Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

allow HMAC via EVP_PKEY raw privkey functions #1338

Merged
merged 3 commits into from
Jan 19, 2024
Merged

allow HMAC via EVP_PKEY raw privkey functions #1338

merged 3 commits into from
Jan 19, 2024

Conversation

samuel40791765
Copy link
Contributor

Issues:

Resolves CryptoAlg-1704

Description of changes:

Follow up from #1324 (comment), Bind consumes EVP_PKEY_HMAC though this codepath, so we'll have to add support for this within the EVP_PKEY function pointers.
OpenSSL also encourages using EVP_PKEY_new_raw_private_key instead of EVP_PKEY_new_mac_key: https://www.openssl.org/docs/manmaster/man3/EVP_PKEY_new_mac_key.html

Call-outs:

N/A

Testing:

New test for EVP_PKEY_{new,get}_raw_private_key

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license.

@codecov-commenter
Copy link

codecov-commenter commented Dec 5, 2023
edited
Loading

Codecov Report

Attention: 7 lines in your changes are missing coverage. Please review.

Comparison is base (71d119b) 76.84% compared to head (424ce04) 76.84%.

Files Patch % Lines
crypto/evp_extra/p_hmac_asn1.c 81.48% 5 Missing ⚠️
crypto/fipsmodule/evp/evp.c 50.00% 2 Missing ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main    #1338      +/-   ##
==========================================
- Coverage   76.84%   76.84%   -0.01%     
==========================================
  Files         425      425              
  Lines       71502    71532      +30     
==========================================
+ Hits        54948    54970      +22     
- Misses      16554    16562       +8

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

@justsmth justsmth mentioned this pull request Dec 15, 2023
Merged
@samuel40791765 samuel40791765 marked this pull request as ready for review December 26, 2023 21:52
@samuel40791765 samuel40791765 requested a review from a team as a code owner December 26, 2023 21:52
WillChilds-Klein
WillChilds-Klein reviewed Dec 27, 2023
View reviewed changes
crypto/evp_extra/p_hmac_asn1.c

// The semantics of the EVP APIs are to return the length, if |priv| is NULL.
if (priv == NULL) {
*len = key->key_len;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

should we do a null check on len here, or can we always assume that to be a valid pointer?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Added a check above

crypto/hmac_extra/hmac_test.cc
EXPECT_TRUE(EVP_PKEY_get_raw_private_key(raw_pkey.get(), retrieved_key.data(),
&retrieved_key_len));
retrieved_key.resize(retrieved_key_len);
EXPECT_EQ(Bytes(retrieved_key), Bytes(key));
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

considering branch coverage... should we add a case where we resize the buffer andretrieved_key_len to something smaller than the key size and and expect failure?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Sure I added one more here. There are cases where the key could be NULL, so I've filtered those out here.

crypto/fipsmodule/evp/evp.c Show resolved Hide resolved
@samuel40791765 samuel40791765 enabled auto-merge (squash) January 19, 2024 01:34
@samuel40791765 samuel40791765 merged commit 709d214 into aws:main Jan 19, 2024
34 of 35 checks passed
dougch pushed a commit to dougch/aws-lc that referenced this pull request Jan 30, 2024
@samuel40791765 @dougch
allow HMAC via EVP_PKEY raw privkey functions (aws#1338)
d1f62e1 
This adds support for consuming `EVP_PKEY_HMAC` through
`EVP_PKEY_new_raw_private_key` and `EVP_PKEY_get_raw_private_key`.
Logic for `set_priv_raw` and `get_priv_raw` are required for
`EVP_PKEY_HMAC`'s ASN1 methods to get things working.

New tests setting the key and retrieving it for `EVP_PKEY_HMAC` were
also added.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@himsen himsen himsen left review comments

@torben-hansen torben-hansen torben-hansen approved these changes

@WillChilds-Klein WillChilds-Klein WillChilds-Klein approved these changes

@andrewhop andrewhop Awaiting requested review from andrewhop

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@samuel40791765 @codecov-commenter @WillChilds-Klein @himsen @torben-hansen