aboutsummaryrefslogtreecommitdiffstats
path: root/src/libstrongswan/crypto/signers/hmac_signer.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/libstrongswan/crypto/signers/hmac_signer.c')
-rw-r--r--src/libstrongswan/crypto/signers/hmac_signer.c50
1 files changed, 27 insertions, 23 deletions
diff --git a/src/libstrongswan/crypto/signers/hmac_signer.c b/src/libstrongswan/crypto/signers/hmac_signer.c
index c4a6173b5..76e1ce50e 100644
--- a/src/libstrongswan/crypto/signers/hmac_signer.c
+++ b/src/libstrongswan/crypto/signers/hmac_signer.c
@@ -27,11 +27,6 @@
#include <crypto/prfs/hmac_prf.h>
-/**
- * This class represents a hmac signer with 12 byte (96 bit) output.
- */
-#define BLOCK_SIZE 12
-
typedef struct private_hmac_signer_t private_hmac_signer_t;
/**
@@ -43,10 +38,15 @@ struct private_hmac_signer_t {
*/
hmac_signer_t public;
- /*
+ /**
* Assigned hmac function.
*/
prf_t *hmac_prf;
+
+ /**
+ * Block size (truncation of HMAC Hash)
+ */
+ size_t block_size;
};
/**
@@ -56,10 +56,10 @@ static void get_signature (private_hmac_signer_t *this, chunk_t data, u_int8_t *
{
u_int8_t full_mac[this->hmac_prf->get_block_size(this->hmac_prf)];
- this->hmac_prf->get_bytes(this->hmac_prf,data,full_mac);
+ this->hmac_prf->get_bytes(this->hmac_prf, data, full_mac);
- /* copy mac aka signature :-) */
- memcpy(buffer,full_mac,BLOCK_SIZE);
+ /* copy MAC depending on truncation */
+ memcpy(buffer, full_mac, this->block_size);
}
/**
@@ -72,11 +72,11 @@ static void allocate_signature (private_hmac_signer_t *this, chunk_t data, chunk
this->hmac_prf->get_bytes(this->hmac_prf,data,full_mac);
- signature.ptr = malloc(BLOCK_SIZE);
- signature.len = BLOCK_SIZE;
+ signature.ptr = malloc(this->block_size);
+ signature.len = this->block_size;
/* copy signature */
- memcpy(signature.ptr,full_mac,BLOCK_SIZE);
+ memcpy(signature.ptr, full_mac, this->block_size);
*chunk = signature;
}
@@ -84,19 +84,19 @@ static void allocate_signature (private_hmac_signer_t *this, chunk_t data, chunk
/**
* Implementation of signer_t.verify_signature.
*/
-static bool verify_signature (private_hmac_signer_t *this, chunk_t data, chunk_t signature)
+static bool verify_signature(private_hmac_signer_t *this, chunk_t data, chunk_t signature)
{
u_int8_t full_mac[this->hmac_prf->get_block_size(this->hmac_prf)];
- this->hmac_prf->get_bytes(this->hmac_prf,data,full_mac);
+ this->hmac_prf->get_bytes(this->hmac_prf, data, full_mac);
- if (signature.len != BLOCK_SIZE)
+ if (signature.len != this->block_size)
{
return FALSE;
}
/* compare mac aka signature :-) */
- if (memcmp(signature.ptr,full_mac,BLOCK_SIZE) == 0)
+ if (memcmp(signature.ptr, full_mac, this->block_size) == 0)
{
return TRUE;
}
@@ -109,7 +109,7 @@ static bool verify_signature (private_hmac_signer_t *this, chunk_t data, chunk_t
/**
* Implementation of signer_t.get_key_size.
*/
-static size_t get_key_size (private_hmac_signer_t *this)
+static size_t get_key_size(private_hmac_signer_t *this)
{
/* for HMAC signer, IKEv2 uses block size as key size */
return this->hmac_prf->get_block_size(this->hmac_prf);
@@ -118,17 +118,17 @@ static size_t get_key_size (private_hmac_signer_t *this)
/**
* Implementation of signer_t.get_block_size.
*/
-static size_t get_block_size (private_hmac_signer_t *this)
+static size_t get_block_size(private_hmac_signer_t *this)
{
- return BLOCK_SIZE;
+ return this->block_size;
}
/**
* Implementation of signer_t.set_key.
*/
-static void set_key (private_hmac_signer_t *this, chunk_t key)
+static void set_key(private_hmac_signer_t *this, chunk_t key)
{
- this->hmac_prf->set_key(this->hmac_prf,key);
+ this->hmac_prf->set_key(this->hmac_prf, key);
}
/**
@@ -144,12 +144,12 @@ static status_t destroy(private_hmac_signer_t *this)
/*
* Described in header
*/
-hmac_signer_t *hmac_signer_create(hash_algorithm_t hash_algoritm)
+hmac_signer_t *hmac_signer_create(hash_algorithm_t hash_algoritm, size_t block_size)
{
+ size_t hmac_block_size;
private_hmac_signer_t *this = malloc_thing(private_hmac_signer_t);
this->hmac_prf = (prf_t *) hmac_prf_create(hash_algoritm);
-
if (this->hmac_prf == NULL)
{
/* algorithm not supported */
@@ -157,6 +157,10 @@ hmac_signer_t *hmac_signer_create(hash_algorithm_t hash_algoritm)
return NULL;
}
+ /* prevent invalid truncation */
+ hmac_block_size = this->hmac_prf->get_block_size(this->hmac_prf);
+ this->block_size = min(block_size, hmac_block_size);
+
/* interface functions */
this->public.signer_interface.get_signature = (void (*) (signer_t*, chunk_t, u_int8_t*))get_signature;
this->public.signer_interface.allocate_signature = (void (*) (signer_t*, chunk_t, chunk_t*))allocate_signature;
generated by cgit v1.2.3 (git 2.25.1) at 2025-09-12 21:23:34 +0000