krb5: Use EVP HMAC() function for HMAC-SHA1

Use the EVP HMAC() function that we use for SHA2 HMACs for SHA1 as well.
2018-05-14 14:16:31 +01:00
parent 9a66752926
commit c2271cfbfb
2 changed files with 30 additions and 11 deletions
--- a/lib/krb5/crypto.c
+++ b/lib/krb5/crypto.c
@@ -315,18 +315,17 @@ _krb5_SP_HMAC_SHA1_checksum(krb5_context context,
 			    int niov,
 			    Checksum *result)
 {
-    struct _krb5_checksum_type *c = _krb5_find_checksum(CKSUMTYPE_SHA1);
-    Checksum res;
-    char sha1_data[20];
    krb5_error_code ret;
+    unsigned char hmac[EVP_MAX_MD_SIZE];
+    unsigned int hmaclen = sizeof(hmac);

-    res.checksum.data = sha1_data;
-    res.checksum.length = sizeof(sha1_data);
+    ret = _krb5_evp_hmac_iov(context, key, iov, niov, hmac, &hmaclen,
+                             EVP_sha1(), NULL);
+
+    heim_assert(result->checksum.length <= hmaclen,
+                "SHA1 checksum too short");
+    memcpy(result->checksum.data, hmac, result->checksum.length);

-    ret = _krb5_internal_hmac_iov(context, c, usage, iov, niov, key, &res);
-    if (ret)
-	krb5_abortx(context, "hmac failed");
-    memcpy(result->checksum.data, res.checksum.data, result->checksum.length);
    return 0;
 }

--- a/lib/krb5/test_rfc3961.c
+++ b/lib/krb5/test_rfc3961.c
@@ -376,10 +376,12 @@ test_rfc2202(krb5_context context)

    num_tests = sizeof(rfc2202_vectors) / sizeof(struct rfc2202);

-    printf("Running %d RFC2202 HMAC-MD5 tests\n", num_tests);
+    printf("Running %d RFC2202 HMAC-SHA1 tests\n", num_tests);
    for (i = 0; i < num_tests; i++) {
 	krb5_keyblock keyblock;
 	Checksum result;
+	struct krb5_crypto_iov iov;
+	struct _krb5_key_data kd;
 	char sha1_data[20];
 	int code;

@@ -402,7 +404,25 @@ test_rfc2202(krb5_context context)
 	if (memcmp(&sha1_data, rfc2202_vectors[i].digest, sizeof(sha1_data)) !=0)
 	    errx(1, "Digests don't match on test %d", i);

-	printf("Test %d okay\n", i + 1);
+	printf("Test %d okay\n", (i * 2) + 1);
+
+	/* Now check the same using the internal HMAC function */
+
+	iov.data.data = rfc2202_vectors[i].data;
+	iov.data.length = rfc2202_vectors[i].datalen;
+	iov.flags = KRB5_CRYPTO_TYPE_DATA;
+	kd.key = &keyblock;
+	kd.schedule = NULL;
+	code = _krb5_SP_HMAC_SHA1_checksum(context, &kd, 0,
+					   &iov, 1, &result);
+
+	if (code != 0)
+	    errx(1, "HMAC-SHA1 failed with %d on test %d", code, i + 1);
+
+	if (memcmp(&sha1_data, rfc2202_vectors[i].digest, sizeof(sha1_data)) !=0)
+	    errx(1, "Digests don't match on test %d", i);
+
+	printf("Test %d okay\n", (i * 2) + 2);
    }
 }