From f79ec42ad312809b8fc21929f7630fa79481aff3 Mon Sep 17 00:00:00 2001 From: Nathan Moinvaziri Date: Wed, 31 Oct 2018 18:25:53 -0700 Subject: [PATCH] Fixed hmac implementation in brg library. #334 Moved brg setup in cmake. --- CMakeLists.txt | 54 ++++++++++++---------- mz_compat.h | 7 ++- mz_crypt.h | 3 +- mz_crypt_brg.c | 20 ++------ mz_crypt_openssl.c | 36 ++++++--------- mz_crypt_win32.c | 112 ++++++++++++++++++--------------------------- mz_strm_wzaes.c | 11 ++--- test/test.c | 6 +-- 8 files changed, 103 insertions(+), 146 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 02636f7..22d1df2 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -180,9 +180,7 @@ if(UNIX) list(APPEND MINIZIP_SRC "mz_os_posix.c" "mz_strm_os_posix.c") if ((USE_PKCRYPT OR USE_AES) AND (NOT USE_OPENSSL AND NOT OPENSSL_FOUND)) - list(APPEND MINIZIP_SRC "mz_crypt_brg.c") - - add_definitions(-DMZ_ZIP_NO_SIGNING) + set(USE_BRG TRUE) # Check to see which random generation functions we have check_symbol_exists("getrandom" "sys/random.h" HAVE_GETRANDOM) @@ -213,28 +211,6 @@ if(UNIX) endif() endif() endif() - - set(BRG_SRC - lib/brg/aescrypt.c - lib/brg/aeskey.c - lib/brg/aestab.c - lib/brg/hmac.c - lib/brg/sha1.c - lib/brg/sha2.c) - - set(BRG_PUBLIC_HEADERS - lib/brg/aes.h - lib/brg/aesopt.h - lib/brg/aestab.h - lib/brg/brg_endian.h - lib/brg/brg_types.h - lib/brg/hmac.h - lib/brg/sha1.h) - - include_directories(lib/brg) - - source_group("BRG" FILES ${BRG_SRC} ${BRG_PUBLIC_HEADERS}) - endif() # Setup and use large file macros if necessary @@ -286,6 +262,34 @@ if(USE_AES) list(APPEND MINIZIP_PUBLIC_HEADERS "mz_strm_wzaes.h") endif() +# Include BRG +if(USE_BRG) + list(APPEND MINIZIP_SRC "mz_crypt_brg.c") + + add_definitions(-DMZ_ZIP_NO_SIGNING) + + set(BRG_SRC + lib/brg/aescrypt.c + lib/brg/aeskey.c + lib/brg/aestab.c + lib/brg/hmac.c + lib/brg/sha1.c + lib/brg/sha2.c) + + set(BRG_PUBLIC_HEADERS + lib/brg/aes.h + lib/brg/aesopt.h + lib/brg/aestab.h + lib/brg/brg_endian.h + lib/brg/brg_types.h + lib/brg/hmac.h + lib/brg/sha1.h) + + include_directories(lib/brg) + + source_group("BRG" FILES ${BRG_SRC} ${BRG_PUBLIC_HEADERS}) +endif() + # Include OpenSSL if(USE_OPENSSL AND OPENSSL_FOUND) list(APPEND MINIZIP_SRC "mz_crypt_openssl.c") diff --git a/mz_compat.h b/mz_compat.h index e270efd..5616625 100644 --- a/mz_compat.h +++ b/mz_compat.h @@ -25,14 +25,17 @@ extern "C" { #ifndef DEF_MEM_LEVEL # if MAX_MEM_LEVEL >= 8 # define DEF_MEM_LEVEL 8 -# else +# elif defined(MAX_MEM_LEVEL) # define DEF_MEM_LEVEL MAX_MEM_LEVEL # endif #endif -#else +#ifndef MAX_WBITS #define MAX_WBITS (15) +#endif +#ifndef DEF_MEM_LEVEL #define DEF_MEM_LEVEL (8) #endif +#endif #ifndef ZEXPORT # define ZEXPORT diff --git a/mz_crypt.h b/mz_crypt.h index b858ce6..e3cfe1f 100644 --- a/mz_crypt.h +++ b/mz_crypt.h @@ -40,11 +40,10 @@ void* mz_crypt_aes_create(void **handle); void mz_crypt_aes_delete(void **handle); void mz_crypt_hmac_reset(void *handle); -int32_t mz_crypt_hmac_begin(void *handle); +int32_t