1
/*
2
 * Copyright 2018-2025 The OpenSSL Project Authors. All Rights Reserved.
3
 *
4
 * Licensed under the Apache License 2.0 (the "License").  You may not use
5
 * this file except in compliance with the License.  You can obtain a copy
6
 * in the file LICENSE in the source distribution or at
7
 * https://www.openssl.org/source/license.html
8
 */
9

10
/*
11
 * HMAC low level APIs are deprecated for public use, but still ok for internal
12
 * use.
13
 */
14
#include "internal/deprecated.h"
15

16
#include <string.h>
17

18
#include <openssl/core_dispatch.h>
19
#include <openssl/core_names.h>
20
#include <openssl/params.h>
21
#include <openssl/evp.h>
22
#include <openssl/hmac.h>
23
#include <openssl/proverr.h>
24
#include <openssl/err.h>
25

26
#include "internal/ssl3_cbc.h"
27

28
#include "prov/implementations.h"
29
#include "prov/provider_ctx.h"
30
#include "prov/provider_util.h"
31
#include "prov/providercommon.h"
32
#include "prov/securitycheck.h"
33

34
/*
35
 * Forward declaration of everything implemented here.  This is not strictly
36
 * necessary for the compiler, but provides an assurance that the signatures
37
 * of the functions in the dispatch table are correct.
38
 */
39
static OSSL_FUNC_mac_newctx_fn hmac_new;
40
static OSSL_FUNC_mac_dupctx_fn hmac_dup;
41
static OSSL_FUNC_mac_freectx_fn hmac_free;
42
static OSSL_FUNC_mac_gettable_ctx_params_fn hmac_gettable_ctx_params;
43
static OSSL_FUNC_mac_get_ctx_params_fn hmac_get_ctx_params;
44
static OSSL_FUNC_mac_settable_ctx_params_fn hmac_settable_ctx_params;
45
static OSSL_FUNC_mac_set_ctx_params_fn hmac_set_ctx_params;
46
static OSSL_FUNC_mac_init_fn hmac_init;
47
static OSSL_FUNC_mac_update_fn hmac_update;
48
static OSSL_FUNC_mac_final_fn hmac_final;
49

50
/* local HMAC context structure */
51

52
/* typedef EVP_MAC_IMPL */
53
struct hmac_data_st {
54
    void *provctx;
55
    HMAC_CTX *ctx;               /* HMAC context */
56
    PROV_DIGEST digest;
57
    unsigned char *key;
58
    size_t keylen;
59
    /* Length of full TLS record including the MAC and any padding */
60
    size_t tls_data_size;
61
    unsigned char tls_header[13];
62
    int tls_header_set;
63
    unsigned char tls_mac_out[EVP_MAX_MD_SIZE];
64
    size_t tls_mac_out_size;
65
#ifdef FIPS_MODULE
66
    /*
67
     * 'internal' is set to 1 if HMAC is used inside another algorithm such as a
68
     * KDF. In this case it is the parent algorithm that is responsible for
69
     * performing any conditional FIPS indicator related checks for the HMAC.
70
     */
71
    int internal;
72
#endif
73
    OSSL_FIPS_IND_DECLARE
74
};
75

76
static void *hmac_new(void *provctx)
77
{
78
    struct hmac_data_st *macctx;
79

80
    if (!ossl_prov_is_running())
81
        return NULL;
82

83
    if ((macctx = OPENSSL_zalloc(sizeof(*macctx))) == NULL
84
        || (macctx->ctx = HMAC_CTX_new()) == NULL) {
85
        OPENSSL_free(macctx);
86
        return NULL;
87
    }
88
    macctx->provctx = provctx;
89
    OSSL_FIPS_IND_INIT(macctx)
90

91
    return macctx;
92
}
93

94
static void hmac_free(void *vmacctx)
95
{
96
    struct hmac_data_st *macctx = vmacctx;
97

98
    if (macctx != NULL) {
99
        HMAC_CTX_free(macctx->ctx);
100
        ossl_prov_digest_reset(&macctx->digest);
101
        OPENSSL_clear_free(macctx->key, macctx->keylen);
102
        OPENSSL_free(macctx);
103
    }
104
}
105

106
static void *hmac_dup(void *vsrc)
107
{
108
    struct hmac_data_st *src = vsrc;
109
    struct hmac_data_st *dst;
110
    HMAC_CTX *ctx;
111

