From 55fae189fffc86f07a3448370f0a746670819712 Mon Sep 17 00:00:00 2001
From: vnugent <public@vaughnnugent.com>
Date: Thu, 2 May 2024 21:54:35 -0400
Subject: feat: Working and tested openssl impl & defaults

---
 src/crypto/impl/mbedtls.c    | 10 ++++-----
 src/crypto/impl/monocypher.c |  2 +-
 src/crypto/impl/openssl.c    | 48 +++++++++++++++++++++++---------------------
 3 files changed, 31 insertions(+), 29 deletions(-)

(limited to 'src')

diff --git a/src/crypto/impl/mbedtls.c b/src/crypto/impl/mbedtls.c
index 18eb9db..057e7b4 100644
--- a/src/crypto/impl/mbedtls.c
+++ b/src/crypto/impl/mbedtls.c
@@ -30,7 +30,7 @@
 
 /* Inline errors on linux in header files on linux */
 #ifndef inline
-#define inline __inline
+	#define inline __inline
 #endif
 
 #include <mbedtls/md.h>
@@ -41,7 +41,7 @@
 #include <mbedtls/constant_time.h>
 
 #ifndef inline
-#undef inline
+	#undef inline
 #endif
 
 
@@ -73,7 +73,7 @@ _IMPLSTB const mbedtls_md_info_t* _mbed_sha256_alg(void)
 		uint32_t dataLen
 	)
 	{
-		_sizet_check(dataLen)
+		_overflow_check(dataLen)
 
 		/* Counter always starts at 0 */
 		return mbedtls_chacha20_crypt(
@@ -95,7 +95,7 @@ _IMPLSTB const mbedtls_md_info_t* _mbed_sha256_alg(void)
 
 	_IMPLSTB cstatus_t _mbed_sha256_digest(const cspan_t* data, sha256_t digestOut32)
 	{
-		_sizet_check(data->size)
+		_overflow_check(data->size)
 
 		return mbedtls_sha256(
 			data->data, 
@@ -114,7 +114,7 @@ _IMPLSTB const mbedtls_md_info_t* _mbed_sha256_alg(void)
 
 	_IMPLSTB cstatus_t _mbed_sha256_hmac(const cspan_t* key, const cspan_t* data, sha256_t hmacOut32)
 	{
-		_sizet_check(data->size)
+		_overflow_check(data->size)
 
 		/* Keys should never be large enough for this to matter, but sanity check. */
 		DEBUG_ASSERT2(key->size < SIZE_MAX, "Expected key size to be less than SIZE_MAX")
diff --git a/src/crypto/impl/monocypher.c b/src/crypto/impl/monocypher.c
index b695d08..7c9faea 100644
--- a/src/crypto/impl/monocypher.c
+++ b/src/crypto/impl/monocypher.c
@@ -53,7 +53,7 @@
 		uint32_t dataLen
 	)
 	{
-		_sizet_check(dataLen)
+		_overflow_check(dataLen)
 
 		/*
 		* Function returns the next counter value which is not
diff --git a/src/crypto/impl/openssl.c b/src/crypto/impl/openssl.c
index 90028e6..fd3b4e6 100644
--- a/src/crypto/impl/openssl.c
+++ b/src/crypto/impl/openssl.c
@@ -20,7 +20,6 @@
 
 
 /* Setup openssl */
-
 #ifdef OPENSSL_CRYPTO_LIB
 
 #include "nc-util.h"
@@ -34,7 +33,7 @@
 
 	_IMPLSTB void _ossl_secure_zero_memset(void* ptr, size_t size)
 	{
-		_sizet_check(size)
+		_overflow_check(size)
 
 		OPENSSL_cleanse(ptr, size);
 	}
@@ -48,7 +47,8 @@
 	{
 		int result;
 
-		_sizet_check(size)
+		/* Size checks are required for platforms that have integer sizes under 32bit */
+		_overflow_check(size)
 
 		result = CRYPTO_memcmp(a, b, size);
 
@@ -66,7 +66,7 @@
 
 	_IMPLSTB cstatus_t _ossl_sha256_digest(const cspan_t* data, sha256_t digestOut32)
 	{
-		_sizet_check(data->size)
+		_overflow_check(data->size)
 
 		_OSSL_FAIL(SHA256(data->data, data->size, digestOut32))
 
@@ -86,8 +86,8 @@
 	{
 		unsigned int hmacLen;
 
-		_sizet_check(key->size)
-		_sizet_check(data->size)
+		_overflow_check(key->size)
+		_overflow_check(data->size)
 
 		hmacLen = sizeof(sha256_t);
 
@@ -104,7 +104,7 @@
 		)
 		
 		/* digest length should match the actual digest size */
-		_OSSL_FAIL(hmacLen != sizeof(sha256_t))
+		DEBUG_ASSERT(hmacLen == sizeof(sha256_t))
 
 		return CSTATUS_OK;
 	}
@@ -122,23 +122,32 @@
 	{
 		DEBUG_ASSERT(ctx != NULL)
 
-		_OSS_FAIL(HMAC_Update((HMAC_CTX*)ctx, data->data, data->size))
+		_overflow_check(data->size)
+
+		_OSSL_FAIL(EVP_DigestUpdate((EVP_MD_CTX*)ctx, data->data, data->size))
 		
 		return CSTATUS_OK;
 	}
 
 	cstatus_t _ossl_hkdf_finish(void* ctx, sha256_t hmacOut32)
 	{
+		unsigned int hmacSize;
+
 		DEBUG_ASSERT(ctx != NULL)
 
-		_OSSL_FAIL(HMAC_Final((HMAC_CTX*)ctx, hmacOut32, NULL))
+		hmacSize = sizeof(sha256_t);
+
+		_OSSL_FAIL(EVP_DigestFinal_ex((EVP_MD_CTX*)ctx, hmacOut32, &hmacSize))
+
+		/* When configured for sha256, should always be the same size in/out */
+		DEBUG_ASSERT(hmacSize == sizeof(sha256_t))
 		
 		return CSTATUS_OK;
 	}
 
-	_IMPLSTB cstatus_t _ossl_fallback_hkdf_expand(const cspan_t* prk, const cspan_t* info, span_t* okm)
+	_IMPLSTB cstatus_t _ossl_sha256_hkdf_expand(const cspan_t* prk, const cspan_t* info, span_t* okm)
 	{
-		HMAC_CTX* hmac;
+		EVP_MD_CTX* ctx;
 		cstatus_t result;
 		struct nc_hkdf_fn_cb_struct handler;
 	
@@ -147,28 +156,21 @@
 		* calls to the finish function without losing the context.
 		*/
 
-		if ((hmac = HMAC_CTX_new()) == NULL)
+		if ((ctx = EVP_MD_CTX_create()) == NULL)
 		{
 			return CSTATUS_FAIL;
 		}
 
+		_OSSL_FAIL(EVP_DigestInit_ex2(ctx, EVP_sha256(), NULL))
 
-		_OSSL_FAIL(
-			HMAC_Init_ex(
-				hmac,
-				prk->data,
-				pkr->size,
-				EVP_sha256(),
-				NULL
-			)
-		)
+		_OSSL_FAIL(EVP_DigestUpdate(ctx, prk->data, prk->size));
 		
 		handler.update = _ossl_hkdf_update;
 		handler.finish = _ossl_hkdf_finish;
 
-		result = hkdfExpandProcess(&handler, hmac, info, okm);
+		result = hkdfExpandProcess(&handler, ctx, info, okm);
 
-		HMAC_CTX_free(hmac);
+		EVP_MD_CTX_destroy(ctx);
 
 		return result;
 	}
-- 
cgit