mz_crypt_hmac_init(void *handle, const void *key, int32_t key_length); int32_t mz_crypt_hmac_update(void *handle, const void *buf, int32_t size); int32_t mz_crypt_hmac_end(void *handle, uint8_t *digest, int32_t digest_size); int32_t mz_crypt_hmac_copy(void *src_handle, void *target_handle); -int32_t mz_crypt_hmac_set_key(void *handle, const void *key, int32_t key_length); void mz_crypt_hmac_set_algorithm(void *handle, uint16_t algorithm); void* mz_crypt_hmac_create(void **handle); void mz_crypt_hmac_delete(void **handle); diff --git a/mz_crypt_brg.c b/mz_crypt_brg.c index c2893c3..5bc6f2d 100644 --- a/mz_crypt_brg.c +++ b/mz_crypt_brg.c @@ -321,17 +321,21 @@ void mz_crypt_hmac_reset(void *handle) hmac->error = 0; } -int32_t mz_crypt_hmac_begin(void *handle) +int32_t mz_crypt_hmac_init(void *handle, const void *key, int32_t key_length) { mz_crypt_hmac *hmac = (mz_crypt_hmac *)handle; if (hmac == NULL) return MZ_PARAM_ERROR; + mz_crypt_hmac_reset(handle); + if (hmac->algorithm == MZ_HASH_SHA1) hmac_sha_begin(HMAC_SHA1, &hmac->ctx); else hmac_sha_begin(HMAC_SHA256, &hmac->ctx); + + hmac_sha_key(key, key_length, &hmac->ctx); return MZ_OK; } @@ -370,20 +374,6 @@ int32_t mz_crypt_hmac_end(void *handle, uint8_t *digest, int32_t digest_size) return MZ_OK; } -int32_t mz_crypt_hmac_set_key(void *handle, const void *key, int32_t key_length) -{ - mz_crypt_hmac *hmac = (mz_crypt_hmac *)handle; - - if (hmac == NULL || key == NULL) - return MZ_PARAM_ERROR; - - mz_crypt_hmac_reset(handle); - - hmac_sha_key(key, key_length, &hmac->ctx); - - return MZ_OK; -} - void mz_crypt_hmac_set_algorithm(void *handle, uint16_t algorithm) { mz_crypt_hmac *hmac = (mz_crypt_hmac *)handle; diff --git a/mz_crypt_openssl.c b/mz_crypt_openssl.c index fcec577..cceba69 100644 --- a/mz_crypt_openssl.c +++ b/mz_crypt_openssl.c @@ -324,12 +324,23 @@ void mz_crypt_hmac_reset(void *handle) hmac->error = 0; } -int32_t mz_crypt_hmac_begin(void *handle) +int32_t mz_crypt_hmac_init(void *handle, const void *key, int32_t key_length) { mz_crypt_hmac *hmac = (mz_crypt_hmac *)handle; + const EVP_MD *evp_md = NULL; - if (hmac == NULL) + if (hmac == NULL || key == NULL) return MZ_PARAM_ERROR; + + mz_crypt_hmac_reset(handle); + + hmac->ctx = HMAC_CTX_new(); + if (hmac->algorithm == MZ_HASH_SHA1) + evp_md = EVP_sha1(); + else + evp_md = EVP_sha256(); + + HMAC_Init(hmac->ctx, key, key_length, evp_md); return MZ_OK; } @@ -377,27 +388,6 @@ int32_t mz_crypt_hmac_end(void *handle, uint8_t *digest, int32_t digest_size) return MZ_OK; } -int32_t mz_crypt_hmac_set_key(void *handle, const void *key, int32_t key_length) -{ - mz_crypt_hmac *hmac = (mz_crypt_hmac *)handle; - const EVP_MD *evp_md = NULL; - - if (hmac == NULL || key == NULL) - return MZ_PARAM_ERROR; - - mz_crypt_hmac_reset(handle); - - hmac->ctx = HMAC_CTX_new(); - if (hmac->algorithm == MZ_HASH_SHA1) - evp_md = EVP_sha1(); - else - evp_md = EVP_sha256(); - - HMAC_Init(hmac->ctx, key, key_length, evp_md); - - return MZ_OK; -} - void