112
    if (!ossl_prov_is_running())
113
        return NULL;
114
    dst = hmac_new(src->provctx);
115
    if (dst == NULL)
116
        return NULL;
117

118
    ctx = dst->ctx;
119
    *dst = *src;
120
    dst->ctx = ctx;
121
    dst->key = NULL;
122
    memset(&dst->digest, 0, sizeof(dst->digest));
123

124
    if (!HMAC_CTX_copy(dst->ctx, src->ctx)
125
        || !ossl_prov_digest_copy(&dst->digest, &src->digest)) {
126
        hmac_free(dst);
127
        return NULL;
128
    }
129
    if (src->key != NULL) {
130
        dst->key = OPENSSL_malloc(src->keylen > 0 ? src->keylen : 1);
131
        if (dst->key == NULL) {
132
            hmac_free(dst);
133
            return 0;
134
        }
135
        if (src->keylen > 0)
136
            memcpy(dst->key, src->key, src->keylen);
137
    }
138
    return dst;
139
}
140

141
static size_t hmac_size(struct hmac_data_st *macctx)
142
{
143
    return HMAC_size(macctx->ctx);
144
}
145

146
static int hmac_block_size(struct hmac_data_st *macctx)
147
{
148
    const EVP_MD *md = ossl_prov_digest_md(&macctx->digest);
149

150
    if (md == NULL)
151
        return 0;
152
    return EVP_MD_block_size(md);
153
}
154

155
static int hmac_setkey(struct hmac_data_st *macctx,
156
                       const unsigned char *key, size_t keylen)
157
{
158
    const EVP_MD *digest;
159

160
#ifdef FIPS_MODULE
161
    /*
162
     * KDF's pass a salt rather than a key,
163
     * which is why it skips the key check unless "HMAC" is fetched directly.
164
     */
165
    if (!macctx->internal) {
166
        OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(macctx->provctx);
167
        int approved = ossl_mac_check_key_size(keylen);
168

169
        if (!approved) {
170
            if (!OSSL_FIPS_IND_ON_UNAPPROVED(macctx, OSSL_FIPS_IND_SETTABLE0,
171
                                             libctx, "HMAC", "keysize",
172
                                             ossl_fips_config_hmac_key_check)) {
173
                ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
174
                return 0;
175
            }
176
        }
177
    }
178
#endif
179

180
    if (macctx->key != NULL)
181
        OPENSSL_clear_free(macctx->key, macctx->keylen);
182
    /* Keep a copy of the key in case we need it for TLS HMAC */
183
    macctx->key = OPENSSL_malloc(keylen > 0 ? keylen : 1);
184
    if (macctx->key == NULL)
185
        return 0;
186

187
    if (keylen > 0)
188
        memcpy(macctx->key, key, keylen);
189
    macctx->keylen = keylen;
190

191
    digest = ossl_prov_digest_md(&macctx->digest);
192
    /* HMAC_Init_ex doesn't tolerate all zero params, so we must be careful */
193
    if (key != NULL || (macctx->tls_data_size == 0 && digest != NULL))
194
        return HMAC_Init_ex(macctx->ctx, key, keylen, digest,
195
                            ossl_prov_digest_engine(&macctx->digest));
196
    return 1;
197
}
198

199
static int hmac_init(void *vmacctx, const unsigned char *key,
200
                     size_t keylen, const OSSL_PARAM params[])
201
{
202
    struct hmac_data_st *macctx = vmacctx;
203

204
    if (!ossl_prov_is_running() || !hmac_set_ctx_params(macctx, params))
205
        return 0;
206

207
    if (key != NULL)
208
        return hmac_setkey(macctx, key, keylen);
209

210
    /* Just reinit the HMAC context */
211
    return HMAC_Init_ex(macctx->ctx, NULL, 0, NULL, NULL);
212
}
213

214
static int hmac_update(void *vmacctx, const unsigned char *data,
215
                       size_t datalen)
216
{
217
    struct hmac_data_st *macctx = vmacctx;
218

219
    if (macctx->tls_data_size > 0) {
220
        /* We're doing a TLS HMAC */
221
        if (!macctx->tls_header_set) {
222
            /* We expect the first update call to contain the TLS header */
223
            if (datalen != sizeof(macctx->tls_header))
224
                return 0;
225
            memcpy(macctx->tls_header, data, datalen);
226
            macctx->tls_header_set = 1;
227
            return 1;
228
        }
229
        /* macctx->tls_data_size is datalen plus the padding length */
230
        if (macctx->tls_data_size < datalen)
231
            return 0;
232

