[crypto] Simplify internal HMAC API

Simplify the internal HMAC API so that the key is provided only at the point of calling hmac_init(), and the (potentially reduced) key is stored as part of the context for later use by hmac_final(). This simplifies the calling code, and avoids the need for callers such as TLS to allocate a potentially variable length block in order to retain a copy of the unmodified key. Signed-off-by: Michael Brown <mcb30@ipxe.org>
2026-01-27 09:58:31 +03:00 · 2022-10-09 15:14:41 +01:00
parent 88419b608d
commit 007d3cb800
16 changed files with 142 additions and 163 deletions
--- a/src/tests/hmac_test.c
+++ b/src/tests/hmac_test.c
@@ -100,26 +100,22 @@ struct hmac_test {
 static void hmac_okx ( struct hmac_test *test, const char *file,
 		       unsigned int line ) {
 	struct digest_algorithm *digest = test->digest;
-	uint8_t ctx[digest->ctxsize];
+	uint8_t ctx[ hmac_ctxsize ( digest ) ];
 	uint8_t hmac[digest->digestsize];
-	uint8_t key[test->key_len];
-	size_t key_len;

 	/* Sanity checks */
+	okx ( sizeof ( ctx ) == ( digest->ctxsize + digest->blocksize ),
+	      file, line );
 	okx ( test->expected_len == digest->digestsize, file, line );

-	/* Create modifiable copy of key */
-	memcpy ( key, test->key, test->key_len );
-	key_len = test->key_len;
-
 	/* Calculate HMAC */
 	DBGC ( test, "HMAC-%s key:\n", digest->name );
 	DBGC_HDA ( test, 0, test->key, test->key_len );
 	DBGC ( test, "HMAC-%s data:\n", digest->name );
 	DBGC_HDA ( test, 0, test->data, test->data_len );
-	hmac_init ( digest, ctx, key, &key_len );
+	hmac_init ( digest, ctx, test->key, test->key_len );
 	hmac_update ( digest, ctx, test->data, test->data_len );
-	hmac_final ( digest, ctx, key, &key_len, hmac );
+	hmac_final ( digest, ctx, hmac );
 	DBGC ( test, "HMAC-%s result:\n", digest->name );
 	DBGC_HDA ( test, 0, hmac, sizeof ( hmac ) );

--- a/src/tests/pccrc_test.c
+++ b/src/tests/pccrc_test.c
@@ -467,11 +467,10 @@ peerdist_info_passphrase_okx ( struct peerdist_info_segment_test *test,
 			       uint8_t *pass, size_t pass_len,
 			       const char *file, unsigned int line ) {
 	struct digest_algorithm *digest = info->digest;
-	uint8_t ctx[digest->ctxsize];
+	uint8_t ctx[ hmac_ctxsize ( digest ) ];
 	uint8_t secret[digest->digestsize];
 	uint8_t expected[digest->digestsize];
 	size_t digestsize = info->digestsize;
-	size_t secretsize = digestsize;

 	/* Calculate server secret */
 	digest_init ( digest, ctx );
@@ -479,11 +478,9 @@ peerdist_info_passphrase_okx ( struct peerdist_info_segment_test *test,
 	digest_final ( digest, ctx, secret );

 	/* Calculate expected segment secret */
-	hmac_init ( digest, ctx, secret, &secretsize );
-	assert ( secretsize == digestsize );
+	hmac_init ( digest, ctx, secret, digestsize );
 	hmac_update ( digest, ctx, test->expected_hash, digestsize );
-	hmac_final ( digest, ctx, secret, &secretsize, expected );
-	assert ( secretsize == digestsize );
+	hmac_final ( digest, ctx, expected );

 	/* Verify segment secret */
 	okx ( memcmp ( test->expected_secret, expected, digestsize ) == 0,