mz_crypt_hmac_set_algorithm(void *handle, uint16_t algorithm) { mz_crypt_hmac *hmac = (mz_crypt_hmac *)handle; diff --git a/mz_crypt_win32.c b/mz_crypt_win32.c index 9962442..3af04d3 100644 --- a/mz_crypt_win32.c +++ b/mz_crypt_win32.c @@ -383,73 +383,7 @@ void mz_crypt_hmac_reset(void *handle) mz_crypt_hmac_free(handle); } -int32_t mz_crypt_hmac_begin(void *handle) -{ - mz_crypt_hmac *hmac = (mz_crypt_hmac *)handle; - int32_t result = 0; - int32_t err = MZ_OK; - - if (hmac == NULL || hmac->provider == 0) - return MZ_PARAM_ERROR; - result = CryptCreateHash(hmac->provider, CALG_HMAC, hmac->key, 0, &hmac->hash); - if (!result) - { - hmac->error = GetLastError(); - err = MZ_HASH_ERROR; - } - if (result) - { - result = CryptSetHashParam(hmac->hash, HP_HMAC_INFO, (uint8_t *)&hmac->info, 0); - if (!result) - { - hmac->error = GetLastError(); - err = MZ_HASH_ERROR; - } - } - return err; -} - -int32_t mz_crypt_hmac_update(void *handle, const void *buf, int32_t size) -{ - mz_crypt_hmac *hmac = (mz_crypt_hmac *)handle; - int32_t result = 0; - - if (hmac == NULL || buf == NULL || hmac->hash == 0) - return MZ_PARAM_ERROR; - - result = CryptHashData(hmac->hash, buf, size, 0); - if (!result) - { - hmac->error = GetLastError(); - return MZ_HASH_ERROR; - } - return MZ_OK; -} - -int32_t mz_crypt_hmac_end(void *handle, uint8_t *digest, int32_t digest_size) -{ - mz_crypt_hmac *hmac = (mz_crypt_hmac *)handle; - int32_t result = 0; - int32_t expected_size = 0; - int32_t err = MZ_OK; - - if (hmac == NULL || digest == NULL || hmac->hash == 0) - return MZ_PARAM_ERROR; - result = CryptGetHashParam(hmac->hash, HP_HASHVAL, NULL, &expected_size, 0); - if (expected_size > digest_size) - return MZ_BUF_ERROR; - if (!result) - return MZ_HASH_ERROR; - result = CryptGetHashParam(hmac->hash, HP_HASHVAL, digest, &digest_size, 0); - if (!result) - { - hmac->error = GetLastError(); - return MZ_HASH_ERROR; - } - return MZ_OK; -} - -int32_t mz_crypt_hmac_set_key(void *handle, const void *key, int32_t key_length) +int32_t mz_crypt_hmac_init(void *handle, const void *key, int32_t key_length) { mz_crypt_hmac *hmac = (mz_crypt_hmac *)handle; HCRYPTHASH hash = 0; @@ -499,6 +433,10 @@ int32_t mz_crypt_hmac_set_key(void *handle, const void *key, int32_t key_length) memcpy(key_blob + sizeof(key_blob_header_s), key, key_length); result = CryptImportKey(hmac->provider, key_blob, key_blob_size, 0, CRYPT_IPSEC_HMAC_KEY, &hmac->key); + if (result) + result = CryptCreateHash(hmac->provider, CALG_HMAC, hmac->key, 0, &hmac->hash); + if (result) + result = CryptSetHashParam(hmac->hash, HP_HMAC_INFO, (uint8_t *)&hmac->info, 0); if (!result) { hmac->error = GetLastError(); @@ -513,6 +451,46 @@ int32_t mz_crypt_hmac_set_key(void *handle, const void *key, int32_t key_length) return err; } +int32_t mz_crypt_hmac_update(void *handle, const void *buf, int32_t size) +{ + mz_crypt_hmac *hmac = (mz_crypt_hmac *)handle; + int32_t result = 0; + + if (hmac == NULL || buf == NULL || hmac->hash == 0) + return