233
        return ssl3_cbc_digest_record(ossl_prov_digest_md(&macctx->digest),
234
                                      macctx->tls_mac_out,
235
                                      &macctx->tls_mac_out_size,
236
                                      macctx->tls_header,
237
                                      data,
238
                                      datalen,
239
                                      macctx->tls_data_size,
240
                                      macctx->key,
241
                                      macctx->keylen,
242
                                      0);
243
    }
244

245
    return HMAC_Update(macctx->ctx, data, datalen);
246
}
247

248
static int hmac_final(void *vmacctx, unsigned char *out, size_t *outl,
249
                      size_t outsize)
250
{
251
    unsigned int hlen;
252
    struct hmac_data_st *macctx = vmacctx;
253

254
    if (!ossl_prov_is_running())
255
        return 0;
256
    if (macctx->tls_data_size > 0) {
257
        if (macctx->tls_mac_out_size == 0)
258
            return 0;
259
        if (outl != NULL)
260
            *outl = macctx->tls_mac_out_size;
261
        memcpy(out, macctx->tls_mac_out, macctx->tls_mac_out_size);
262
        return 1;
263
    }
264
    if (!HMAC_Final(macctx->ctx, out, &hlen))
265
        return 0;
266
    *outl = hlen;
267
    return 1;
268
}
269

270
static const OSSL_PARAM known_gettable_ctx_params[] = {
271
    OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL),
272
    OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE, NULL),
273
    OSSL_FIPS_IND_GETTABLE_CTX_PARAM()
274
    OSSL_PARAM_END
275
};
276
static const OSSL_PARAM *hmac_gettable_ctx_params(ossl_unused void *ctx,
277
                                                  ossl_unused void *provctx)
278
{
279
    return known_gettable_ctx_params;
280
}
281

282
static int hmac_get_ctx_params(void *vmacctx, OSSL_PARAM params[])
283
{
284
    struct hmac_data_st *macctx = vmacctx;
285
    OSSL_PARAM *p;
286

287
    if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_SIZE)) != NULL
288
            && !OSSL_PARAM_set_size_t(p, hmac_size(macctx)))
289
        return 0;
290

291
    if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_BLOCK_SIZE)) != NULL
292
            && !OSSL_PARAM_set_int(p, hmac_block_size(macctx)))
293
        return 0;
294

295
#ifdef FIPS_MODULE
296
    p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_FIPS_APPROVED_INDICATOR);
297
    if (p != NULL) {
298
        int approved = 0;
299

300
        if (!macctx->internal)
301
            approved = OSSL_FIPS_IND_GET(macctx)->approved;
302
        if (!OSSL_PARAM_set_int(p, approved))
303
            return 0;
304
    }
305
#endif
306
    return 1;
307
}
308

309
static const OSSL_PARAM known_settable_ctx_params[] = {
310
    OSSL_PARAM_utf8_string(OSSL_MAC_PARAM_DIGEST, NULL, 0),
311
    OSSL_PARAM_utf8_string(OSSL_MAC_PARAM_PROPERTIES, NULL, 0),
312
    OSSL_PARAM_octet_string(OSSL_MAC_PARAM_KEY, NULL, 0),
313
    OSSL_PARAM_int(OSSL_MAC_PARAM_DIGEST_NOINIT, NULL),
314
    OSSL_PARAM_int(OSSL_MAC_PARAM_DIGEST_ONESHOT, NULL),
315
    OSSL_PARAM_size_t(OSSL_MAC_PARAM_TLS_DATA_SIZE, NULL),
316
    OSSL_FIPS_IND_SETTABLE_CTX_PARAM(OSSL_MAC_PARAM_FIPS_KEY_CHECK)
317
    OSSL_PARAM_END
318
};
319
static const OSSL_PARAM *hmac_settable_ctx_params(ossl_unused void *ctx,
320
                                                  ossl_unused void *provctx)
321
{
322
    return known_settable_ctx_params;
323
}
324

