_CTX *ctx);
......
......@@ -196,3 +196,24 @@ int EVP_PKEY_CTX_get_keygen_info(EVP_PKEY_CTX *ctx, int idx)
return 0;
return ctx->keygen_info[idx];
}
EVP_PKEY *EVP_PKEY_new_mac_key(int type, ENGINE *e,
unsigned char *key, int keylen)
{
EVP_PKEY_CTX *mac_ctx = NULL;
EVP_PKEY *mac_key = NULL;
mac_ctx = EVP_PKEY_CTX_new_id(type, e);
if (!mac_ctx)
return NULL;
if (EVP_PKEY_keygen_init(mac_ctx) <= 0)
goto merr;
if (EVP_PKEY_CTX_ctrl(mac_ctx, -1, EVP_PKEY_OP_KEYGEN,
EVP_PKEY_CTRL_SET_MAC_KEY, keylen, key) <= 0)
goto merr;
if (EVP_PKEY_keygen(mac_ctx, &mac_key) <= 0)
goto merr;
merr:
if (mac_ctx)
EVP_PKEY_CTX_free(mac_ctx);
return mac_key;
}
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册