MZ_PARAM_ERROR; + + result = CryptHashData(hmac->hash, buf, size, 0); + if (!result) + { + hmac->error = GetLastError(); + return MZ_HASH_ERROR; + } + return MZ_OK; +} + +int32_t mz_crypt_hmac_end(void *handle, uint8_t *digest, int32_t digest_size) +{ + mz_crypt_hmac *hmac = (mz_crypt_hmac *)handle; + int32_t result = 0; + int32_t expected_size = 0; + int32_t err = MZ_OK; + + if (hmac == NULL || digest == NULL || hmac->hash == 0) + return MZ_PARAM_ERROR; + result = CryptGetHashParam(hmac->hash, HP_HASHVAL, NULL, &expected_size, 0); + if (expected_size > digest_size) + return MZ_BUF_ERROR; + if (!result) + return MZ_HASH_ERROR; + result = CryptGetHashParam(hmac->hash, HP_HASHVAL, digest, &digest_size, 0); + if (!result) + { + hmac->error = GetLastError(); + return MZ_HASH_ERROR; + } + return MZ_OK; +} + void mz_crypt_hmac_set_algorithm(void *handle, uint16_t algorithm) { mz_crypt_hmac *hmac = (mz_crypt_hmac *)handle; diff --git a/mz_strm_wzaes.c b/mz_strm_wzaes.c index 03ccd7f..7d0eb01 100644 --- a/mz_strm_wzaes.c +++ b/mz_strm_wzaes.c @@ -97,12 +97,8 @@ int32_t mz_stream_wzaes_pbkdf2(uint8_t *password, int32_t password_length, uint8 mz_crypt_hmac_set_algorithm(hmac2, MZ_HASH_SHA1); mz_crypt_hmac_set_algorithm(hmac3, MZ_HASH_SHA1); - err = mz_crypt_hmac_set_key(hmac1, password, password_length); - if (err == MZ_OK) - err = mz_crypt_hmac_begin(hmac1); - err = mz_crypt_hmac_set_key(hmac2, password, password_length); - if (err == MZ_OK) - err = mz_crypt_hmac_begin(hmac2); + err = mz_crypt_hmac_init(hmac1, password, password_length); + err = mz_crypt_hmac_init(hmac2, password, password_length); if (err == MZ_OK) err = mz_crypt_hmac_update(hmac2, salt, salt_length); @@ -222,8 +218,7 @@ int32_t mz_stream_wzaes_open(void *stream, const char *path, int32_t mode) // Initialize for authentication using key 2 mz_crypt_hmac_reset(wzaes->hmac); mz_crypt_hmac_set_algorithm(wzaes->hmac, MZ_HASH_SHA1); - mz_crypt_hmac_set_key(wzaes->hmac, kbuf + key_length, key_length); - mz_crypt_hmac_begin(wzaes->hmac); + mz_crypt_hmac_init(wzaes->hmac, kbuf + key_length, key_length); memcpy(verify, kbuf + (2 * key_length), MZ_AES_PW_VERIFY_SIZE); diff --git a/test/test.c b/test/test.c index 1d356b6..ee360f4 100644 --- a/test/test.c +++ b/test/test.c @@ -550,8 +550,7 @@ void test_crypt_hmac(void) mz_crypt_hmac_create(&hmac); mz_crypt_hmac_set_algorithm(hmac, MZ_HASH_SHA1); - mz_crypt_hmac_set_key(hmac, key, key_length); - mz_crypt_hmac_begin(hmac); + mz_crypt_hmac_init(hmac, key, key_length); mz_crypt_hmac_update(hmac, test, test_length); mz_crypt_hmac_end(hmac, hash, sizeof(hash)); mz_crypt_hmac_delete(&hmac); @@ -568,8 +567,7 @@ void test_crypt_hmac(void) mz_crypt_hmac_create(&hmac); mz_crypt_hmac_set_algorithm(hmac, MZ_HASH_SHA256); - mz_crypt_hmac_set_key(hmac, key, key_length); - mz_crypt_hmac_begin(hmac); + mz_crypt_hmac_init(hmac, key, key_length); mz_crypt_hmac_update(hmac, test, test_length); mz_crypt_hmac_end(hmac, hash256, sizeof(hash256)); mz_crypt_hmac_delete(&hmac);