325
/*
326
 * ALL parameters should be set before init().
327
 */
328
static int hmac_set_ctx_params(void *vmacctx, const OSSL_PARAM params[])
329
{
330
    struct hmac_data_st *macctx = vmacctx;
331
    OSSL_LIB_CTX *ctx = PROV_LIBCTX_OF(macctx->provctx);
332
    const OSSL_PARAM *p;
333

334
    if (ossl_param_is_empty(params))
335
        return 1;
336

337
    if (!OSSL_FIPS_IND_SET_CTX_PARAM(macctx, OSSL_FIPS_IND_SETTABLE0, params,
338
                                     OSSL_MAC_PARAM_FIPS_KEY_CHECK))
339
        return 0;
340

341
    if (!ossl_prov_digest_load_from_params(&macctx->digest, params, ctx))
342
        return 0;
343

344
    if ((p = OSSL_PARAM_locate_const(params, OSSL_MAC_PARAM_KEY)) != NULL) {
345
        if (p->data_type != OSSL_PARAM_OCTET_STRING)
346
            return 0;
347

348
        if (!hmac_setkey(macctx, p->data, p->data_size))
349
            return 0;
350
    }
351

352
    if ((p = OSSL_PARAM_locate_const(params,
353
                                     OSSL_MAC_PARAM_TLS_DATA_SIZE)) != NULL) {
354
        if (!OSSL_PARAM_get_size_t(p, &macctx->tls_data_size))
355
            return 0;
356
    }
357
    return 1;
358
}
359

360
const OSSL_DISPATCH ossl_hmac_functions[] = {
361
    { OSSL_FUNC_MAC_NEWCTX, (void (*)(void))hmac_new },
362
    { OSSL_FUNC_MAC_DUPCTX, (void (*)(void))hmac_dup },
363
    { OSSL_FUNC_MAC_FREECTX, (void (*)(void))hmac_free },
364
    { OSSL_FUNC_MAC_INIT, (void (*)(void))hmac_init },
365
    { OSSL_FUNC_MAC_UPDATE, (void (*)(void))hmac_update },
366
    { OSSL_FUNC_MAC_FINAL, (void (*)(void))hmac_final },
367
    { OSSL_FUNC_MAC_GETTABLE_CTX_PARAMS,
368
      (void (*)(void))hmac_gettable_ctx_params },
369
    { OSSL_FUNC_MAC_GET_CTX_PARAMS, (void (*)(void))hmac_get_ctx_params },
370
    { OSSL_FUNC_MAC_SETTABLE_CTX_PARAMS,
371
      (void (*)(void))hmac_settable_ctx_params },
372
    { OSSL_FUNC_MAC_SET_CTX_PARAMS, (void (*)(void))hmac_set_ctx_params },
373
    OSSL_DISPATCH_END
374
};
375

376
#ifdef FIPS_MODULE
377
static OSSL_FUNC_mac_newctx_fn hmac_internal_new;
378

379
static void *hmac_internal_new(void *provctx)
380
{
381
    struct hmac_data_st *macctx = hmac_new(provctx);
382

383
    if (macctx != NULL)
384
        macctx->internal = 1;
385
    return macctx;
386
}
387

388
const OSSL_DISPATCH ossl_hmac_internal_functions[] = {
389
    { OSSL_FUNC_MAC_NEWCTX, (void (*)(void))hmac_internal_new },
390
    { OSSL_FUNC_MAC_DUPCTX, (void (*)(void))hmac_dup },
391
    { OSSL_FUNC_MAC_FREECTX, (void (*)(void))hmac_free },
392
    { OSSL_FUNC_MAC_INIT, (void (*)(void))hmac_init },
393
    { OSSL_FUNC_MAC_UPDATE, (void (*)(void))hmac_update },
394
    { OSSL_FUNC_MAC_FINAL, (void (*)(void))hmac_final },
395
    { OSSL_FUNC_MAC_GETTABLE_CTX_PARAMS,
396
      (void (*)(void))hmac_gettable_ctx_params },
397
    { OSSL_FUNC_MAC_GET_CTX_PARAMS, (void (*)(void))hmac_get_ctx_params },
398
    { OSSL_FUNC_MAC_SETTABLE_CTX_PARAMS,
399
      (void (*)(void))hmac_settable_ctx_params },
400
    { OSSL_FUNC_MAC_SET_CTX_PARAMS, (void (*)(void))hmac_set_ctx_params },
401
    OSSL_DISPATCH_END
402
};
403

404
#endif /* FIPS_MODULE */
405

406